recursive DNS server packet filters

2016-03-02 - News - Tony Finch

Yesterday I changed the iptables packet filters on the central recursive DNS servers, 131.111.8.42 and 131.111.12.20, to harden them against denial of service attacks from outside the CUDN.

Previously we were rejecting queries from outside the CUDN using DNS-level REFUSED responses; now, TCP connections from outside the CUDN are rejected at the network layer using ICMP connection refused.

This change should not have any visible effect; I am letting you know because others who run DNS servers on the CUDN might want to make a similar change, and because there is some interesting background.

For most purposes, incoming DNS queries are blocked by the JANET border packet filters (see http://www.ucs.cam.ac.uk/network/infoinstitutions/techref/portblock). You only really need an exemption from this block for authoritative DNS servers, which must answer queries from anywhere. If you are running recursive-only DNS servers that are exempted from the port 53 block, you should consider changing your packet filters in the same way, so that port 53 on those servers is reachable only from the CUDN.
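The following is an added example of such a packet filter, written for this page rather than taken from the CUDN's actual configuration. It generates an iptables-restore rule set that accepts port 53 from local client networks and rejects everyone else in the packet filter, so the DNS server never sees the outside query at all. The client ranges are placeholders from RFC 5737 documentation space, not the real CUDN prefixes, and the chain name DNS-RECURSIVE is arbitrary.

```shell
#!/bin/sh
# Added example (not the CUDN's real rules): build an iptables-restore rule
# set that lets local clients reach port 53 and rejects everyone else at
# the network layer, instead of letting BIND answer REFUSED.
set -eu

# Assumed client ranges. RFC 5737 documentation space stands in for the
# real CUDN prefixes, which this example does not know.
LOCAL_NETS="${LOCAL_NETS:-192.0.2.0/24 198.51.100.0/24}"
CHAIN=DNS-RECURSIVE

# Print the rule set on stdout in iptables-restore format.
dns_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ":$CHAIN - [0:0]"
    # Send all port 53 traffic through our chain.
    printf '%s\n' "-A INPUT -p tcp --dport 53 -j $CHAIN"
    printf '%s\n' "-A INPUT -p udp --dport 53 -j $CHAIN"
    # Local clients first: iptables matches top-down, so the ACCEPT rules
    # must precede the catch-all REJECTs.
    for net in $LOCAL_NETS; do
        printf '%s\n' "-A $CHAIN -s $net -j ACCEPT"
    done
    # Outsiders: a TCP RST tears the attempt down before the three-way
    # handshake completes, so the connection never reaches the server's
    # TCP listener. Plain DROP would also keep the server out of it, but a
    # REJECT makes a mis-pointed legitimate client fail fast instead of
    # waiting for a timeout.
    printf '%s\n' "-A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
    printf '%s\n' "-A $CHAIN -p udp -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' 'COMMIT'
}

# Load the rules without flushing the rest of the filter table (-n).
# Re-running this flushes and refills DNS-RECURSIVE but appends a second
# pair of INPUT jump rules; a real firewall script would handle that.
apply_dns_filter() {
    dns_filter_rules | iptables-restore -n
}

case "${1:-print}" in
    apply) apply_dns_filter ;;
    *)     dns_filter_rules ;;
esac
```

Run it with no arguments to review the generated rules, or with `apply` as root to load them. From a host outside the listed ranges, a `dig +tcp` at the server should then fail with a connection error rather than returning an answer with status REFUSED; from inside, queries should be unaffected.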

The particular reason for this change is that BIND's TCP connection listener is trivially easy to flood. Answering a query with REFUSED still requires the TCP handshake to complete and BIND to accept the connection, which occupies one of the limited number of simultaneous TCP clients it will serve (the tcp-clients option); an attacker who opens enough connections from outside can use up those slots and starve legitimate clients inside, without ever sending a query that would be answered. Rejecting the connection in the packet filter means the handshake never completes and BIND never sees it. The inspiration for this change is a cleverly evil exploit announced by Cloudflare earlier this week which relies on TCP connection flooding. Although their particular attack doesn't work with BIND, it would still be unpleasant if anyone tried it on us.

I have published a blog article with more background and context at http://fanf.livejournal.com/141807.html