Block DNS via CM Config | docsis.org

You are here

Block DNS via CM Config

5 posts / 0 new
Last post
ehren8879
Block DNS via CM Config

I'm struggling trying to solve an issue with customers whose CPE are open resolvers. I can solve/mitigate this problem via ACL on our routers, CMTS' or even firewalls, but none of those allow our L1 techs to apply or remove the restrictions.

The open resolvers on our network are resulting in our caching DNS servers participating in amplification attacks.

I'd like to apply IP/Port filters via the CM config that will only allow DNS queries with a particular, contiguous subnet (where our DNS servers reside). I'm attempting to block all other DNS lookups from outside our network.

The network to allow would be, for example 10.0.0.0/24

I've tried "stacking" config filters, but am either able to completely deny DNS or allow it; no different than no filter config at all.

Here's my latest hacky approach (UDP only):

SnmpMibObject docsDevFilterIpIfIndex.1 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.1 Integer 3;
docsDevFilterIpControl.1 allow
docsDevFilterIpContinue.1 true
SnmpMibObject docsDevFilterIpBroadcast.1 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.1 IPAddress 10.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.1 IPAddress 255.255.255.0 ;
SnmpMibObject docsDevFilterIpDaddr.1 IPAddress 10.0.0.0 ;
SnmpMibObject docsDevFilterIpDmask.1 IPAddress 255.255.255.0 ;
SnmpMibObject docsDevFilterIpProtocol.1 Integer 17 ;
SnmpMibObject docsDevFilterIpDestPortLow.1 Integer 53 ;
SnmpMibObject docsDevFilterIpDestPortHigh.1 Integer 53 ;
SnmpMibObject docsDevFilterIpStatus.1 Integer 4;

SnmpMibObject docsDevFilterIpIfIndex.2 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.2 Integer 3;
SnmpMibObject docsDevFilterIpProtocol.2 Integer 17 ;
SnmpMibObject docsDevFilterIpDestPortLow.2 Integer 53 ;
SnmpMibObject docsDevFilterIpDestPortHigh.2 Integer 53 ;
SnmpMibObject docsDevFilterIpStatus.2 Integer 4;

ehren8879
We solved this by filtering

We solved this by filtering on the following criteria. Only one index was necessary:

Protocol: UDP (may consider TCP as well)
Destination port: 53
Interface: CMCI only
Direction: OUT

Works great. Allows customer network to perform DNS look ups to any recursive server on the net, but prevents their network from hosting a DNS server. Exceptions are made for those running Auth DNS or limited recursion (eg. business customers).

mbowe
Ahhh hangon, couple of

Ahhh hangon, couple of different issues here

1) securing your dns resolvers. This would normally be done in the DNS server software, you would permit only your customers to make queries (so in your example 10.0.0.0/24)

2) stopping your customers being exploited. This is where you want to stop queries from the internet from hitting your customer's accidentally open resolver. In our case we banned all DNS lookups towards dynamic IP customers (dynamic IP customer has no reason to host a public resolver) eg put an ACL on the CMTS bundle outbound which is like "deny udp any < dynip_mask> eq domain". That takes away the majority of exploitable IPs. So this just leaves static IP customers who can still be exploited. We dont DNS block queries towards them because they may legitimately be running a DNS server. If we see these customers getting exploited we contact them and ask them to fix. We find they are easy to contact because they have websites / email / daytime phone numbers / IT techs.

If suppose if you want to setup some per-user blocks for static-ip customers you could make some CM config files which emulate the ACL I described above (block udp dst port 53 towards customer)

ehren8879
Update

I was able to solve this problem, but have been unable to post an update.

Now that my posts appear to be showing. My goal was to achieve exactly what mbowe had posted. Block destination port 53 to customer CPE, so that they could not host a DNS server. We did this with direction = outbound, int = CMCI, proto = UDP, port = 53.

Works like a charm. I had trouble at first because I had interface directions, source and destination ports backwards in my head.

ehren8879
I apologize, I posted a

I apologize, I posted a follow up comment, but it never got posted to the board.

I was able to remedy the situation via modem config. Basically I blocked destination UDP port 53, outgoing via CMCI. This prevents users from hosting DNS servers, but allow them to query my caching DNS servers and others.

Log in or register to post comments