Any enterprise that uses open recursive DNS is vulnerable to the following popular attacks:

 

Having your server abused by attackers and used as a tool for distributed denial of service (DDoS) can have the following consequences:

  • The huge volume of fake DNS queries received, and especially the volume of answers sent to the victim, can consume considerable bandwidth;
  • Depending on the internet provider contract, abuse of an open DNS server can make its operator liable for DDoS attacks caused to third parties.

 

BrbOS includes a powerful and lightweight ACL tool to filter client requests (https://brbos.brbyte.com/dns/acl-control). BrbOS also includes a DNS IP RateLimit, with which it is possible to:

 

  • Analyze which clients are generating a high volume of requests;
  • Limit the requests received by the DNS server;
  • Mitigate amplification attacks;
  • Avoid sharing;
  • Search by IP address;
  • Set a global queries-per-second limit per IP address;
  • Queries that exceed the configured limit are discarded completely and receive no response (SERVFAIL or otherwise);
  • The limit is applied before the cache lookup, so it is possible to mitigate amplification attacks.
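
The behaviour in the list above, as an added sketch that is not BrbOS code: a per-source-IP counter checked before the cache lookup, with over-limit queries getting no response at all. The fixed one-second window, the class names, the limit of 10 and the sample traffic are assumptions made for illustration; the page does not say which algorithm BrbOS uses.

```python
from collections import Counter

class PerIpRateLimiter:
    """Fixed one-second window: at most `limit` queries per source IP."""
    def __init__(self, limit):
        self.limit = limit
        self.window = {}          # ip -> (second, queries counted in it)
        self.seen = Counter()     # ip -> queries received (for analysis)
        self.dropped = Counter()  # ip -> queries discarded

    def allow(self, ip, now):
        second = int(now)
        start, count = self.window.get(ip, (second, 0))
        if start != second:       # new second: reset this IP's counter
            count = 0
        self.window[ip] = (second, count + 1)
        self.seen[ip] += 1
        if count + 1 > self.limit:
            self.dropped[ip] += 1
            return False
        return True

class Resolver:
    """Toy recursive resolver; the answer value is constructed."""
    def __init__(self, limiter):
        self.limiter = limiter
        self.cache = {}
        self.cache_lookups = 0

    def handle(self, ip, qname, now):
        # The limit is checked before the cache, so an over-limit query
        # costs no lookup and gets no packet back (not even SERVFAIL).
        if not self.limiter.allow(ip, now):
            return None
        self.cache_lookups += 1
        return self.cache.setdefault(qname, "192.0.2.10")

def replay(queries, limit):
    """Feed (time, source_ip, qname) tuples through a fresh resolver."""
    resolver = Resolver(PerIpRateLimiter(limit))
    answers = [resolver.handle(ip, q, t) for t, ip, q in sorted(queries)]
    return resolver, answers

# Constructed traffic: one source sends 50 queries in second 0 and 20 in
# second 1 (as when a victim's address is forged); another sends 2.
SAMPLE = ([(i * 0.01, "198.51.100.7", "example.com") for i in range(50)]
          + [(1 + i * 0.01, "198.51.100.7", "example.com") for i in range(20)]
          + [(0.2, "203.0.113.5", "example.com"),
             (1.1, "203.0.113.5", "example.org")])
```

Calling `replay(SAMPLE, limit=10)` returns the resolver and the list of answers; `resolver.limiter.seen.most_common()` ranks clients by query volume and `resolver.limiter.dropped[ip]` gives the discard count for one address.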