Any enterprise that uses open recursive DNS is vulnerable to the following popular attacks:
To have your server abused by attackers and used as a tool of decentralized denial of service (DDoS), that might imply in the following consequences:
- The huge amount of received fake DNS consultationt and specially the amount of answers sent to the victim can consume a considerable bandwidth;
- Depending on the internet provider contract an open DNS abuse can be liable to DDoS attacks caused to third parties.
The BrbOS counts with a powerful and lightweight ACL tool to filter the clients requests (https://brbos.brbyte.com/dns/acl-control), the BrBOS also counts with a DNS IP RateLimit on wich is possible:
- Analise which clients are causing a high consumption of requests;
- Limit the received requisitions to the DNS server;
- Mitigate amplification attacks;
- Avoid sharing;
- Search by IP Address;
- Set a global consultation requisition per second limit by IP Address;
- If the consults surpass the limit set they are completely discarted and will not receive a response (SERVFAIL or other);
- The limitation happens before searching in cache, so it is possible to mitigate amplification attacks.