DNS protection from ANY query amplification attacks

Contributed by: pankajnse

Description

  1. This DNS iRule has two parts, one for the TCP VIP and one for the UDP VIP.
  2. The requirement is simple: protect the DNS infrastructure from DNS amplification attacks that ask for query type ANY.
  3. An ANY query in turn generates a large response, which is what is used to DDoS the system.
  4. We could simply block the ANY query type with an iRule, but that would also block legitimate ANY queries required by certain applications.
  5. Instead, consider the sample rules below, which use the following logic.
  6. On the UDP VIP rule, if the query type is ANY, respond with a truncated message; this forces a legitimate client to retry the query over TCP.
  7. If the DNS response is not from DNS Express and does not match the ACL, drop it.
  8. The TCP VIP rule has the logic "if the DNS response is not from DNS Express and does not match the ACL, drop it".
  9. Make sure to create a data group called admin_datagroup.
  10. Note that this requires a GTM license with GTM provisioned, or the DNS Services license.

iRule Source

# UDP VIP iRule
#
# The DNS_REQUEST part checks whether the DNS query type is ANY and, if so,
# answers with an empty response whose truncation (TC) bit is set.

#====================================UDP VIP IRULE START==============================
when DNS_REQUEST {
    if { [DNS::question type] eq "ANY" } {
        # Clear any answers, set the TC bit and send the reply immediately;
        # a legitimate resolver retries over TCP, so no large UDP payload is emitted.
        DNS::answer clear
        DNS::header tc 1
        DNS::return
    }
}

# The DNS_RESPONSE part first checks whether the response was built by the
# DNS_REQUEST logic above (origin "TCL"); if so, exit and do not process further.
# Otherwise, if the response comes from DNS Express (origin "DNSX"), allow it
# (only non-ANY queries reach this point).
# If it is not from DNS Express, check whether the client address matches the
# admin_datagroup data group of networks allowed to recurse; if neither
# condition matches, drop the response.
when DNS_RESPONSE {
    if { [DNS::origin] eq "TCL" } {
        return
    } elseif { [DNS::origin] ne "DNSX" } {
        if { ![class match [IP::client_addr] equals admin_datagroup] } {
            DNS::drop
        }
    }
}
#====================================UDP VIP IRULE FINISH==============================


#====================================TCP VIP IRULE START==============================
# TCP VIP iRule
# Same response filter as in the UDP VIP rule; no truncation step is needed here.
when DNS_RESPONSE {
    if { [DNS::origin] ne "DNSX" } {
        if { ![class match [IP::client_addr] equals admin_datagroup] } {
            DNS::drop
        }
    }
}
#====================================TCP VIP IRULE FINISH==============================
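As an added example (not part of the contributed iRule and not F5 code), the same two decisions expressed in plain Python over raw DNS wire format: an ANY query arriving over UDP gets an empty reply with the TC bit set, and a response is dropped unless it is our own truncated reply, comes from DNS Express, or goes to a client inside the admin_datagroup networks. The origin strings, the sample query and the sample networks are assumptions made for the demo.

```python
import ipaddress
import struct

QTYPE_ANY = 255
FLAG_QR = 0x8000   # header flag: this packet is a response
FLAG_RD = 0x0100   # header flag: recursion desired (echoed back to the client)
FLAG_TC = 0x0200   # header flag: truncated; a compliant resolver retries over TCP

def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a minimal one-question DNS query with RD set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (qtype, offset just past the question) for the first question."""
    off = 12                        # skip the fixed 12-byte header
    while pkt[off] != 0:            # walk the length-prefixed labels
        off += 1 + pkt[off]
    off += 1                        # root label terminator
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return qtype, off + 4           # +4 skips QTYPE and QCLASS

def udp_request_handler(pkt):
    """Equivalent of the UDP DNS_REQUEST rule: ANY -> empty reply with TC set, else None."""
    qtype, qend = parse_question(pkt)
    if qtype != QTYPE_ANY:
        return None                 # let the query through to the real server
    txid, flags = struct.unpack("!HH", pkt[:4])
    reply_flags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)  # ANCOUNT 0: "DNS::answer clear"
    return header + pkt[12:qend]    # echo the question section only

def is_truncated(pkt):
    flags = struct.unpack("!H", pkt[2:4])[0]
    return bool(flags & FLAG_TC)

def should_drop_response(origin, client_ip, admin_networks, allow_tcl=True):
    """Equivalent of the DNS_RESPONSE rule; origin stands in for DNS::origin ("TCL", "DNSX", ...).
    allow_tcl=True mirrors the UDP rule (keep our own truncated replies); the TCP rule uses False."""
    if allow_tcl and origin == "TCL":
        return False                # reply we generated ourselves in the request hook
    if origin == "DNSX":
        return False                # served from DNS Express: always allowed
    addr = ipaddress.ip_address(client_ip)
    allowed = any(addr in ipaddress.ip_network(net) for net in admin_networks)
    return not allowed              # client not in admin_datagroup: drop
```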

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.