Running a public name server on the Internet today can be challenging with the never-ending flood of attacks against it. The situation only gets worse if you're an ISP that is providing recursive lookups for customers.
Some customer hosts become compromised and are used to send SPAM, which in turn sends thousands of DNS requests per minute to your name server as they look up their recipients' mail server addresses. Other customer hosts are configured to resolve the addresses in their web server's log files, or run a mail server that performs envelope verification, both of which result in bursts of DNS requests. The end result of these and similar situations is that your public name server often becomes overworked and is unable to reliably answer DNS requests from other, non-abusive hosts.
There are many solutions to these types of issues, such as throwing more servers at it or buying specialized hardware solutions or firewalls that help to protect against abusive traffic. Another solution, if you're running your name server on a Linux system, is PHREL.
PHREL is a Per Host RatE Limiter written in C to efficiently track the rate of incoming traffic on a per host basis and insert a chain into iptables when a configured threshold is crossed. The inserted chain may either rate limit or completely block the offending host for a period of time and will be automatically removed when the offending host's traffic levels return to normal. PHREL can be used with any type of traffic, but it is particularly well suited to protecting name servers from random hosts that flood DNS requests and preventing SSH brute force login attempts.
To use PHREL to protect your name server, install it directly on your name server by following the included install instructions. Visit the PHREL website to download a copy of the software.
Once PHREL is installed, it can be configured to accept its thresholds and other settings either via the command line or a configuration file. For the purposes of this article, we'll stick with the command line.
Since we're protecting a name server, we'll need to tell phreld (the PHREL daemon) to track incoming traffic on UDP port 53 (DNS) and specify what behavior we'd like for each threshold. The command below instructs phreld to use a threshold of 50 PPS (packets per second), with traffic being rate limited to 25 PPS if that threshold is crossed. Additionally, a threshold of 150 PPS is configured, with traffic being completely blocked if a host reaches that traffic level.
# /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0
If you have hosts that you'd like PHREL to not block or enforce rate limiting against, that can be accomplished by using the -X (exclude) option. Also of note, the IP address of the host on which phreld is run is automatically excluded. For example, if you'd like to exclude servers within 220.127.116.11/24 and the host 18.104.22.168, modify the command line above like so.
# /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0 -X 22.214.171.124/24 -X 126.96.36.199
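To make the threshold logic concrete, here is an added Python simulation of the per-host tracking described above; it is example code written for this article, not PHREL's own source. It assumes one-second counting windows, treats the `-T` pairs as a `{trigger_pps: enforced_pps}` map with 0 meaning block, lifts an action as soon as the host's rate drops below every threshold (PHREL's timed release is not modelled), and the iptables commands it renders are an illustrative equivalent, not the exact chain phreld inserts.

```python
import ipaddress
from collections import defaultdict

class PerHostRateTracker:
    """Count packets per source host in one-second windows and apply PHREL-style thresholds."""

    def __init__(self, thresholds, exclude=()):
        # thresholds: {trigger_pps: enforced_pps}, 0 means block (like -T50:25 -T150:0)
        # exclude: networks/hosts never acted on (like -X)
        self.thresholds = sorted(thresholds.items())
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]
        self.counts = defaultdict(int)  # packets seen in the current window
        self.state = {}                 # host -> enforced_pps currently applied

    def excluded(self, host):
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in self.exclude)

    def packet(self, host):
        """Record one incoming packet from host (constructed input, not a capture)."""
        if not self.excluded(host):
            self.counts[host] += 1

    def tick(self):
        """Close the one-second window; return sorted (host, action) changes."""
        events = []
        for host in set(self.counts) | set(self.state):
            pps = self.counts.get(host, 0)
            target = None  # highest threshold crossed wins
            for trigger, enforced in self.thresholds:
                if pps >= trigger:
                    target = enforced
            current = self.state.get(host)
            if target is None and current is not None:
                del self.state[host]  # traffic back to normal: lift the rule
                events.append((host, "remove"))
            elif target is not None and target != current:
                self.state[host] = target
                events.append((host, "block" if target == 0 else f"limit:{target}"))
        self.counts.clear()
        return sorted(events)

def iptables_rules(host, action, proto="udp", port=53):
    """Illustrative iptables equivalent of a limit/block action (assumed, not PHREL's chain)."""
    match = f"INPUT -p {proto} --dport {port} -s {host}"
    if action == "block":
        return [f"iptables -I {match} -j DROP"]
    rate = action.split(":")[1]  # "limit:25" -> accept 25/s, drop the rest
    return [f"iptables -I {match} -j DROP", f"iptables -I {match} -m limit --limit {rate}/second -j ACCEPT"]
```

Because each command uses `-I`, the DROP rule is inserted first and the limited ACCEPT lands above it, so the excess traffic is dropped only after the allowed rate is consumed.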
As PHREL takes action against abusive hosts, it will log everything it does to syslog. Optionally, PHREL can be configured to also generate SNMP traps, which allows for easy integration with a network management system such as SellaNMS.
There are many more options available to customize how PHREL operates. See the man page for the available options and feel free to visit the PHREL support forum if you have questions.