Stopping Open DNS - Billion

From AAISP Support Site
Revision as of 10:04, 18 Haziran 2013 by AA-Andrew (talk | contribs) (Created page with "=Billion= Billion routers appear to have a built-in DNS resolver, and answer queries on the WAN interface by default, so is vulnerable to taking part in DDoS attacks by reply...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Billion

Billion routers appear to have a built-in DNS resolver, and answer queries on the WAN interface by default, so is vulnerable to taking part in DDoS attacks by replying to spoofed dns queries. Screenshot below shows how to block this in filters.

This was tested on Firmware Version : 2.7.0.23(UE0.C2C)3.5.10.1

 

Please note that on these routers this does not prevent the router's internal resolver from doing the DNS lookup itself. This isn't usually a problem, but due to recent DNS amplification attacks sometimes lookups have continued after fixing the original problem. To prevent this add a rule blocking DNS *from* the router's WAN IP *to* port 53. This will prevent usage of the router as the LAN's DNS resolver.