LF_BIND not blocking DNS UDP 53 traffic

f5afr2nwoyz
Junior Member
Posts: 2
Joined: 14 Oct 2014, 20:05

LF_BIND not blocking DNS UDP 53 traffic

Post by f5afr2nwoyz »

When configuring LF_BIND for detection of repeated BIND denied requests, LFD detects and temporarily blocks TCP port 53 for the offending IP address but leaves UDP port 53 open for the attacks to continue. This can be verified by examining the temporary block list and the active iptables rules.

Example:
1 0 0 DROP tcp -- !lo * 192.221.138.116 0.0.0.0/0 tcp dpt:53

Eventually the IP reaches the LF_PERMBLOCK_COUNT and all traffic is dropped for the offending IP, but this should have been done sooner using temporary blocks.

Per specs, DNS uses both TCP and UDP port 53 to respond to queries.

From all of my testing this appears to be a bug, and I am unable to find a way to configure LFD to block UDP port 53 as well for DNS, so I am reporting this as such.
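A quick way to verify the symptom described in the post is to check, for a given source IP and port, which protocols the current DROP rules actually cover. The script below is an added example, not csf or lfd code: it parses a listing in the shape produced by iptables -L -n -v --line-numbers (the quoted rule line uses that layout) and reports the protocols blocked for that IP and destination port. The listing is constructed here so the script runs offline; it reuses the post's rule and adds a second, hypothetical source 198.51.100.7 that is blocked on both TCP and UDP for comparison. On a live host you would pipe the real listing in instead.

```shell
#!/bin/sh
# Added example (not csf/lfd code): report which protocols a per-port
# temporary block covers for one source IP, so a TCP-only rule like the
# one quoted in the post stands out.

# Constructed sample in the shape of `iptables -L -n -v --line-numbers`.
# The first rule is the one quoted in the post; 198.51.100.7 is a
# hypothetical source with both TCP and UDP dropped.
SAMPLE_RULES='Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- !lo * 192.221.138.116 0.0.0.0/0 tcp dpt:53
2 0 0 DROP tcp -- !lo * 198.51.100.7 0.0.0.0/0 tcp dpt:53
3 0 0 DROP udp -- !lo * 198.51.100.7 0.0.0.0/0 udp dpt:53'

# block_protocols IP PORT [LISTING]
# Prints the sorted, space-separated protocols for which a DROP rule on
# destination port PORT exists for source IP. Reads the listing from the
# third argument, or from stdin when it is omitted. Fields are located by
# content (the token after DROP is the protocol; the IP is matched as a
# whole field) so the column offsets of -v/--line-numbers do not matter.
block_protocols() {
    ip=$1
    port=$2
    if [ $# -ge 3 ]; then listing=$3; else listing=$(cat); fi
    printf '%s\n' "$listing" |
      awk -v ip="$ip" -v port="$port" '
        $NF == "dpt:" port {
            hit = 0; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "DROP" && i < NF) proto = $(i + 1)
                if ($i == ip) hit = 1
            }
            if (hit && proto != "") print proto
        }' |
      sort -u | tr '\n' ' ' | sed 's/ $//'
}

# covers_both IP PORT [LISTING]
# Succeeds only when both tcp and udp are dropped for IP on PORT, which is
# what a DNS port block needs since DNS answers over both transports.
covers_both() {
    if [ $# -ge 3 ]; then protos=$(block_protocols "$1" "$2" "$3")
    else protos=$(block_protocols "$1" "$2"); fi
    case " $protos " in
        *" tcp "*) ;;
        *) return 1 ;;
    esac
    case " $protos " in
        *" udp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage against the constructed listing.
for src in 192.221.138.116 198.51.100.7; do
    if covers_both "$src" 53 "$SAMPLE_RULES"; then state="tcp+udp blocked"
    else state="INCOMPLETE block"; fi
    echo "$src port 53: $(block_protocols "$src" 53 "$SAMPLE_RULES") ($state)"
done
```

On a real server replace the constructed listing with the live one, for example `iptables -L DENYIN -n -v --line-numbers | block_protocols 192.221.138.116 53`; a result of just "tcp" is the behaviour the post reports.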
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_BIND not blocking DNS UDP 53 traffic

Post by ForumAdmin »

We'll implement a fix for this in the next release. The only way around the problem until then would be to disable per port blocking (LF_SELECT).
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_BIND not blocking DNS UDP 53 traffic

Post by ForumAdmin »

This should now be addressed in csf v7.55:
http://blog.configserver.com/