10-16-2018 10:42 AM
I'm in a fairly large environment that is not easily persuaded to remediate anything. My Reporting appliance has been getting slammed with NXDOMAIN queries (they are not a DDOS attack or anything, they are actually valid queries) for servers/applications that have been decommissioned for YEARS, yet client workstations are still making the queries.
I've been toying with the idea of creating a Blacklist of the top 20 or so NXDOMAIN queries for some time now - my main question is if I were to implement this and set the action for the DNS appliance to respond with a 'REFUSED' response, would those queries get logged to syslog and/or the Reporting appliance? Would that create any additional CPU usage load, QPS load, or have any overall negative effect on my environment etc.?
My concern in doing this is that these queries are happening at an alarming rate (three records for one application are generating over 4 million NXDOMAIN entries over a 24 hour period alone = 12 million+ queries), and that these are flooding the logs and reports, so it'll take forever for us to actually notice a positive attack result while also hindering our ability to troubleshoot actual system issues.
Appreciate the feedback ahead of time.
10-23-2018 12:01 PM
I know that it would be cruel, but you could give it a loopback IP (127.0.0.1) as the response with a very long TTL. If the host/device/app is using TTL properly it would dramatically cut down on your query load for those specific names.
We do something similar for things that we block. We return a specific IP for a given list so we can tell easily what blacklist it's hitting in the RPZ. This way we can report on source/destination/etc and see if things are corrected over time.
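The two approaches in this thread (the original poster's "blacklist the top 20 NXDOMAIN names" and the reply's "answer them with 127.0.0.1 and a long TTL") can both be expressed as Response Policy Zone rules. The script below is an added example, not code from either poster or from any DNS vendor: it ranks the noisiest NXDOMAIN names from a log and emits either the standard RPZ NXDOMAIN action (`CNAME .`) or the RPZ Local Data action (an `A 127.0.0.1` record with a long TTL). The log lines are constructed for the example; real appliance syslog formats differ, so `LINE_RE` would need adjusting. A vendor-specific "REFUSED" action as mentioned in the question is not one of the standard RPZ actions and is not generated here.

```python
import re
from collections import Counter

# Constructed sample log (NOT real appliance output). Fields: timestamp client qname qtype rcode.
SAMPLE_LOG = """\
2018-10-16T10:42:01 10.1.1.23 oldapp01.corp.example. A NXDOMAIN
2018-10-16T10:42:01 10.1.1.24 OLDAPP01.corp.example. A NXDOMAIN
2018-10-16T10:42:02 10.1.1.23 oldapp01.corp.example. AAAA NXDOMAIN
2018-10-16T10:42:02 10.1.1.30 legacy-db.corp.example. A NXDOMAIN
2018-10-16T10:42:03 10.1.1.31 legacy-db.corp.example. A NXDOMAIN
2018-10-16T10:42:03 10.1.1.40 www.example.com. A NOERROR
2018-10-16T10:42:04 10.1.1.41 retired-print.corp.example. A NXDOMAIN
this line is deliberately malformed and must be skipped
"""

# Assumed line layout for the constructed log above; adjust for a real syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def top_nxdomain(log_text, n=20):
    """Return the n most frequent NXDOMAIN names as (name, count), case-folded,
    trailing dot removed, so A and AAAA lookups of one name are counted together."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("rcode") != "NXDOMAIN":
            continue  # unparseable or not an NXDOMAIN answer
        counts[m.group("qname").lower().rstrip(".")] += 1
    return counts.most_common(n)


def rpz_records(names, policy="nxdomain", ttl=86400):
    """Build one RPZ rule per name.

    policy="nxdomain": standard RPZ NXDOMAIN action, written as 'CNAME .'
    policy="loopback": RPZ Local Data action returning 127.0.0.1 with a long TTL,
                       the approach from the reply above.
    Owner names are relative to the RPZ zone origin, so no trailing dot.
    """
    rules = []
    for name in names:
        if policy == "nxdomain":
            rules.append(f"{name} {ttl} IN CNAME .")
        elif policy == "loopback":
            rules.append(f"{name} {ttl} IN A 127.0.0.1")
        else:
            raise ValueError(f"unknown policy: {policy}")
    return rules


def rpz_zone(rules, origin="rpz.corp.example"):
    """Wrap rules in a minimal zone file; origin and SOA values are assumed placeholders."""
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + list(rules)) + "\n"


if __name__ == "__main__":
    ranked = top_nxdomain(SAMPLE_LOG, n=20)
    for name, count in ranked:
        print(f"{count:>8}  {name}")
    names = [name for name, _ in ranked]
    # One week TTL so clients that honour TTL stop re-asking for the dead names.
    print(rpz_zone(rpz_records(names, policy="loopback", ttl=604800)))
```

Ranking on case-folded names without the query type matters here: the three records the original poster mentions are probably asked for as both A and AAAA, and a per-type count would understate how noisy each name really is. Before loading such a zone, check the candidate list against whatever change record says the application was decommissioned, since a name that is merely misconfigured rather than retired would be silently hidden by either action.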