Rate limit open DNS resolvers
If you self-host a DNS server, you have to take care of its security. DNS normally runs over UDP, which has no handshake: the source address of a query can be spoofed, and a small query can trigger a much larger response. Attackers abuse publicly reachable open resolvers in exactly this way for DNS amplification DDoS attacks. That is something that cost me some nights when I was doing hands-on incident response.
Why would you ever need to host anything with DNS?
We decided that it was time for a new TV and naively bought an internet-connected Samsung TV. At some point it started showing embedded advertisements. Research showed that this isn’t a unique phenomenon, because Samsung thinks that it is entitled to spam you on your own TV.
One way to block these nasty ads, which may also violate consumer rights and GDPR data-subject rights in the EU, is self-hosting a DNS server with filtering capabilities.
Technitium DNS is a feature-rich DNS server that lets you load block lists for exactly this kind of problem. Not only does it make watching TV more comfortable, it also improves privacy and security.
DNS over TLS and HTTPS
Technitium’s features include the modern encrypted DNS transports, DNS over TLS (DoT) and DNS over HTTPS (DoH). Self-hosting a server that speaks these protocols is useful, because queries between your clients and the resolver are then encrypted instead of travelling as plaintext UDP.
But when this post was first written, rate limits for Technitium DNS were still on the roadmap, so hosting it on a public IP was not ideal.
Update - Technitium QPM features
2021-08-21T22:00:00Z – for a couple of weeks now, Technitium has offered rate-limiting features.
I decided to block individual clients (/32 for IPv4 addresses and /64 for IPv6) based on certain limits. Clients may exceed the rate limit for a given sample period of 5 minutes, but if the average number of DNS queries is too high over time, they get blocked. IMHO that makes the most sense, because after waking up from sleep mode clients may make lots of DNS queries. No need to block legitimate queries.
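To make the averaging idea concrete, here is a small Python model of such a limiter. It is an added example written for this post, not Technitium’s code or its actual algorithm: it keys clients by /32 (IPv4) and /64 (IPv6), counts every query seen in the last five minutes, and blocks a client only when its average over that window exceeds the per-minute limit, so a wake-up burst passes while a sustained flood does not. The addresses and traffic below are constructed (documentation ranges from RFC 5737 and RFC 3849).

```python
"""Sliding-window queries-per-minute (QPM) limiter keyed by client prefix.

Illustrative model written for this post, not Technitium's implementation:
every query in the last `sample_minutes` is counted, so a client may burst
far above the per-minute limit as long as its average over the window stays
below it. Blocked queries are still counted, so a flooder stays blocked until
it really backs off.
"""
from collections import deque
import ipaddress


class QpmLimiter:
    def __init__(self, qpm_limit=60, sample_minutes=5, v4_prefix=32, v6_prefix=64):
        self.qpm_limit = qpm_limit
        self.sample_minutes = sample_minutes
        self.window_s = sample_minutes * 60
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.history = {}  # prefix -> deque of query timestamps (seconds)

    def key_for(self, client_ip):
        """/32 for IPv4 hosts, /64 for IPv6 (one subscriber site usually shares a /64)."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network((str(addr), plen), strict=False))

    def allow(self, client_ip, now):
        """Return True if the query arriving at time `now` (seconds) should be answered."""
        q = self.history.setdefault(self.key_for(client_ip), deque())
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:  # forget queries older than the sample window
            q.popleft()
        q.append(now)
        # average rate over the whole sample window, including this query
        avg_qpm = len(q) / self.sample_minutes
        return avg_qpm <= self.qpm_limit


def run_demo():
    """Constructed traffic against a 60 QPM limit sampled over 5 minutes."""
    lim = QpmLimiter(qpm_limit=60, sample_minutes=5)
    r = {}
    # A laptop waking from sleep fires 100 queries in 2 s: 20 QPM average, all answered.
    r["wakeup_allowed"] = sum(lim.allow("192.0.2.10", 100.0 + i * 0.02) for i in range(100))
    # A flooder sends 400 queries in 4 s: answered until the window average exceeds 60 QPM.
    flood = [lim.allow("198.51.100.7", 200.0 + i * 0.01) for i in range(400)]
    r["flood_allowed"] = sum(flood)
    r["flood_first_blocked"] = flood.index(False)
    # After staying quiet for a full sample window the flooder is served again.
    r["flood_after_window"] = lim.allow("198.51.100.7", 504.0)
    # Two hosts in one IPv6 /64 share a bucket: 150 + 150 queries fill it, the 301st is blocked.
    a = sum(lim.allow("2001:db8:1::1", 300.0 + i * 0.01) for i in range(150))
    b = sum(lim.allow("2001:db8:1::2", 302.0 + i * 0.01) for i in range(150))
    r["v6_pair_allowed"] = a + b
    r["v6_pair_next_blocked"] = not lim.allow("2001:db8:1::ffff", 304.0)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With a 60 QPM limit over a 5 minute sample, a client gets 300 queries of headroom in any window, which is why the wake-up burst is harmless while the flooder hits the wall at its 301st query and stays blocked until the window has moved past the flood.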
Donations go here: Technitium is creating Software | Patreon
Generally, it doesn’t hurt to use pfSense traffic limiters as well, but they may not be strictly necessary anymore. It is interesting, though, how quickly malicious clients show up once you make a DNS resolver available on the internet.
Using pfSense Limiters
To protect an open UDP DNS resolver that has no rate-limiting features of its own, you can enforce the limit on a modern firewall instead.
Apply a traffic rate limit to UDP port 53.
pfSense implements this with limiters: the In / Out pipes add schedulers and queues to the traffic flows.
You allow a default bandwidth, which you can apply globally or even per IP. In this case it is a simple global bandwidth limit with a scheduler that does not add latency until traffic reaches that limit.
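The difference between a global limit and a per-IP one is easy to see in a model. The following Python is an added example for this post, not pfSense or dummynet code: each pipe is a token bucket (a simplification of dummynet’s queue and scheduler), and the per_source switch stands in for applying the limiter per source address instead of to all UDP/53 traffic at once. The traffic trace, addresses and rate are constructed. In the global case a flooder eats the whole pipe and the legitimate client gets nothing through; in the per-source case the flooder is throttled on its own and the legitimate client is untouched.

```python
"""One shared bandwidth pipe vs one pipe per source IP in front of UDP/53.

Illustrative token-bucket model written for this post; it is not pfSense or
dummynet code. Times are integer microseconds and credit is kept in
micro-bytes so every step is exact integer arithmetic.
"""
from collections import defaultdict

MICRO = 1_000_000


class Pipe:
    """Token bucket: earns `rate_bps` bytes of credit per second, banks at most `burst_bytes`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.cap = burst_bytes * MICRO
        self.credit = self.cap
        self.last_us = 0

    def admit(self, now_us, size_bytes):
        # microseconds * bytes/second = micro-bytes, so the refill is exact
        self.credit = min(self.cap, self.credit + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        need = size_bytes * MICRO
        if self.credit >= need:
            self.credit -= need
            return True
        return False  # no credit left: drop, like a full dummynet queue


def run_pipe(packets, rate_bps, burst_bytes, per_source):
    """Feed time-ordered (t_us, src, size) packets through the limiter.

    per_source=False: one pipe for all clients (a global limit).
    per_source=True:  one pipe per source address (a per-IP limit).
    Returns {src: number of packets that got through}.
    """
    pipes = defaultdict(lambda: Pipe(rate_bps, burst_bytes))
    passed = {src: 0 for _, src, _ in packets}
    for t, src, size in packets:
        key = src if per_source else "shared"
        if pipes[key].admit(t, size):
            passed[src] += 1
    return passed


def build_trace():
    """Constructed traffic for one second (RFC 5737 documentation addresses):
    a flooder sending a 100-byte query every 100 microseconds and a home client
    sending ten 60-byte queries, one every 100 ms."""
    flood = [(k * 100, "203.0.113.9", 100) for k in range(10_000)]
    legit = [(50_550 + j * 100_000, "192.0.2.10", 60) for j in range(10)]
    return sorted(flood + legit)


RATE_BPS = 20_000   # 160 kbit/s, a constructed limit of the same order as the one measured below
BURST_BYTES = 1_000


def compare():
    trace = build_trace()
    return {
        "global": run_pipe(trace, RATE_BPS, BURST_BYTES, per_source=False),
        "per_source": run_pipe(trace, RATE_BPS, BURST_BYTES, per_source=True),
    }


if __name__ == "__main__":
    for mode, counts in compare().items():
        print(mode, counts)
```

One caveat a per-IP limiter does not remove: in an amplification attack the source addresses are those of the victims, so per-source pipes isolate your own clients from each other but do not cap the total outbound traffic by themselves. A global ceiling on top, as used in this post, is still sensible.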
Testing the UDP traffic-limit
One of the more conservative bandwidth test tools is iperf3. It needs a client/server setup, which makes sense here because we have to measure the variance of UDP throughput under the limiter.
In the screenshot of the test, the shell with the black background and blue font is the server. It reports approximately 65 - 130 Kbit/s, which is appropriate for this measurement: the traffic is not bursting, and that is the intention.
- pfSense Limiters are useful for traffic limits
- Technitium DNS is useful for comfort, privacy and security
- Technology is complex, and you should be careful when self-hosting open resolvers
- Samsung TVs can embed advertisements, and I hope that there will be heavy fines