Protecting the primary DNS server on your router

In a comment to my post describing how to make a router into a primary DNS server, one of the readers noted that you could easily overload a router doing that ... and he's obviously right.

Apart from having too many valid DNS requests for the zone the router is responsible for, the observed behavior could be spam-related. Just a few days ago when I've discussed the router-based DNS server with my security engineers, they've pointed out that a lot of spammers perform regular DNS attacks trying to poison the DNS cache of unpatched open caching DNS servers.

Obviously, a router is no match in raw CPU power to a high-end server, so even when running the authoritative server on the router, it might not be a bad idea to use a DNS server of your ISP as the secondary DNS and list only the ISP's DNS server in the NS records for your zone. This would deflect most of the traffic (as nobody would know your router is acting as a DNS server), but I would still apply an inbound access-list allowing only DNS queries from the secondary name server on the Internet-facing interface.

Alternatively, you could protect the router with Control Plane Policing and drop excessive DNS request packets, but that would affect the queries you should respond to as well.

6 comments:

  1. Still, a router's job is to route packets. It was not designed to be a dns server.

    ReplyDelete
  2. Well, no-one can disagree with your comment. However, not all routers deployed today are highly utilized (for example, my 800-series router having only an ISDN uplink is bored most of the time), so it makes sense to reuse them to provide other services as well (assuming, of course, you take measures to protect them from being overloaded) ... or you might need a quick fix to a network problem and having a router that can provide extra services really helps if you know how to use them.

    I've also seen people who use pretty powerful boxes (7200-series or 7300-series routers) to provide solely the BGP route reflection service, as well as ingenious networking engineers who deployed boxes phased out of production network to serve as various servers (for example, NTP server).

    ReplyDelete
  3. Hi,

    I have an IPSec VPN between 2 sites.
    Do you have any idea whether it's possible to route email for 1 particular domain (@company.com) over the VPN?

    ReplyDelete
  4. Of course it can be done. Most mail servers support static (mail) routing configuration for a domain. For example, the Exchange 2003 message routing configuration is described here.

    If you configure the destination mail server for company.com to be an address reachable over the IPSec VPN (the mail server on the other site), the mail for that domain will be delivered over the VPN.

    ReplyDelete
  5. When I enabled the DNS server on my router it had issues until I realized it was DNS proxying to it's self. Once I did a

    no ip name-server 10.1.1.1

    , where 10.1.1.1 is the routers own f0/0 interface, the issues went away.

    I'm just learning so I have no idea what I'm doing most of the time. I just try things and see what happens but I was wondering if this could be the cause of high utilization others are seeing.

    ReplyDelete
  6. I haven't tried to recreate the scenario where a router would try to use itself as a DNS server. I tried to do something similar a while ago and failed miserably - it simply wouldn't work, so I doubt that you could generate a DNS loop resulting in high CPU utilization this way.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.