We have been noticing an increasing number of DDoS attacks against our DNS servers located in the DMZ (Server 2008 R2). Recursion is disabled, so we only give valid responses to zones that we are authoritative for.
My problem is that we are receiving traffic floods on the order of 10 requests per second simultaneously from multiple sources. Since DNS responds with a non-authoritative response effectively saying "that zone isn't here, go somewhere else", it still consumes resources. To combat this, I implemented a QoS policy for outbound traffic to limit the bandwidth, so other services on our network are not affected. The QoS policy works well, but I fear that some legitimate DNS requests may get lost as a result.
These malicious floods are querying for the same zone (isc.org) for which we are not authoritative. Since I am clearly just a middleman in an attempted attack against ISC.org I would like to stop the DNS server from sending ANYTHING back to these queries.
So, is there a way to block a specific query from ever reaching the DNS server? The best solution in my mind would be some type of intelligent policy that effectively says "hey, this guy has asked for the same information 200 times in the last 20 seconds. Let's stop forwarding his requests to port 53."
I'm thinking windows firewall, or some other type of policy here.
We are looking at security appliances that will do this very thing, and will likely end up there. It just seems like there should be a way for Windows to handle this on its own.
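The rate-based policy the question describes ("more than 200 queries in 20 seconds for a zone we don't host, stop answering that source") can be prototyped as detection logic over the DNS server's query log. The following is an added example, not code from the original post; it assumes a simplified, constructed log line format and a hypothetical `AUTHORITATIVE_ZONES` set, and the `block_rule` output is only one possible follow-up action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTHORITATIVE_ZONES = {"example.com"}  # assumption: the zones this server actually hosts
THRESHOLD, WINDOW_SECONDS = 200, 20     # "200 queries in 20 seconds", as in the question
# Simplified line format (assumption, loosely modelled on the Windows DNS debug log):
# "<YYYY-MM-DD> <HH:MM:SS> UDP Rcv <client-ip> Q <qname>"
LINE_RE = re.compile(r"^(\S+ \S+) UDP Rcv (\d+\.\d+\.\d+\.\d+) Q (\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    return None if not m else (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                               m.group(2), m.group(3).rstrip(".").lower())

def is_authoritative(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def find_flooders(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Map source IP -> time it first exceeded `threshold` queries for zones we do
    not host within any `window`-second span; queries for our own zones are ignored."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if is_authoritative(qname):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire entries outside the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def block_rule(ip):  # one possible response: a Windows Firewall rule dropping UDP/53 from that source
    return (f'netsh advfirewall firewall add rule name="DNS flood {ip}" '
            f"dir=in action=block protocol=UDP localport=53 remoteip={ip}")

def sample_log():
    # Constructed sample: 203.0.113.7 sends 250 isc.org queries in 12.5 s, 192.0.2.9
    # asks for isc.org only 5 times, 198.51.100.20 queries a zone we do host.
    base = datetime(2012, 3, 6, 9, 7, 0)
    fmt = lambda t, ip, name: f"{t:%Y-%m-%d %H:%M:%S} UDP Rcv {ip} Q {name}"
    lines = [fmt(base + timedelta(milliseconds=50 * i), "203.0.113.7", "isc.org.") for i in range(250)]
    lines += [fmt(base + timedelta(seconds=i), "192.0.2.9", "isc.org.") for i in range(5)]
    lines += [fmt(base + timedelta(seconds=i), "198.51.100.20", "www.example.com.") for i in range(300)]
    return lines
```

Only the high-rate source asking for a foreign zone is flagged; the legitimate client querying the hosted zone and the low-rate foreign-zone client are left alone, which is the distinction a blanket QoS limit cannot make.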
I think we have not much option to prevent the DDoS attack by using the Windows built-in feature, but will suggest to have whatever hardware- or software-based router or firewall devices (for example, TMG/ISA) and set it in front of the server in order to protect it against the attacks from the internet:
Planning to protect against denial of service flood attacks