Best way to block a specific query or IP from reaching the DNS Server


  • Greetings,

    We have been noticing an increasing number of DDoS attacks against our DNS servers located in the DMZ (Server 2008 R2).  Recursion is disabled, so we only give valid responses to zones that we are authoritative for.

    My problem is that we are receiving traffic floods on the order of 10 requests per second simultaneously from multiple sources.  Since DNS responds with a non-authoritative response effectively saying "that zone isn't here, go somewhere else" it still consumes resources.  To combat this, I implemented a QoS policy for outbound traffic to limit the bandwidth, so other services on our network are not affected.  The QoS policy works well, but I fear that some legitimate DNS requests may get lost as a result.

    These malicious floods are querying for the same zone ( for which we are not authoritative.  Since I am clearly just a middleman in an attempted attack against I would like to stop the DNS server from sending ANYTHING back to these queries.

    So, is there a way to block a specific query from ever reaching the DNS server?  The best solution in my mind would be some type of intelligent policy that effectively says "hey, this guy has asked for the same information 200 times in the last 20 seconds.  Let's stop forwarding his requests to port 53."

    I'm thinking Windows Firewall, or some other type of policy here.

    We are looking at security appliances that will do this very thing, and will likely end up there.  It just seems like there should be a way for Windows to handle this on its own.

    June 26, 2012, 2:39 PM
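The "200 requests for the same name in 20 seconds" policy the poster describes, as an added example that is not part of the original thread: a sliding-window counter over DNS query log lines that flags the offending source and renders a Windows Firewall (netsh advfirewall) rule to drop its UDP/53 traffic. The log format (`<epoch> <client_ip> <qname>`) and all IPs and names are constructed for the example.

```python
"""Flag sources that ask one DNS server for the same name too often.

Editor-added example, not code from the thread. Log lines use a
constructed format: '<epoch_seconds> <client_ip> <qname>'.
"""
from collections import defaultdict, deque


def find_flooders(log_lines, limit=200, window=20.0):
    """Return {client_ip: qname} for clients that send more than `limit`
    queries for one qname within any `window`-second span. Recursion is
    off, so each of these is a negative answer we still pay to send."""
    recent = defaultdict(deque)      # (ip, qname) -> timestamps still in window
    flagged = {}
    for line in log_lines:
        ts_str, src, qname = line.split()
        ts = float(ts_str)
        key = (src, qname.lower().rstrip("."))
        hits = recent[key]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # drop timestamps that aged out
            hits.popleft()
        if len(hits) > limit and src not in flagged:
            flagged[src] = key[1]
    return flagged


def block_rule(src_ip):
    """Render the netsh rule that drops inbound UDP/53 from one client.
    Note this blocks every query from that IP, not just the abusive name."""
    return ('netsh advfirewall firewall add rule name="DNS-flood-%s" '
            'dir=in action=block protocol=UDP localport=53 remoteip=%s'
            % (src_ip, src_ip))


def sample_log():
    """Constructed log: one flooder, one slow repeater, one normal client."""
    lines = []
    for i in range(250):             # 250 queries in 10 s -> flood
        lines.append(f"{1000 + i * 0.04:.2f} 203.0.113.10 victim.example.net.")
    for i in range(250):             # 250 queries over 500 s -> never 200 in 20 s
        lines.append(f"{1000 + i * 2.0:.2f} 198.51.100.20 victim.example.net.")
    for i in range(5):               # normal client asking for a zone we host
        lines.append(f"{1000 + i:.2f} 198.51.100.7 www.ourzone.example.")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for ip, name in find_flooders(sample_log()).items():
        print(f"{ip} flooded {name}:\n  {block_rule(ip)}")
```

The slow repeater shows why the window matters: the same total query count spread out over minutes is not a flood, and the rule is only generated for the client that actually exceeded the threshold inside the window.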