Hello all, there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers.
The situation is similar but not the same as the one described here: https://isc.sans.edu/diary.html?storyid=13261

We used iptables and the string module to match a specific signature of the problematic queries and it worked quite well (in our attack case the problematic queries had a very specific and simple pattern).

The question is, if we had OpenBSD and PF as a firewall, what could we do to address this? From searching the archives I saw this quite old post: http://www.monkey.org/openbsd/archive/misc/0207/msg00743.html

I haven't seen any string matching capability in PF for the packet payload. Unless I am missing something, what would your suggestions be in such a scenario? I am interested to hear possible solutions in other layers as well.

Regards,
Kostas
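Since the post notes that PF has no payload string matching, one "other layer" is to inspect the DNS question section itself and count ANY (QTYPE 255) queries per source, so a resolver operator can decide what to rate-limit or block. The following is an added example, not code from the original post; the query packets, the 192.0.2.0/24 source addresses and the threshold of 3 are all constructed for the demonstration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # RFC 1035 QTYPE "*" (ANY)


def parse_question(payload):
    """Return (qname, qtype) from a raw DNS query, or None if it is a response or malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, *_ = struct.unpack_from("!HHHHHH", payload, 0)
    if flags & 0x8000 or qdcount == 0:  # QR bit set (a response) or no question section
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not valid in a query's question, treat as malformed
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack_from("!HH", payload, pos)
    return ".".join(labels) + ".", qtype


def any_query_sources(packets, threshold):
    """Count ANY queries per source over (src_ip, udp_payload) pairs; return sources at/above threshold."""
    counts = Counter()
    for src, payload in packets:
        question = parse_question(payload)
        if question and question[1] == QTYPE_ANY:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def build_query(qname, qtype, txid=0x1234):
    """Construct a standard recursive DNS query (used here only to build sample traffic)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample traffic: one noisy ANY source, normal A queries, one stray ANY, one response.
SAMPLE = ([("192.0.2.10", build_query("example.com", QTYPE_ANY))] * 5
          + [("192.0.2.20", build_query("example.com", 1))] * 5
          + [("192.0.2.30", build_query("example.net", QTYPE_ANY))]
          + [("192.0.2.40", b"\x12\x34\x81\x80" + b"\x00" * 8)])

if __name__ == "__main__":
    print(any_query_sources(SAMPLE, 3))
```

The result names only the source that repeatedly sent ANY queries, which is the per-client information the post's iptables string match could not give; the same logic can be run over a packet capture from the resolver.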