  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Port 53 flood on IPS
Author Topic: Port 53 flood on IPS  (Read 13290 times)

dcol

Port 53 flood on IPS
« on: February 08, 2018, 09:50:49 pm »
Looking for some opinions on what I am experiencing here on a test server.
I set up about 20 or so of the worst hacking countries in a GeoIP IPS user rule. I called the rule CountryDrop.
Now I see constant port 53 blocks as per the alert sample below. This is flooding my alerts.

2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop

Most of this port 53 traffic is coming from Sweden and the Netherlands.
Is this a DoS attack from these countries, or is this legitimate traffic trying to probe for DNS info? By the way, I do not have a DNS server running on this network. IP 98.100.100.100 would be my local workstation traffic.
If I remove the GeoIP ruleset from IPS, then this traffic would just end up in the firewall alerts if I used a GeoIP firewall rule. And I did not see this traffic yesterday. The only change I made today was to update to 18.1.12. And I already had the IPS drop patch installed in 18.1.11 two days ago.

Just looking for some opinions on this traffic.
« Last Edit: February 08, 2018, 10:14:39 pm by dcol »
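To make sense of an alert export like the one above, it helps to look at the port layout rather than the country: every row has source port 53 and an ephemeral destination port, so the packets are shaped like DNS replies arriving at the local address, not like queries aimed at a DNS server. The script below is an added example (not OPNsense or Suricata code) that parses the whitespace-separated alert format from the post, collapses the exact duplicate rows the export contains, counts alerts per source, and lists reply-shaped sources that are not among a set of known resolvers. The sample input is a constructed subset of the lines posted above, and 203.0.113.53 is a placeholder for an ISP resolver address.

```python
"""Triage of the IPS alert sample from the thread (added example, not OPNsense code)."""
from collections import Counter
from datetime import datetime

# Constructed input: a subset of the alert rows posted in the thread, in the
# export's own column order: timestamp, action, interface, src, sport, dst, dport, rule.
SAMPLE_ALERTS = """\
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
"""

FIELDS = ("ts", "action", "iface", "src", "sport", "dst", "dport", "rule")


def parse_alerts(text):
    """Return one dict per alert row; ports become ints and the timestamp a datetime."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not an alert row (blank line, header, trailing noise)
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        alerts.append(rec)
    return alerts


def dedupe(alerts):
    """Drop exact duplicate rows; the posted export lists every alert twice."""
    seen, unique = set(), []
    for rec in alerts:
        key = (rec["ts"], rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["rule"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def classify(rec):
    """Classify a row by port layout: query aimed at us, or something shaped like a reply."""
    if rec["dport"] == 53:
        return "query_shaped"   # remote host asking our side for DNS
    if rec["sport"] == 53:
        return "reply_shaped"   # looks like an answer from a DNS server
    return "other"


def summarize(alerts, known_resolvers=frozenset()):
    """Counts, per-source totals, event rate, and reply-shaped sources we do not recognise."""
    unique = dedupe(alerts)
    if not unique:
        return {"raw_lines": len(alerts), "unique_alerts": 0}
    span = (max(r["ts"] for r in unique) - min(r["ts"] for r in unique)).total_seconds()
    unexpected = sorted({r["src"] for r in unique
                         if classify(r) == "reply_shaped" and r["src"] not in known_resolvers})
    return {
        "raw_lines": len(alerts),
        "unique_alerts": len(unique),
        "kinds": dict(Counter(classify(r) for r in unique)),
        "by_src": dict(Counter(r["src"] for r in unique)),
        "span_seconds": span,
        "per_minute": len(unique) / span * 60 if span > 0 else float("inf"),
        "unexpected_reply_sources": unexpected,
    }


if __name__ == "__main__":
    # 203.0.113.53 is a placeholder for the ISP resolver the firewall actually forwards to.
    for key, value in summarize(parse_alerts(SAMPLE_ALERTS), known_resolvers={"203.0.113.53"}).items():
        print(f"{key}: {value}")
```

On the sample, every unique row is reply-shaped and none of the sources is a resolver the firewall was configured to use, which is the question the rest of the thread turns on: whether such packets could be answers to the firewall's own queries.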

elektroinside

Re: Port 53 flood on IPS
« Reply #1 on: February 09, 2018, 05:06:50 pm »
Thinking about whether blocking entire countries is a good idea.
Wouldn't you be safer covering a selected number of attacking IPs from all over the world instead of countries?

Something like: https://iplists.firehol.org/

Found it to be more helpful (more dropped stuff and also better performance-wise) than GeoIP blocking.

Firehol lists are very good IMO.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

dcol

Re: Port 53 flood on IPS
« Reply #2 on: February 09, 2018, 06:14:34 pm »
I agree, Firehol is great for IPS in a general use firewall.

I did an inspection of the last 25 or so IPs of the blocked country hits with GeoIP and none of them were in the firehol list. But I did move the Scandinavian countries to the firewall. That reduced my IPS hits by 50%. But could change tomorrow.

If I were running a firewall for internet users, I would open up all those countries and use a more conservative approach, but this firewall is for web and email servers that have no business outside the US and a few select countries. If I add a local workstation network to one of these firewalls, then I would use GeoIP in the firewall only to block traffic to the servers and firehol to block traffic to the workstations and not use GeoIP blocking in IPS at all.

My custom drop IPS rules get rid of 95% of unwanted WAN traffic by dropping unused ports, which IMO is the best approach in any environment that has a trusted internal network, but it does require close monitoring in the beginning. This, paired with custom pass rules to match known good outbound ports and inbound IPs, reduces stress on IPS. Now that OPNsense has better IPS monitoring, this approach is my favorite and simple to maintain in the long haul.

Ultimately the firewall configuration should match the usage. There really is no 'one size fits all' solution.

nqnguyen2

Re: Port 53 flood on IPS
« Reply #3 on: February 10, 2018, 04:27:52 am »
Without knowing additional details it's hard to tell why you see that in IPS.

The closest thing I've seen on my network regarding port 53 was when I ran DNS benchmark tools on my desktop. There must've been a faulty TTL or something, because after the test was completed, I saw tons of blocked DNS entries in my firewall log, as if the DNS traffic finally came back after the states were closed.

I also see a lot of DNS traffic when using Chrome without browsing to any websites.

dcol

Re: Port 53 flood on IPS
« Reply #4 on: February 10, 2018, 09:06:40 pm »
But what I am really curious about is if this DNS traffic could be legit. Maybe it is other DNS servers doing legit queries to the OPNsense DNS Resolver. Although most of these IPs are from the top 10 hacker countries.
Should I allow port 53 from any external IP other than my own ISP DNS servers?
By the way there are no computers running on the source port, only OPNsense.
« Last Edit: February 10, 2018, 09:18:17 pm by dcol »

elektroinside

Re: Port 53 flood on IPS
« Reply #5 on: February 10, 2018, 09:40:16 pm »
No way, you should never allow access to your DNS server from the internet. Never ever :) The proper way to access your internal DNS server, if needed, is via a VPN (if coming from the internet)...

dcol

Re: Port 53 flood on IPS
« Reply #6 on: February 10, 2018, 10:49:33 pm »
Not running a DNS server on that IP unless you consider OPNsense a DNS server. I thought that the DNS Resolver was just for internal queries. I use the ISP for external.

Man, I get a lot of hits on that port. Probably about 1000 an hour. And this is not even a well used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.

elektroinside

Re: Port 53 flood on IPS
« Reply #7 on: February 11, 2018, 01:13:11 am »
It is for internal queries, that is why it should never be opened to the internet. But it also forwards queries to your upstream DNS servers (as all DNS servers do), so theoretically it could be used from the internet.

1000 blocked connections/h sounds to me like a targeted attack at least, if not a flood. If I were you, I would also verify the LAN clients, check if there's malware somewhere sending data to the outside world... It is definitely way above normal traffic "noise".

dcol

Re: Port 53 flood on IPS
« Reply #8 on: February 11, 2018, 09:56:42 pm »
There are no LAN users on that firewall, yet. And it is the LAN IP that is getting hit, not the server IP.
DNS has outbound access to forward queries and that seems to be working ok as are internal queries.
They keep on coming. You would think it would stop since they aren't getting any response. And it is always a different IP from those hacking countries.

elektroinside

Re: Port 53 flood on IPS
« Reply #9 on: February 11, 2018, 11:24:20 pm »
Well.. the US is a heavily targeted country, many attacks go there... The attackers must like your IP :P

nqnguyen2

Re: Port 53 flood on IPS
« Reply #10 on: February 14, 2018, 06:29:04 am »
Strange that you're being targeted as if you're a highly valued target.

I agree that you should keep blocking that inbound DNS traffic. DNS queries should be stateful in the firewall in this order: LAN to WAN to LAN. DNS in practice shouldn't be accepted if unsolicited from WAN.

dcol

Re: Port 53 flood on IPS
« Reply #11 on: February 14, 2018, 03:59:34 pm »
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server. So I now let them in but hardened my GeoIP block and added firehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IPs.

phoenix

Re: Port 53 flood on IPS
« Reply #12 on: February 14, 2018, 05:17:47 pm »
Quote from: dcol on February 14, 2018, 03:59:34 pm
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server.
No, they should not.

Quote from: dcol on February 14, 2018, 03:59:34 pm
So I now let them in but hardened my GeoIP block and added firehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IPs.
Yes, you should block all inbound port 53 and, as has already been said, you should never allow a local DNS server to be seen by anything on the internet. I run a local DNS server and I have no specific ports open (inbound or outbound) that relate to DNS; my systems all work fine.

Just out of interest, is your DNS server located on the LAN or WAN interface?
Regards


Bill

dcol

Re: Port 53 flood on IPS
« Reply #13 on: February 14, 2018, 08:31:58 pm »
Don't have a DNS server; I use Outbound (DNS Resolver) and the ISP DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers.

phoenix

Re: Port 53 flood on IPS
« Reply #14 on: February 14, 2018, 08:44:26 pm »
Quote from: dcol on February 14, 2018, 08:31:58 pm
Don't have a DNS server; I use Outbound (DNS Resolver) and the ISP DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers.
You should not need to 'allow' any DNS servers access to anything inside your network. As I mentioned, I use a DNS Authoritative Server and DNS Recursor inside my LAN and no external server needs specific access to my recursor.
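The point made in the last few replies, that replies to the resolver's own queries come back on state and therefore need no inbound allow for port 53, not even for the ISP's resolvers, can be shown with a small model of a stateful UDP filter. The code below is an added example, not pf or OPNsense code: it keeps a state table keyed on the outbound query's addresses and ports, lets an inbound packet through only if it matches an existing entry, and blocks everything else arriving on the WAN side, including packets that merely look like replies (source port 53, matching ephemeral port) from a host we never asked. It also models the state timeout, which reproduces the late-reply effect described earlier in the thread. The addresses are constructed: 98.100.100.100 is the local address from the alert sample, 203.0.113.53 is a placeholder ISP resolver, 89.238.172.15 is one of the blocked sources from the sample, and the 60 second timeout is an assumption rather than pf's actual UDP timeouts.

```python
"""Model of stateful handling of DNS (UDP/53) on a WAN interface (added example, not pf code)."""
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 60.0  # seconds; assumed value, pf's real UDP timeouts differ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN/firewall -> WAN, "in" = WAN -> LAN/firewall


class StatefulDnsFilter:
    """Outbound queries create state; inbound packets pass only if they match state."""

    def __init__(self):
        # key: (local_ip, local_port, remote_ip, remote_port) -> expiry time
        self.states = {}
        self.log = []

    def _expire(self, now):
        for key in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[key]

    def handle(self, pkt, now):
        self._expire(now)
        if pkt.direction == "out":
            # The usual LAN-to-any pass rule: allow and record state for the reply.
            self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + UDP_STATE_TIMEOUT
            self.log.append(("pass", "outbound", pkt))
            return "pass"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states:
            # Reply to our own query: matched purely on state, no WAN rule involved.
            self.states[key] = now + UDP_STATE_TIMEOUT
            self.log.append(("pass", "matched-state", pkt))
            return "pass"
        # No state and no WAN pass rule for port 53: blocked, and this is what the
        # alert view shows. Record why, so a triage log can tell the cases apart.
        if pkt.sport == 53:
            reason = "unsolicited-reply"
        elif pkt.dport == 53:
            reason = "inbound-query"
        else:
            reason = "no-state"
        self.log.append(("block", reason, pkt))
        return "block"


def run_scenario():
    """Walk through the cases discussed in the thread and return each verdict."""
    fw = StatefulDnsFilter()
    local, isp_dns, stray = "98.100.100.100", "203.0.113.53", "89.238.172.15"
    results = {}
    # 1. Our resolver sends a query out; that creates the state entry.
    results["query_out"] = fw.handle(Packet(local, 36400, isp_dns, 53, "out"), now=0.0)
    # 2. The real reply is let in on state alone; no allow rule for the ISP resolver needed.
    results["reply_in"] = fw.handle(Packet(isp_dns, 53, local, 36400, "in"), now=0.1)
    # 3. A packet from another host shaped like a reply (sport 53, same ephemeral port)
    #    has no matching state and is blocked.
    results["unsolicited_reply"] = fw.handle(Packet(stray, 53, local, 36400, "in"), now=0.2)
    # 4. An inbound query aimed at our resolver is blocked: nothing on WAN allows port 53.
    results["inbound_query"] = fw.handle(Packet(stray, 41234, local, 53, "in"), now=0.3)
    # 5. A reply arriving after the UDP state expired is blocked too, and shows up as a
    #    blocked port-53 entry even though it came from the resolver we asked.
    fw.handle(Packet(local, 42588, isp_dns, 53, "out"), now=1.0)
    results["late_reply"] = fw.handle(
        Packet(isp_dns, 53, local, 42588, "in"), now=1.0 + UDP_STATE_TIMEOUT + 5)
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    for entry in log:
        print(entry)
```

Case 2 is why an explicit inbound allow for the ISP's resolvers is unnecessary, and cases 3 and 4 are why a blanket inbound block on port 53 costs nothing for a resolver that only serves the inside. Case 5 is worth keeping in mind when reading the alert view: a small number of blocked entries from the configured resolvers is expected after slow or retransmitted answers, while a steady stream from addresses the firewall never queried is not.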

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved