
Mitigate DNS DDoS attacks

DNS servers are one of the most critical components of a network, and they must be defended against attacks. One of the most basic types of DNS attacks is the DDoS attack. Attacks of this type are on the rise and can be destructive. You can do the following to mitigate DDoS attacks:

  • Flush negative records.
  • Restrict the time to live (TTL) of negative records.
  • Preserve Citrix ADC memory by limiting the memory consumed by the DNS cache.
  • Retain DNS records in the cache.
  • Enable DNS cache bypass.

You can also limit DNS queries to a single packet and thus prevent Slowloris attacks.

Flush negative records

A DNS attack fills the cache with negative records (NXDOMAIN and NODATA). As a result, responses to legitimate requests are not cached, so new requests are sent to a back-end server for DNS resolution. Responses are therefore delayed.

You can now flush the negative DNS records from the Citrix ADC appliance’s DNS cache.

Flush negative cache records by using the CLI

At the command prompt, type:

flush dns proxyrecords [-type <dnsRecordType>] [-negRecType ( NXDOMAIN | NODATA )]

Example:

flush dns proxyrecords -negRecType NODATA

Flush of negative cache records by using the GUI

  1. Navigate to Configuration > Traffic Management > DNS > Records.
  2. In the details pane, click Flush Proxy Records.
  3. In the Flush Type box, select Negative Records.
  4. In the Negative Records Type box, select either NXDOMAIN or NODATA.

Protection against random subdomain and NXDOMAIN attacks

To prevent random subdomain and NXDOMAIN attacks, you can restrict the DNS cache memory, and you can adjust the TTL values for negative records.

To limit the amount of memory consumed by the DNS cache, you can specify the maximum cache size and the cache size (in MB) for storing negative responses. When either limit is reached, no more entries are added to the cache. Also, syslog messages are logged and, if you have configured SNMP traps, SNMP traps are generated. If these limits are not set, caching continues until the system memory is exhausted.

A higher TTL value for negative records can result in storing records that are not valuable for a long time. A lower TTL value results in sending more requests to the back-end server.

The TTL of a negative record is set to the lesser of the configured TTL value and the "Expires" value of the SOA record.

Note:

  • This limitation is added per packet engine. For example, if the maxCacheSize is set to 5 MB and the appliance has 3 packet engines, the total cache size is 15 MB.
  • The cache size for the negative records must be less than or equal to the maximum cache size.
  • If you reduce the DNS cache memory limit to a value lower than the amount of data already cached, the cache size remains above the limit until the data ages out, that is, until it exceeds its TTL or is flushed (flush dns proxyrecords command, or Flush Proxy Records in the Citrix ADC GUI).
  • To configure SNMP traps, see Configuring the NetScaler to Generate SNMP Traps.

Limit the memory consumed by the DNS Cache by using the CLI

At the command prompt, type:

set dns parameter -maxCacheSize <MBytes> -maxNegativeCacheSize <MBytes>

Example:

set dns parameter -maxCacheSize 100 -maxNegativeCacheSize 25

Limit the memory consumed by the DNS Cache by using the GUI

Navigate to Configuration > Traffic Management > DNS, click Change DNS Settings, and set the following parameters:

  • Max Cache Size in MB
  • Max Negative Cache Size in MB

Restrict the TTL of negative records by using the CLI

At the command prompt, type:

set dns parameter -maxnegcacheTTL <secs>

Example:

set dns parameter -maxnegcacheTTL 360

Restrict the TTL of negative records by using the GUI

  1. Navigate to Configuration > Traffic Management > DNS.
  2. Click Change DNS Settings and set the Max Negative Cache TTL in sec parameter.

Retain DNS records in the cache

An attack can flood the DNS cache with unimportant entries and cause already cached legitimate records to be flushed to make room for the new entries. To prevent attacks from filling the cache with invalid data, you can retain the legitimate records even after they exceed their TTL values.

If you enable the cacheNoExpire parameter, the records currently in the cache are retained until you disable the parameter.

Note:

  • This option can be used only when the maximum cache size is specified (maxCacheSize parameter).
  • If maxnegcacheTTL is configured and cacheNoExpire is enabled, cacheNoExpire takes priority.

Retain DNS records in the cache by using the CLI

At the command prompt, type:

set dns parameter -cacheNoExpire ( ENABLED | DISABLED)

Example:

set dns parameter -cacheNoExpire ENABLED

Retain DNS records in the cache by using the GUI

  1. Navigate to Configuration > Traffic Management > DNS and click Change DNS Settings.
  2. Select Cache No Expire.

Enable DNS cache bypass

For greater visibility and control of DNS requests, set the cacheHitBypass parameter to forward all requests to the back-end servers and allow the cache to be built but not used. After the cache is built, you can disable the parameter so that requests are served from the cache.

Enable DNS cache bypass by using the CLI

At the command prompt, type:

set dns parameter -cacheHitBypass ( ENABLED | DISABLED )

Example:

set dns parameter -cacheHitBypass ENABLED

Enable DNS cache bypass by using the GUI

  1. Navigate to Configuration > Traffic Management > DNS and click Change DNS Settings.
  2. Select Cache Hit Bypass.

Prevent the Slowloris attack

A DNS query spanning multiple packets presents the potential threat of a Slowloris attack. The Citrix ADC appliance can silently drop DNS queries that are split into multiple packets.

You can set the splitPktQueryProcessing parameter to ALLOW or DROP a DNS query if the query is split into multiple packets.

Note: This setting is applicable only for DNS TCP.

Limit the DNS queries to a single packet by using the CLI

At the command prompt, type:

set dns parameter -splitPktQueryProcessing ( ALLOW | DROP )

Example:

set dns parameter -splitPktQueryProcessing DROP

Limit DNS queries to a single packet by using the GUI

  1. Navigate to Configuration > Traffic Management > DNS and click Change DNS Settings.
  2. In the Split Packet Query Processing box, choose ALLOW or DROP.
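The following Python model is an added illustration of the split-packet policy described above; it is constructed for this page and is not Citrix ADC code. DNS over TCP frames every message with a 2-byte big-endian length prefix (RFC 1035, section 4.2.2), so a proxy can tell from the first TCP segment whether the whole query has arrived. The function `process_tcp_query`, its ALLOW/DROP semantics and the minimal query builder are assumptions made for the example; the appliance's internal handling is not documented on this page.

```python
"""Constructed model of splitPktQueryProcessing for DNS over TCP.
Not Citrix ADC code: it shows where the ALLOW/DROP decision for a query
that is split across TCP segments can be taken."""
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query (header + one question), without the TCP length prefix.
    Constructed sample input for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def tcp_frame(message):
    """DNS/TCP framing: 2-byte big-endian length followed by the message."""
    return struct.pack("!H", len(message)) + message


def process_tcp_query(segments, mode):
    """Feed TCP payload segments in arrival order and apply the policy.

    mode: "ALLOW" reassembles a query spread over several segments;
          "DROP" silently discards any query whose frame is not complete
          in the first segment (the page's Slowloris countermeasure).
    Returns ("forwarded", message), ("dropped", None) or ("incomplete", None).
    """
    if mode not in ("ALLOW", "DROP"):
        raise ValueError("mode must be ALLOW or DROP")
    buf = b""
    for seg in segments:
        buf += seg
        if len(buf) >= 2:
            (length,) = struct.unpack("!H", buf[:2])
            if len(buf) >= 2 + length:
                return "forwarded", buf[2:2 + length]   # whole frame present
        # Frame still incomplete after this segment: the query is split.
        if mode == "DROP":
            return "dropped", None
    return "incomplete", None   # ALLOW mode, still waiting for more bytes


if __name__ == "__main__":
    frame = tcp_frame(build_query("www.example.test."))
    print(process_tcp_query([frame], "DROP")[0])                  # forwarded
    print(process_tcp_query([frame[:10], frame[10:]], "DROP")[0])  # dropped
    print(process_tcp_query([frame[:10], frame[10:]], "ALLOW")[0]) # forwarded
```

The decision is made from the length prefix alone, which is why the setting applies only to DNS over TCP: a UDP query is always a single datagram, so there is nothing to reassemble.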

Collect statistics of the DNS responses served from the cache

You can collect statistics of the DNS responses served from the cache. Then use these statistics to create a threshold beyond which more DNS traffic is dropped, and enforce this threshold with a bandwidth based policy. Previously, bandwidth calculation for a DNS load balancing virtual server was not accurate, because the number of requests served from the cache was not reported.

In proxy mode, the Request bytes, Response bytes, Total Packets received, and Total Packets sent statistics are continuously updated. Previously, these statistics were not always updated, particularly for a DNS load balancing virtual server.

Proxy mode also now enables you to determine the number of DNS responses served from the cache. To collect these statistics, the following options have been added to the stat lb vserver <DNSvirtualServerName> command:

  • Requests – Total number of requests received by the DNS or DNS_TCP virtual server. Includes the requests forwarded to the back end and the requests answered from the cache.
  • Vserver hits – Total number of requests forwarded to the back end. The number of requests served from the cache is the difference between Requests and Vserver hits.
  • Responses – Total number of responses sent by this virtual server. For example, if a DNS LB virtual server received 5 DNS requests, forwarded 3 of them to the back end, and served 2 of them from the cache, the corresponding value of each of these statistics would be as follows:
    • Vserver hits: 3
    • Requests: 5
    • Responses: 5
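The following Python model is an added example, constructed for this page and not Citrix ADC code. It ties together the cache controls from the earlier sections (maxCacheSize and maxNegativeCacheSize applied per packet engine, the rule that the negative cache size must not exceed the maximum cache size, a negative-record TTL of the lesser of maxnegcacheTTL and the SOA Expire value, cacheNoExpire and cacheHitBypass) with the Requests, Vserver hits and Responses counters described just above, so the interactions can be checked by hand. The class and function names, the per-entry sizes and the syslog-style event list are assumptions made for the example.

```python
"""Constructed model of the DNS proxy-cache controls and vserver counters
described on this page. Not Citrix ADC code; it reproduces the documented
semantics so they can be exercised with sample queries."""
from dataclasses import dataclass


@dataclass
class DnsParameter:
    max_cache_size_mb: int            # -maxCacheSize (per packet engine)
    max_negative_cache_size_mb: int   # -maxNegativeCacheSize (per packet engine)
    max_neg_cache_ttl: int            # -maxnegcacheTTL, in seconds
    cache_no_expire: bool = False     # -cacheNoExpire
    cache_hit_bypass: bool = False    # -cacheHitBypass

    def validate(self):
        # Documented constraint: negative cache size <= maximum cache size.
        if self.max_negative_cache_size_mb > self.max_cache_size_mb:
            raise ValueError("maxNegativeCacheSize must be <= maxCacheSize")
        return self


def total_cache_size_mb(per_engine_mb, packet_engines):
    """The limit is applied per packet engine: 5 MB on 3 engines caps 15 MB."""
    return per_engine_mb * packet_engines


def negative_record_ttl(params, soa_expire):
    """Negative records live for the lesser of the configured cap and the
    SOA Expire value (assumption: the page's 'TTL value' is maxnegcacheTTL)."""
    return min(params.max_neg_cache_ttl, soa_expire)


@dataclass
class Entry:
    answer: bytes
    negative: bool
    size_mb: float
    expires_at: float


class DnsProxyCache:
    """One packet engine's cache plus the DNS vserver counters."""

    def __init__(self, params, clock):
        self.p = params.validate()
        self.clock = clock          # callable returning seconds (injectable for tests)
        self.entries = {}
        self.events = []            # stands in for the syslog / SNMP trap messages
        self.requests = self.vserver_hits = self.responses = 0

    def _used_mb(self, negative_only):
        return sum(e.size_mb for e in self.entries.values()
                   if e.negative or not negative_only)

    def _fits(self, negative, size_mb):
        if self._used_mb(False) + size_mb > self.p.max_cache_size_mb:
            self.events.append("maxCacheSize reached; entry not cached")
            return False
        if negative and self._used_mb(True) + size_mb > self.p.max_negative_cache_size_mb:
            self.events.append("maxNegativeCacheSize reached; entry not cached")
            return False
        return True

    def _live(self, entry):
        # cacheNoExpire keeps records past their TTL until it is disabled again.
        return self.p.cache_no_expire or self.clock() < entry.expires_at

    def resolve(self, qname, backend, soa_expire=3600, size_mb=0.001):
        """backend(qname) -> (answer, is_negative, record_ttl).
        Returns (answer, "cache" | "backend")."""
        self.requests += 1
        entry = self.entries.get(qname)
        if entry is not None and self._live(entry) and not self.p.cache_hit_bypass:
            self.responses += 1
            return entry.answer, "cache"
        self.vserver_hits += 1              # request forwarded to the back end
        self.entries.pop(qname, None)       # stale or bypassed entry is replaced
        answer, negative, record_ttl = backend(qname)
        ttl = negative_record_ttl(self.p, soa_expire) if negative else record_ttl
        if self._fits(negative, size_mb):
            self.entries[qname] = Entry(answer, negative, size_mb, self.clock() + ttl)
        self.responses += 1
        return answer, "backend"

    def served_from_cache(self):
        """The page's rule: cache-served = Requests - Vserver hits."""
        return self.requests - self.vserver_hits
```

With the page's own scenario (five requests, three forwarded, two answered from the cache) the counters come out as Vserver hits 3, Requests 5, Responses 5, and the cache-served figure is 2. A negative answer cached under a 360-second maxnegcacheTTL is refetched once that time has passed unless cacheNoExpire is enabled, in which case the stale record keeps being served, which is the documented priority of cacheNoExpire over maxnegcacheTTL.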