Hey BarryG,
thanks for your answer.
Spread over the whole day, I have several DNS "attacks" on two of my public IP addresses. Currently we provide two public DNS servers behind the DMZ, which are only responsible for a few domains. For that, there is a DNAT rule:
ANY - DNS (53) - public ip (address)
Auto firewall: no
Initial Log: no
Additionally, I have defined a new packet filter for that:
Internet IPv4 - DNS (53) - internal host
However, normally all incoming requests on port 53 to the correct public IP address should be processed and match the rule, right?
Why then do I see these entries in the log files as a default drop? I'm a little bit confused... :)
Default DROP UDP 111.111.111.118 : 58108 → 123.123.123.5 : 53
Over the day the firewall drops between 200,000 and 800,000 requests on port 53 destined for the public DNS servers.
I'm wondering why the IPS does not intervene and detect the requests. Some days the system detects 2-3 "DNS amplification attempts". The requests come from various IP addresses. There is no visible pattern; they are really random. Otherwise I would give the country-blocking feature a try. The requests sometimes go on for up to 1-2 hours.... :-(
Any idea?
Thanks!
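The post quotes one "Default DROP" line and says the sources look random. The script below is an added example (not the poster's code, and not a feature of the firewall product discussed) that parses log lines in exactly that quoted format and aggregates them: drops per source, drops per destination, whether a drop hit an address that the DNAT rule is supposed to cover, sources that could only be spoofed (RFC 1918, loopback and similar ranges arriving on the Internet side), and a rough label for "one dominant source" versus "widely spread sources". The leading HH:MM:SS timestamp, the sample lines, the two DNAT'd public addresses and the 50 % thresholds are all assumptions made for this example; the RFC 5737 documentation ranges stand in for public hosts.

```python
"""Aggregate 'Default DROP' firewall log lines for UDP/53 and characterise the sources.
Added example; the log format follows the line quoted in the post."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Line shape as quoted in the post. The leading HH:MM:SS timestamp is an ASSUMPTION
# for this example (the quoted line had none); '->' is accepted as well as '→'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+Default DROP\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+)\s*:\s*(?P<sport>\d+)\s*(?:→|->)\s*"
    r"(?P<dst>[\d.]+)\s*:\s*(?P<dport>\d+)\s*$"
)

# Ranges that can never legitimately be a source on an Internet-facing interface;
# a hit means the packet was spoofed (or the log came from the wrong interface).
# Listed explicitly instead of using ipaddress.is_private, because that also flags the
# RFC 5737 documentation ranges which the constructed sample uses as public stand-ins.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_line(line):
    """Return a dict for one drop entry, or None if the line has another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["src"]); ip_address(rec["dst"])   # reject e.g. 999.1.1.1
    except ValueError:
        return None
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_bogon(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def summarize(log_text, dnat_dests=(), dns_port=53):
    """Count dropped UDP packets to the DNS port by source and by destination.
    dnat_dests: public addresses the DNAT rule is supposed to cover (assumed set);
    drops to any other address are expected, drops to these are the open question."""
    per_source, per_dest = Counter(), Counter()
    bogon_sources, skipped = set(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1                      # unparseable line, counted but ignored
            continue
        if rec["proto"] != "UDP" or rec["dport"] != dns_port:
            continue                          # parsed fine, just not DNS traffic
        per_source[rec["src"]] += 1
        per_dest[rec["dst"]] += 1
        if is_bogon(rec["src"]):
            bogon_sources.add(rec["src"])
    outside = sum(n for dst, n in per_dest.items() if dnat_dests and dst not in dnat_dests)
    return {"total": sum(per_source.values()), "per_source": per_source,
            "per_dest": per_dest, "drops_to_undnatted": outside,
            "bogon_sources": sorted(bogon_sources), "skipped": skipped}


def classify(per_source, total):
    """Heuristic label (50 % thresholds are an assumption): one dominant source looks
    like a scan or direct flood; many sources with one packet each is what spoofed or
    randomised sources look like, where blocking by origin cannot help."""
    if total == 0:
        return "no port-53 drops"
    top_ip, top_n = per_source.most_common(1)[0]
    if top_n / total >= 0.5:
        return f"dominant single source {top_ip} ({top_n}/{total} packets)"
    if len(per_source) / total >= 0.5:
        return "widely spread sources with few packets each (consistent with spoofed/random sources)"
    return "mixed: a few repeat sources plus scattered ones"


# Constructed sample in the quoted format (not real log data). 123.123.123.5/.6 play the
# two DNAT'd public addresses; .9 has no DNAT rule; 10.0.0.7 is an impossible source.
SAMPLE_LOG = """\
09:14:01 Default DROP UDP 111.111.111.118 : 58108 → 123.123.123.5 : 53
09:14:01 Default DROP UDP 111.111.111.118 : 58109 → 123.123.123.5 : 53
09:14:02 Default DROP UDP 111.111.111.118 : 58110 → 123.123.123.6 : 53
09:14:02 Default DROP UDP 198.51.100.23 : 40001 → 123.123.123.5 : 53
09:14:03 Default DROP UDP 203.0.113.9 : 40002 → 123.123.123.5 : 53
09:14:03 Default DROP UDP 198.51.100.77 : 40003 → 123.123.123.6 : 53
09:14:04 Default DROP UDP 203.0.113.41 : 40004 → 123.123.123.5 : 53
09:14:04 Default DROP UDP 198.51.100.150 : 40005 → 123.123.123.5 : 53
09:14:05 Default DROP UDP 203.0.113.200 : 40006 → 123.123.123.9 : 53
09:14:05 Default DROP UDP 10.0.0.7 : 40007 → 123.123.123.5 : 53
09:14:06 Default DROP TCP 203.0.113.9 : 40008 → 123.123.123.5 : 443
09:14:06 Default DROP UDP 198.51.100.23 : 40009 → 123.123.123.5 : 123
this line is not a firewall drop entry
"""

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG, dnat_dests={"123.123.123.5", "123.123.123.6"})
    print(f"UDP/53 drops: {r['total']}, distinct sources: {len(r['per_source'])}, "
          f"to non-DNAT'd addresses: {r['drops_to_undnatted']}, skipped lines: {r['skipped']}")
    print("per destination:", dict(r["per_dest"]))
    print("top sources:", r["per_source"].most_common(3))
    print("spoofed-by-definition sources:", r["bogon_sources"])
    print("verdict:", classify(r["per_source"], r["total"]))
```

Run it against a day's export of the drop log (with the real timestamp format substituted in LINE_RE) and look at two numbers first: how many drops hit the addresses the DNAT rule covers versus other addresses, and how many distinct sources there are relative to the packet count. In a DNS reflection/amplification attack the queries carry the victim's address as the spoofed source, so the "sources" the firewall logs are as random as the victims are; the bogon list catches only the crude cases, and a country-blocking rule keyed on those addresses would block the victims, not the attacker.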