I currently run a self-hosted AdGuard server and I’ve noticed a series of random and spammy DNS requests coming from CF IPs in my logs:
I’ve never visited bodybuilding.com. All 716483 requests logged for this domain are from CF IPs:
<image attached below because apparently I can’t include more than 1 image in a first-time post>
I’ve seen this happen before with other domains, but I can’t remember which ones specifically.
As I type this out, I realise that the requests happen over plain DNS which could mean that this is an attempt at a reflected DDoS. Is this likely to be the case or is there some other reason for these random requests?
Aforementioned below-attached image:
Welcome to the Cloudflare Community.
I don’t have an answer for why you are seeing this traffic. I am curious as to why your DNS resolver accepts queries from anywhere other than your own trusted networks.
Because I use this DNS resolver for blocking ads and DoH/DoT on various devices, some of which are mobile and hence, don’t have fixed IP addresses. Configuring each client to have a unique client ID takes a lot of time and sometimes is not possible as far as I’m aware (Android).
Eventually I intend to connect all my devices to an always-on VPN, but that is still work in progress.
In the meantime, the resolver is open, which I don’t think is inherently a major issue given that many open resolvers exist. Granted, most of them are operated by organisations with the resources to secure them properly.
If indeed this is an attempt at a reflected DDoS (a lousy one though, given that the attacker seems to be targeting multiple servers at the same time and is bouncing off the rate limiter), I think I will just close UDP port 53 for the time being since I only use DoH/DoT anyway and all of those are secure against amplification DDoS attacks.
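As an added illustration of the check this thread turns on (my own example, not code from the post or from AdGuard), here is a small Python filter over AdGuard-style query-log lines that flags names queried over plain, spoofable DNS almost entirely from address ranges you do not expect real clients in; the log field names, the sample records and the placeholder prefix are assumptions.

```python
"""Flag possible DNS reflection abuse in AdGuard Home style query logs."""
import ipaddress
import json
from collections import Counter

# Placeholder prefix standing in for the ranges the operator does not expect
# real clients to come from (constructed; NOT Cloudflare's published list).
UNEXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log. Field names (T, QH, QT, CP, IP) follow AdGuard Home's
# querylog.json as I understand it; CP is "" for plain DNS, "doh"/"dot" otherwise.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"T": "2024-01-01T00:00:00Z", "QH": "bodybuilding.com", "QT": "A", "CP": "", "IP": "192.0.2.10"},
    {"T": "2024-01-01T00:00:01Z", "QH": "bodybuilding.com", "QT": "A", "CP": "", "IP": "192.0.2.11"},
    {"T": "2024-01-01T00:00:02Z", "QH": "bodybuilding.com", "QT": "A", "CP": "", "IP": "192.0.2.10"},
    {"T": "2024-01-01T00:00:03Z", "QH": "bodybuilding.com", "QT": "A", "CP": "", "IP": "192.0.2.12"},
    {"T": "2024-01-01T00:00:04Z", "QH": "bodybuilding.com", "QT": "A", "CP": "doh", "IP": "10.0.0.5"},
    {"T": "2024-01-01T00:00:05Z", "QH": "example.org", "QT": "A", "CP": "", "IP": "10.0.0.5"},
    {"T": "2024-01-01T00:00:06Z", "QH": "example.org", "QT": "AAAA", "CP": "", "IP": "10.0.0.6"},
])

def parse_querylog(text):
    """Yield one record per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def suspicious_domains(text, min_queries=3, min_unexpected_share=0.9):
    """Return {name: (plain_dns_queries, share_from_unexpected_nets)} for names
    queried over plain (spoofable) DNS almost entirely from addresses the
    operator does not expect clients from. Encrypted transports are skipped:
    a DoH/DoT client completed a TLS handshake, so its source is not spoofed."""
    total, unexpected = Counter(), Counter()
    for rec in parse_querylog(text):
        if rec.get("CP", ""):          # "doh", "dot", ... -> not reflection traffic
            continue
        name = rec["QH"].lower()
        total[name] += 1
        addr = ipaddress.ip_address(rec["IP"])
        if any(addr in net for net in UNEXPECTED_CLIENT_NETS):
            unexpected[name] += 1
    flagged = {}
    for name, n in total.items():
        share = unexpected[name] / n
        if n >= min_queries and share >= min_unexpected_share:
            flagged[name] = (n, round(share, 2))
    return flagged

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

A name that is flagged here but is never queried by any of your own devices is a reasonable trigger for the step the post lands on: stop answering plain port 53 from the Internet and keep only the authenticated DoH/DoT listeners.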
That sounds like a good next step.