Why does Cloudflare try to access DNS on my local network?

I use 1.1.1.1 for my home DNS. I notice in my firewall logs that 1.1.1.1 is attempting to access DNS UDP port 53 on my router. This is blocked of course.
I’m just curious why Cloudflare is doing this?

Every day or so there will be hundreds of requests from CF.

I somewhat doubt this is Cloudflare. I wonder whether that couldn't be an attempt of some sort of network amplification attempt against Cloudflare.

DNS generally uses UDP. Are you saying there are inbound DNS requests from 1.1.1.1?

That's what I understand from the OP's description. Incoming UDP packets on port 53.

1 Like

Yes, I receive incoming requests from 1.1.1.1 and 1.0.0.1. Also, my DNS is hosted on Cloudflare.

Presumably for the aforementioned reason. Cloudflare wouldn't send such requests.

I’m curious how an outside attacker could send packets to my network using the IP of 1.1.1.1.

The miracles of UDP :wink:

1 Like

Evil internet.

That's called spoofing. In this case they try to start a DNS amplification attack where a few bits can be amplified up to gigabits.

In short:

Attacker sends a small number of packets to a few (infected) systems. They again send requests to more systems. Once there's enough bandwidth power, the source IPs will be replaced (spoofed) with the desired target IP. In this case 1.1.1.1.

All those machines send tons of requests to thousands of IP addresses on port 53. Misconfigured DNS servers will answer those requests with a few bits. Summarized, they will hit the target (1.1.1.1) with hundreds of Mbit/s or Gbit/s.

This will cause a Denial of Service or at least overutilization of the target's network, slowing down the responses of 1.1.1.1.

They tried to use your connection as a part of an amplification attack.

4 Likes
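The distinction that matters in the OP's firewall logs is the direction of the port-53 traffic: replies from a resolver you use arrive with source port 53 (normal), whereas packets from 1.1.1.1 addressed to port 53 on your router are queries that a public resolver would never originate, which is the tell for a spoofed source address. The script below, an added example that is not from this thread or from Cloudflare, makes that classification over a constructed firewall log. The log line format, the sample lines, the router address 203.0.113.10 and the resolver list are all assumptions made for the example; adapt the regular expression to your firewall's real log format.

```python
"""
Added example (not from the forum thread): classify UDP port-53 traffic in a
firewall log to separate legitimate resolver replies from queries that arrive
with a public resolver's address as the source, the pattern described above.

The log format, sample lines and resolver list are constructed for this
example; change LINE_RE to match your own firewall's output.
"""
import re
from collections import Counter

# Public recursive resolvers never originate DNS queries toward a home router,
# so a packet *from* one of these *to* our port 53 is almost certainly spoofed.
# Constructed list for the example.
KNOWN_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed log format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>BLOCK|PASS) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 203.0.113.10 plays the role of the home router's WAN address.
SAMPLE_LOG = """\
2024-05-01T10:00:01 PASS UDP 1.1.1.1:53 -> 203.0.113.10:51234
2024-05-01T10:00:02 BLOCK UDP 1.1.1.1:4455 -> 203.0.113.10:53
2024-05-01T10:00:02 BLOCK UDP 1.1.1.1:4456 -> 203.0.113.10:53
2024-05-01T10:00:03 BLOCK UDP 1.0.0.1:9000 -> 203.0.113.10:53
2024-05-01T10:00:04 PASS UDP 1.0.0.1:53 -> 203.0.113.10:51235
2024-05-01T10:00:05 BLOCK UDP 198.51.100.7:33000 -> 203.0.113.10:53
2024-05-01T10:00:06 BLOCK TCP 1.1.1.1:60000 -> 203.0.113.10:22
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a parsed record by what the port-53 direction tells us."""
    if rec["proto"] != "UDP":
        return "other"
    if rec["sport"] == 53 and rec["dport"] != 53:
        # Source port 53, high destination port: an answer to a query we sent.
        return "dns_reply"
    if rec["dport"] == 53:
        if rec["src"] in KNOWN_RESOLVERS:
            # A query *to* our port 53 claiming to come from a public resolver:
            # the source is spoofed so that any answer we send hits the resolver.
            return "spoofed_query"
        # Unknown sources querying us: a misconfigured or probing host.
        return "inbound_query"
    return "other"


def summarize(log_text):
    """Return (label counts, per-source counts of likely spoofed queries)."""
    counts = Counter()
    per_src = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if label == "spoofed_query":
            per_src[rec["src"]] += 1
    return counts, per_src


if __name__ == "__main__":
    counts, per_src = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:15s} {n}")
    for src, n in per_src.most_common():
        print(f"likely spoofed source {src}: {n} queries to our port 53")
```

The "spoofed_query" label is a strong indicator rather than proof, in line with the caution later in the thread; what it does confirm is that the packets are not replies to anything your network asked for, and that a router which drops them (as the OP's does) is behaving correctly, since answering would turn it into one of the reflectors.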

Very well explained. Just another reason I don’t bother running my own DNS…

1 Like

You can do. But it's important to know how to configure the resolver and protect it. Configure rate limits, lock down to specific net ranges if you want to operate it as an open resolver.
For private setups a VPN is the best way.

I have a pi-hole running on a VM elsewhere and forwarding all requests to 1.1.1.1. All devices at home use it as resolver through a VPN.

1 Like

Thanks for the explanation. That’s one I didn’t know about before.

Cloudflare actually has a dedicated article about that topic

https://www.Cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

I’d be still careful to really declare it such an attack but from your description it was my first guess.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.