ISC BIND - Guard to protect your DNS server - Freeware
for UNIX operating systems like FreeBSD and Linux distributions.
Preamble
This tool ("Bind Guard") helps you to protect your "ISC BIND"-based DNS server (running as a public / open resolver) by detecting DDoS attacks and preventing DNS amplification. Once an attack has been detected, the unfriendly remote host is blocked without any firewall rules. "Bind Guard" is easy to configure and uses the internal ACL features of BIND (aka named).

This tool is the result of a previous attack on my private DNS server and was written completely in C. It's very fast and doesn't need many system resources. For any questions please feel free to contact me by sending an email to my RIPE handle ORS6-RIPE (or to bindguard.at.activezone.de).

"Bind Guard" (aka bindguard) is absolutely Freeware.

NEWS:
BIND/Guard Next Generation was started on April 30, 2013 and is based on a multithreaded daemon with PCAP support.
You can run this completely re-designed program at any place in your network where DNS traffic can be captured.
A new BGChelper process operates on your DNS server or firewall device as the control process over your traffic.
Stay tuned!

Best regards,
Markus

How does "Bind Guard" work?
In the last weeks one of my three DNS servers was under a massive DoS attack. Every second the "named" process received over 500 queries from different clients around the world. The queries always contained requests with the same lookup for the name "IN ANY RIPE.NET". The result of this attack is the tool "Bind Guard", which is now installed on all of my servers to protect their resources.

"Bind Guard" is designed to analyze the current "queries.log" of your local named process. Every DNS event is parsed and stored in an internal database (record chain) using a fast hash function. After the first record for a combination of Host, Domain and QueryType has been stored in the database, the "Bind Guard" child process holds it in memory for a while. Whenever this combination is detected for the same host again, the tool increments its counter.

The data structure contains: Repeat-Counter, Block-Flags, Timestamps for Creation and Updates. Clients that start attacks against your named are counted, and once a computed Rate-Limit is exceeded the client is blocked. Blocking means that "Bind Guard" creates ACLs in the "bogon" configuration part of BIND. On every blocking action "Bind Guard" calls "rndc reconfig" via the libc function "system()" to begin a soft reconfiguration of your bind. All internal queries from localhost (127.0.0.1) are ignored.

"Bind Guard" is unable to stop the DoS attack against your server, but it reduces the CPU load and saves your disk space.

This tool is designed as a daemon with built-in watchdog functionality. After the process is started it does a double fork(). The first fork() detaches "Bind Guard" from the calling shell/process. The second fork() starts the "worker-child" process and waits for it. Whenever the child has an internal problem (e.g. SEGFAULT), the mother process restarts the child process and the work begins again.
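The double fork() and child watchdog described above, written out as an added example (this is not Bind Guard's source code): bg_daemonize() is the first fork that detaches from the calling shell, bg_supervise() is the second fork that starts the worker and restarts it whenever it ends by a signal or with a non-zero exit status. The worker body, its constructed crash and the restart limit are assumptions made for the demonstration; a production daemon would also add a delay or backoff between restarts so that a child failing at once does not spin.

```c
/* Added example, not Bind Guard's own source: the double fork() and watchdog
 * pattern the page describes. The worker and its failure are constructed. */
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Second fork: run worker(attempt) in a child and restart it while it dies
 * abnormally (killed by a signal or non-zero exit), at most max_restarts times.
 * Returns the number of restarts performed, or -1 if fork()/waitpid() fails. */
int bg_supervise(int (*worker)(int), int max_restarts)
{
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) _exit(worker(restarts));              /* the worker-child */
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) return -1;        /* mother waits for it */
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return restarts;                                /* clean shutdown */
        if (restarts >= max_restarts) return restarts;      /* give up */
        restarts++;                                         /* e.g. SEGFAULT: start again */
    }
}

/* First fork: detach from the calling shell. The parent exits, the child
 * becomes a session leader and goes on to act as the mother process. */
int bg_daemonize(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid > 0) _exit(0);                                  /* return control to the shell */
    return setsid() < 0 ? -1 : 0;
}

/* Constructed worker: crashes on its first two attempts, then finishes cleanly. */
static int crashy_worker(int attempt)
{
    if (attempt < 2) {
        struct rlimit rl = {0, 0};
        setrlimit(RLIMIT_CORE, &rl);                        /* no core file for the demo crash */
        raise(SIGSEGV);                                     /* simulate the internal problem */
    }
    return 0;
}

/* Constructed worker that never fails. */
static int clean_worker(int attempt) { (void)attempt; return 0; }

int main(void)
{
    if (bg_daemonize() < 0) return 1;
    int n = bg_supervise(crashy_worker, 5);
    fprintf(stderr, "worker finished after %d restart(s)\n", n);   /* 2 */
    return 0;
}
```

Running it detaches from the terminal, so the result line goes to stderr; the mother process only ever sees the child's exit status, which is why the restart decision is made on WIFEXITED/WEXITSTATUS rather than on anything the child prints.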

ATTENTION:
Whenever you find bad queries in your BIND log file, remember that the source addresses may be spoofed: in a reflection attack the address in the log can belong to the victim rather than the attacker, so a block based on it hits the wrong party.



How many system resources are needed?
On startup "Bind Guard" initializes a hash array with a size of 32768 entries (0.25 MB is used). Every entry in the database uses 20 bytes or more. The expiration time is currently defined as 10 minutes. Only entries marked as "blocked" are stored permanently in the database; all other entries are removed when the expiration time is reached. "Bind Guard" doesn't need "tail" or any other shell commands to work (no pipes). Only "rndc" must be available to reconfigure the bind at runtime. "Bind Guard" reports the current state to your syslog every 60 seconds (see below). Logging to syslogd can later be enabled/disabled with a simple "kill -SIGUSR1" to the PID of the child process. When syslog logging is disabled, the process writes a small statistics block every 10 minutes (runtime in days, hours ..., PID, counters). If logging to syslog is enabled on startup, these statistics are printed every 60 seconds.

TakeOver Function?
This software was written to operate permanently in your environment. After a long time "Bind Guard" holds a more or less large database of possible "bad guys" and statistics in memory. If you want to update your current version, the software has a "TakeOver" mode (option -T). That means the previous process writes the database, statistics, offset into the logfile and other parameters to a temporary binary file in /tmp. The next process (started with option -T) waits for the previous process and then reads this information into its own memory to continue the work from the last point. This works fine!

This is some output from the currently running process with PID 41336 (logging to syslog disabled; stats every 10 minutes):
Aug 22 08:46:14 svr3 BindGuard: Stats (PID 41336): 102 entries, 8570 updates, 16011 ignored, 0 blocked, 31375 events parsed.
Aug 22 08:46:14 svr3 BindGuard: Used Memory: 0.27 MByte (Index: 262144 Bytes / Entries: 18040 Bytes)
Aug 22 08:46:14 svr3 BindGuard: Version 0.60, Uptime: 2 days, 23 hours, 0 minutes, 4 seconds
Aug 22 08:56:14 svr3 BindGuard: Stats (PID 41336): 24 entries, 8570 updates, 16269 ignored, 0 blocked, 31646 events parsed.
Aug 22 08:56:14 svr3 BindGuard: Used Memory: 0.25 MByte (Index: 262144 Bytes / Entries: 4143 Bytes)
Aug 22 08:56:14 svr3 BindGuard: Version 0.60, Uptime: 2 days, 23 hours, 10 minutes, 4 seconds
Aug 22 09:06:14 svr3 BindGuard: Stats (PID 41336): 15 entries, 8576 updates, 16396 ignored, 0 blocked, 31793 events parsed.
Aug 22 09:06:14 svr3 BindGuard: Used Memory: 0.25 MByte (Index: 262144 Bytes / Entries: 2563 Bytes)
Aug 22 09:06:14 svr3 BindGuard: Version 0.60, Uptime: 2 days, 23 hours, 20 minutes, 4 seconds
Logging to syslog was enabled with the command "kill -SIGUSR1 41336":
Aug 22 09:14:40 svr3 BindGuard: Logging to syslog enabled.
With the following command a new process was started:
/usr/sbin/bindguard -s -d -l /etc/namedb/log/queries -b /etc/namedb/conf/bogon.conf -i x.x.x.x -T
The new process has started and forks a child process with the PID 51733:
Aug 22 09:15:03 svr3 BindGuard: ISC Bind Guard (Master): Child process created with PID 51733
Aug 22 09:15:03 svr3 BindGuard: ISC Bind Guard Version 0.60 (Build 2012082102) for FreeBSD 64-bit
Aug 22 09:15:03 svr3 BindGuard: (C) Copyright 2012 by markusgrundmann.com - All rights reserved.
Aug 22 09:15:03 svr3 BindGuard: ---Running with PID 51733 ---
The next lines inform you about the state of the takeover procedure:
Aug 22 09:15:03 svr3 BindGuard: Attention: Bind Guard switching into takeover mode.
Aug 22 09:15:03 svr3 BindGuard: Hash size limit is set to 32768 entries (using 262144 bytes)
Aug 22 09:15:03 svr3 BindGuard: Sending signal to PID 41336 for initialize takeover procedure ...
The process with PID 41336 has received the signal ...
Aug 22 09:15:03 svr3 BindGuard: Active Bind Guard (PID 41336) switching to takeover procedure ...
Aug 22 09:15:03 svr3 BindGuard: 12 database objects dumped to '/tmp/.bindguard41336-takeover.db'
The previous process with PID 41336 goes down ...
Aug 22 09:15:03 svr3 BindGuard: Database dumped & Operational mode left. Shutdown.
Aug 22 09:15:03 svr3 BindGuard: ISC Bind Guard (Master): Child (PID 41336) terminated normally.
The new process reads the state and database of the previous process ...
Aug 22 09:15:08 svr3 BindGuard: Database dump from PID 41336 version 0.60 found.
Aug 22 09:15:08 svr3 BindGuard: 12 objects loaded from previous process.
---
Aug 22 09:16:08 svr3 BindGuard: Stats (PID 51733): 13 entries, 8578 updates, 16422 ignored, 0 blocked, 31828 events parsed.
Aug 22 09:16:08 svr3 BindGuard: Used Memory: 0.25 MByte (Index: 262144 Bytes / Entries: 2249 Bytes)
Aug 22 09:16:08 svr3 BindGuard: Version 0.60, Uptime: 2 days, 23 hours, 29 minutes, 58 seconds
Aug 22 09:16:08 svr3 BindGuard: Removing expired entry (800c56040) for Host 81.xx.xx.19
Aug 22 09:16:08 svr3 BindGuard: Removing expired entry (800c56100) for Host 2X01:4f8:xx:2c0::201X
Aug 22 09:16:08 svr3 BindGuard: Removing expired entry (800c561c0) for Host 2X01:4f8:xx:2c0::201X

Example Output For A Blocked Host
This example shows a real blocking operation of Bind Guard compiled with GeoIP support:
Mar 27 17:32:34 BindGuard: Host 208.64.27.138 (8011dc460) with query 'isc.org', type 'IN ANY +ED' added.
Mar 27 17:32:34 BindGuard: Country code for this host: (US) United States
Mar 27 17:32:44 BindGuard: WARNING: Host 208.64.27.138 (8011dc460) is now blocked (139 queries in 10 secs) +log
Mar 27 17:32:44 BindGuard:                     Location of blocked host: (US) United States
Mar 27 17:32:44 BindGuard:                     DNS Reverse Entry: v29.sioru.com
Mar 27 17:32:56 BindGuard: Removing expired entry (8011dc340) for Host 66.220.144.147
Mar 27 17:32:56 BindGuard: Removing expired entry (8011dc700) for Host 66.220.144.146
Mar 27 17:32:56 BindGuard: Stats (PID 34874): 757 entries, 516709 updates, 880000 ignored, 746 blocked, 1471078 events parsed.
Mar 27 17:32:56 BindGuard: Used Memory: 0.24 MByte (Index: 131072 Bytes, Free: 15628 / Entries: 124953 Bytes)
Mar 27 17:32:56 BindGuard: - Entry #40185 (8011dc460): IP 208.64.27.138 (hash: 137) after 139 times at 1364401964
Mar 27 17:32:56 BindGuard: 1 entries found.
Mar 27 17:32:56 BindGuard: Version 0.69, Uptime: 10 weeks, 6 days, 9 hours, 4 minutes, 38 seconds

Features planned
- In the next release "Bind Guard" contains a signal handler that allows switching the logging on/off at any time while the process is running (done; since 0.59).
- New hash function without collisions for the hash buckets.
- "TakeOver" function. This feature allows a non-interrupted update to a new version. All data is moved to the new process (done; since 0.59).
- Configurable dynamic hash table since 0.63-beta (stable since 0.66)
- Non-blocking file I/O (since 0.63-beta)
- Control interface via shared memory (since 0.63-beta); bgctl.c published.
- Some external commands implemented: SHOW DB, SHOW BLOCKED, DUMP DB ...
- GeoIP support added (since 0.68)
- Bindguard is now ready to run in an alternate user context (switch -u)
- "Quiet Mode" for high-throughput production environments (switch -q) added in version 0.71
- BIND log rotation is now handled by bindguard 0.71 (Build 2013040200). Thanks to Alain Hebert.
- Option '-p' was added to set an alternate PID file.

Known bugs
- The hash function has no checks for "possible" collisions on heavily loaded servers.
- GeoIP support for IPv6 source addresses is not finally implemented / handled.

Where can I download the source code?
The source code is available for download (see download section below).

Configuration / Examples
Syslog example (version 0.58) of two logging Bind Guard processes:
Aug 15 08:52:41 srv1 BindGuard: Host 81.xx.22x.xx (#66) with query 'www.jinx.com', type 'IN A +' added.
Aug 15 08:52:41 srv1 BindGuard: Host 81.xx.22x.xx (#67) with query 'www.riotgames.com', type 'IN A +' added.
Aug 15 08:52:48 srv1 BindGuard: Host 81.xx.22x.xx (#68) with query 'static.chartbeat.com', type 'IN A +' added.
Aug 15 08:52:48 srv1 BindGuard: Host 81.xx.22x.xx (#69) with query 'ping.chartbeat.net', type 'IN A +' added.
Aug 15 08:53:01 srv2 BindGuard: Stats (PID 41441): 2 entries, 30 updates, 19758 ignored, 0 blocked, 20050 events parsed.
Aug 15 08:53:01 srv2 BindGuard: Memory in use:   8.00 MB (Index: 8388608 Bytes / Entries: 181 Bytes), Runtime: 49024 secs
Aug 15 08:53:01 srv2 BindGuard: Removing expired entry (#3) for Host 95.108.158.240
Aug 15 08:53:07 srv1 BindGuard: Stats (PID 36843): 69 entries, 601 updates, 1185 ignored, 0 blocked, 2751 events parsed.
Aug 15 08:53:07 srv1 BindGuard: Memory in use:   8.01 MB (Index: 8388608 Bytes / Entries: 11957 Bytes), Runtime: 35820 secs
Important:
- Please use the latest version of BIND (e.g. 9.9.x)
- Bind Guard works as a parser for the BIND logfile. Please check that your log file has the following format:
  27-Mar-2013 18:20:08.926 client a.b.c.d#48245 (domain.tld): query: some.domain.tld IN AAAA + (a.b.c.d)

Example for "named.conf"
Additionally we need a "blackhole" part and an "include" statement that imports the "bogon.conf" file.
options { 
        directory "/etc/namedb/";
        allow-query { ...; };

        allow-recursion { 
                "your local network";
        };

        notify yes;
        allow-transfer {
                "only special hosts";
        }; 

        blackhole {
                "bogon";
        };
};

logging {

        channel logfilequeries {
                file "log/queries";
                severity debug 1;
                print-time yes;
        };
};

include "conf/bogon.conf";
Example for the "bogon.conf"
This file is permanently updated by Bind Guard whenever a host must be blocked.
acl "bogon" {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
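How the pieces described on this page fit together, as an added example that is not Bind Guard's own source: it parses query-log lines in the format shown under "Important", keys each event on Host + Domain + QueryType as the "How does it work" section describes, counts repeats, blocks a host once a limit of repeats within a time window is exceeded, and renders the acl "bogon" block in the form of the bogon.conf above. A linear scan stands in for the real hash table; the limit, the window and the log lines are constructed; expiration, takeover and the actual file rewrite with the "rndc reconfig" call are left out.

```c
/* Added example, not Bind Guard's own source: the log-driven rate limiter the page
 * describes, reduced to its core. Assumed: the query-log line format shown on this
 * page, a linear scan in place of the real hash table, constructed limits and lines. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <time.h>

#define BG_SLOTS 256   /* example capacity (Bind Guard itself uses a 32768-slot hash) */

struct bg_entry {                        /* one Host + Domain + QueryType combination */
    char host[64], qname[256], qtype[32];
    unsigned count;                      /* Repeat-Counter */
    time_t created, updated;             /* creation and last-update timestamps */
    unsigned char used, blocked;         /* slot in use / Block-Flag */
};
struct bg_table { struct bg_entry slot[BG_SLOTS]; unsigned blocked; };

/* Parse one "queries" channel line into host[64], qname[256], qtype[32] and the
 * event time; returns 0 if the line is not a query line. */
int bg_parse(const char *line, char *host, char *qname, char *qtype, time_t *when)
{
    struct tm tm = {0};
    const char *c = strstr(line, " client "), *q = strstr(line, " query: ");
    if (!c || !q || !strptime(line, "%d-%b-%Y %H:%M:%S", &tm)) return 0;
    tm.tm_isdst = -1; *when = mktime(&tm);
    c += 8; size_t n = strcspn(c, "#");                  /* host ends at "#port" */
    if (n == 0 || n >= 64 || c[n] != '#') return 0;
    memcpy(host, c, n); host[n] = 0;
    q += 8; n = strcspn(q, " ");                         /* queried name */
    if (n == 0 || n >= 256 || q[n] != ' ') return 0;
    memcpy(qname, q, n); qname[n] = 0;
    q += n + 1; const char *end = strstr(q, " (");       /* "IN ANY +ED" runs up to " (" */
    n = end ? (size_t)(end - q) : strlen(q);
    if (n == 0 || n >= 32) return 0;
    memcpy(qtype, q, n); qtype[n] = 0;
    return 1;
}

/* Feed one log line: 0 ignored, 1 added, 2 counted, 3 newly blocked. A combination
 * repeated `limit` times within `window` seconds marks the host as blocked. */
int bg_observe(struct bg_table *tb, const char *line, unsigned limit, unsigned window)
{
    char host[64], qname[256], qtype[32]; time_t now;
    if (!bg_parse(line, host, qname, qtype, &now)) return 0;
    if (!strcmp(host, "127.0.0.1") || !strcmp(host, "::1")) return 0;  /* local queries ignored */
    struct bg_entry *e, *spare = NULL;
    for (unsigned i = 0; i < BG_SLOTS; i++) {
        e = &tb->slot[i];
        if (!e->used) { if (!spare) spare = e; continue; }
        if (strcmp(e->host, host) || strcmp(e->qname, qname) || strcmp(e->qtype, qtype)) continue;
        if ((unsigned)(now - e->created) > window) { e->created = now; e->count = 0; } /* new window */
        e->count++; e->updated = now;
        if (e->blocked || e->count < limit) return 2;
        e->blocked = 1; tb->blocked++; return 3;         /* rate limit exceeded: block this host */
    }
    if (!spare) return 0;                                /* table full: treated as ignored */
    strcpy(spare->host, host); strcpy(spare->qname, qname); strcpy(spare->qtype, qtype);
    spare->used = 1; spare->blocked = 0; spare->count = 1; spare->created = spare->updated = now;
    return 1;
}

/* Render acl "bogon": the static networks plus every blocked host. Returns the
 * length written, or -1 if `out` is too small. */
int bg_format_acl(const struct bg_table *tb, char *out, size_t n)
{
    int len = snprintf(out, n, "acl \"bogon\" {\n10.0.0.0/8;\n172.16.0.0/12;\n192.168.0.0/16;\n");
    for (unsigned i = 0; i < BG_SLOTS && len >= 0 && (size_t)len < n; i++)
        if (tb->slot[i].used && tb->slot[i].blocked)
            len += snprintf(out + len, n - len, "%s;\n", tb->slot[i].host);
    if (len < 0 || (size_t)len >= n) return -1;
    len += snprintf(out + len, n - len, "};\n");
    return (size_t)len < n ? len : -1;
}

struct bg_table demo_tb;   /* file scope: too large for the stack */
char demo_acl[512];

/* Feeds constructed lines (not real traffic) with a limit of 3 repeats per 10 s;
 * returns the number of block decisions and leaves the ACL text in demo_acl. */
int bg_demo(void)
{
    static const char *lines[] = {
        "27-Mar-2013 17:32:34.100 client 192.0.2.10#48245 (isc.org): query: isc.org IN ANY +ED (198.51.100.1)",
        "27-Mar-2013 17:32:34.300 client 127.0.0.1#53001 (localhost): query: localhost IN A + (127.0.0.1)",
        "27-Mar-2013 17:32:35.100 client 192.0.2.10#48246 (isc.org): query: isc.org IN ANY +ED (198.51.100.1)",
        "27-Mar-2013 17:32:35.400 client 192.0.2.20#61000 (example.com): query: www.example.com IN A + (198.51.100.1)",
        "27-Mar-2013 17:32:36.100 client 192.0.2.10#48247 (isc.org): query: isc.org IN ANY +ED (198.51.100.1)",
        "27-Mar-2013 17:32:36.200 client 192.0.2.10#48248 (isc.org): query: isc.org IN ANY +ED (198.51.100.1)",
    };
    int blocks = 0;
    memset(&demo_tb, 0, sizeof demo_tb);
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        if (bg_observe(&demo_tb, lines[i], 3, 10) == 3) blocks++;
    bg_format_acl(&demo_tb, demo_acl, sizeof demo_acl);
    return blocks;
}

int main(void)
{   /* a real daemon would next rewrite bogon.conf atomically and run "rndc reconfig" */
    printf("%d block decision(s)\n%s", bg_demo(), demo_acl); return 0;
}
```

In the constructed run only 192.0.2.10 reaches the limit (three identical "isc.org IN ANY +ED" lookups inside two seconds), so the rendered ACL lists the three private networks followed by that single host; the localhost query is ignored and the one-off query from 192.0.2.20 is merely counted. The window reset in bg_observe is what turns the counter into a rate: a host repeating a query slowly never accumulates enough hits to be blocked.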
How to use a firewall script?
The second option to block bad hosts can be found here: FreeBSD IPFW Example Script

How to start "Bind Guard" on reboot?
This is my command line to start the software. The option '-s' is for logging to syslog. The second option '-d' detaches the mother process from the calling shell/init. With the third option '-l' we define where "Bind Guard" finds the query log of the named process. The option '-b' does the same for the bogon.conf. With option '-i' you can define 0..n strings with local networks. Internally this is a simple string compare, and every log line matching one of these strings is ignored by "Bind Guard".
/usr/sbin/bindguard -s -d -l /etc/namedb/log/queries -b /etc/namedb/conf/bogon.conf -i a.b.c.d -i d.c.b.ai [..]

[FreeBSD]
$ grep guard /etc/rc.conf
bindguard_enable="YES"

$ cat /etc/rc.d/bindguard
/usr/sbin/bindguard -s -d -l /etc/namedb/log/queries -b /etc/namedb/conf/bogon.conf -i <your_net>

Download
Here you can download the latest stable version 0.69 (Build 2013030501) of the software.
Please select your favorite operating system. Currently the following builds are available ...

Current development version (Source): 0.73 (Build 2013043000) - See also Change log


Binary for FreeBSD 8.x and higher ( 64-bit )
Download  bindguard-0.69-FreeBSD-amd64.bin
MD5-Checksum: 89ba5c152bbfe41668da66ae37d28c1f

ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 8.3, not stripped


Binary for FreeBSD 7.4, 8.2 and higher ( 32-bit )
Download bindguard-0.66-FreeBSD-i386.bin
MD5-Checksum: 54021ba6b70e0d9bb214ab22664a1ba8

ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 7.4, not stripped


Binary for Fedora / Debian / CentOS and other Linux OS ( 64-bit )
Download bindguard-0.69-Linux-x86_64.bin
MD5-Checksum: 48310bc9c723ea5a1e36117c05b44248

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped

Download bindguard-0.69-Linux-x86_64-CentOS-2.6.32.bin
MD5-Checksum: 2d47d7d1518bcf7d04fb2e4242e9eba6

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped



All other versions can be found at http://bindguard.activezone.de/binaries/
© Copyright 2012, 2013 by Markus Grundmann, Germany.
All rights reserved.


This website was last modified at May 03 2013 00:00