Protect a DNS server using a Citrix NetScaler


Recently I found out that DNS was a big bandwidth waster on my internet connection. Strange, isn't it? DNS? So I started a network trace on my firewall: someone was abusing one of my DNS servers. I guess it is some kind of malware using my DNS server, but I am not really sure. The domain being queried was X99MOYU.NET, belonging to a Chinese company called ZhuHai NaiSiNiKe. The content of the website is not available (403, Access Denied).

My first idea was to reply with 127.0.0.1 as the DNS response, so I created a zone for this domain and added records. However, they kept sending billions of queries. Answering does not help here: whoever sends the queries is evidently not interested in the answer, and every reply still costs me upstream bandwidth.

The next step was hiding my DNS server behind a Citrix NetScaler, so that all queries have to traverse the NetScaler. It is as easy as that: I created a DNS load balancing virtual server and pointed my external IPs at it. Then I bound a responder policy to it.

I created a responder policy that drops all queries for domains not hosted in my environment. I did this using a NetScaler pattern set, as pattern sets are more efficient and easier to read than an endless expression combining every domain with OR, like:
!(DNS.REQ.QUESTION.DOMAIN.CONTAINS("norz.at") || DNS.REQ.QUESTION.DOMAIN.CONTAINS("norz.cc") || …)
(note the outer negation: the policy must fire, and drop, when the name matches none of the domains).

[Screenshot: DNS-Policy]

[Screenshot: patternSet]

command line:

add policy patset MyDomains
bind policy patset MyDomains norz.co -index 1
bind policy patset MyDomains norz.at -index 2
add responder policy res_pol_dns_invalid_request "!DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(\"MyDomains\")" DROP

My pattern set is called MyDomains, so this policy is applied (and the request dropped) whenever the queried name does not contain any of the strings in MyDomains.

MyDomains contains all the domains I host, like norz.at, norz.cc, … Keep in mind that CONTAINS_ANY is a substring match: a query for a name that merely contains one of these strings passes as well.
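To make the policy's matching behaviour concrete, here is a small Python model of it. This is an added illustration for this page, not NetScaler code and not from the original post. It parses a few constructed query-log lines of the kind a firewall trace would show, finds the busiest name, then evaluates the rule !DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY("MyDomains") against each query; for comparison it also runs a stricter suffix match. The log lines, IP addresses and helper names are assumptions; the pattern-set contents are taken from the post.

```python
"""Model of the post's NetScaler DNS responder policy, in Python.

Added illustration, not NetScaler code. The query log below is constructed
for the example; the pattern-set contents come from the post.
"""
from collections import Counter
import re

# Constructed sample (not a real trace): "<source IP> <qtype> <qname>" per line.
SAMPLE_QUERY_LOG = """\
203.0.113.7 A x99moyu.net
203.0.113.7 A X99MOYU.NET.
203.0.113.7 A x99moyu.net
203.0.113.9 A x99moyu.net
198.51.100.4 A www.norz.at
198.51.100.4 MX norz.cc
198.51.100.5 A norz.com
198.51.100.6 A norz.co.evil.example
"""

# The pattern set "MyDomains" from the post; assumed to list every hosted zone.
MY_DOMAINS = ("norz.co", "norz.at", "norz.cc")

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_query_log(text):
    """Parse the log into (src, qtype, qname) tuples.

    Names are lower-cased and the trailing dot removed, so that
    "X99MOYU.NET." and "x99moyu.net" count as the same name.
    """
    entries = []
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        src, qtype, qname = match.groups()
        entries.append((src, qtype.upper(), qname.lower().rstrip(".")))
    return entries


def top_query_names(entries, n=3):
    """The triage step from the post: which names dominate the query volume."""
    return Counter(qname for _, _, qname in entries).most_common(n)


def contains_any(qname, patset):
    """Model of DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY("MyDomains"):
    true when ANY pattern occurs ANYWHERE in the name (substring match)."""
    return any(pattern in qname for pattern in patset)


def is_hosted_name(qname, patset):
    """Tighter alternative: the name is a hosted zone or a label beneath one."""
    return any(qname == zone or qname.endswith("." + zone) for zone in patset)


def policy_drops(qname, patset, matcher=contains_any):
    """The responder policy rule is '!matcher(...)' with action DROP."""
    return not matcher(qname, patset)


def apply_policy(entries, patset, matcher=contains_any):
    """Split the queries into those the policy answers and those it drops."""
    answered, dropped = [], []
    for _, _, qname in entries:
        (dropped if policy_drops(qname, patset, matcher) else answered).append(qname)
    return answered, dropped


if __name__ == "__main__":
    log = parse_query_log(SAMPLE_QUERY_LOG)
    print("busiest names:", top_query_names(log))
    for label, matcher in (("CONTAINS_ANY", contains_any), ("suffix match", is_hosted_name)):
        answered, dropped = apply_policy(log, MY_DOMAINS, matcher)
        print(f"{label}: answered={sorted(set(answered))} dropped={sorted(set(dropped))}")
```

Running it shows the point worth checking on a real appliance: with CONTAINS_ANY the x99moyu.net queries are dropped as intended, but norz.com and norz.co.evil.example are answered too, because the string "norz.co" occurs inside them. If only your own zones should ever be answered, an exact or suffix operator on the same pattern set (EQUALS_ANY or ENDSWITH_ANY) is tighter than CONTAINS_ANY; is_hosted_name above shows the intended semantics. Also worth verifying: NetScaler text operators compare case-sensitively unless the expression uses SET_TEXT_MODE(IGNORECASE), while DNS names are case-insensitive and some resolvers randomise the case of the names they query.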

Next problem: I opened my load balancing vServer and wanted to bind the responder policy. Strange: there was no way to bind a responder policy there!

[Screenshot: bind_policy]

I had to go back to my policy, start the policy manager and bind it from there. Of course I could have bound it using the command line as well 🙂

command line:

bind lb vserver lb_vSvc_DNS -policyName res_pol_dns_invalid_request -priority 100 -gotoPriorityExpression END -type REQUEST

I hope you like it and would be glad to hear some comments on the subject …

About the author

Johannes Norz

Johannes Norz is a Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert in Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150,000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).

6 comments

  • “I did this using a NetScaler string-map (as string-maps are more efficient ”

    Referring to the above, worth highlighting a pattern set rather than a string-map was used in the example given though the outcome would be similar.

  • So sorry, ChrisO, you're absolutely right, I mixed them up while writing. It's a pattern set, not a string map. String maps would definitely not be the best solution in this case.

    • Security was always a main focus with NetScaler. You may use responder (or filter) policies to filter potentially harmful requests. You may use rewrite policies to render potentially harmful requests harmless. And there are application firewall, L7 DoS protection, L3 DoS protection and many more features. Did you know about NetScaler being a PCI-DSS (Payment Card Industry Data Security Standard) compliant application firewall?

By Johannes Norz
