F5 GTM DNS - high number of requests
For quite a while we've been facing some sort of DDoS attempts (I can't consider it an actual attack) against our F5 public DNS.
Initially we were seeing ~700K - 1Mil connections (IP connections), and after some analysis we decided to lower the UDP port 53 timeout from the default 40 sec to 10 sec (on our firewall that sits in front of the F5). That change had a positive impact on peak connections (when the DDoS was seen), lowering them to under 50% - approx. 300-400K connections nowadays.
At this point we started to collect data, and we've seen that there is a pattern to this DDoS (at least once a day, and close to the same time - almost). We also got the IPs that are performing those queries (top 10 IPs based on connections made at that moment).
The missing piece was the actual query that was performed during the HIGH connection moments, and for that we enabled F5 DNS logging, but having too much traffic, we could only see 10 - 15 sec in the F5 logs 😔.
Still, the good part was that we were right on the spot on a couple of occasions and were able to get a snapshot of the queries:
Now yesterday we managed to get the F5 DNS logging forwarded to a Graylog, and over the night we were able to capture a peak of ~1Mil logs (so I would say ~500K queries, considering that you have 2 log lines per query). While exporting the logs for the 5 min this event happened, we were able to get a list of the TOP 20 queries - they are legitimate DNS queries, nothing abnormal.
So after all this monologue, my question to you is: has anyone faced similar HIGH DNS query volumes, and what did you do to prevent it?
While looking for ways to prevent it, we've seen article K11005751 that might be for us, and with an iRule we can DROP requests for FQDNs that don't exist in our environment.
Would that add extra load on resources, considering that the iRule will be executed each time a DNS query arrives at our F5?
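One way to implement the "drop queries for FQDNs we don't host" idea from the post as a GTM/DNS listener iRule, added here as an example and not taken from the post, from K11005751 or from F5; the data group name `authoritative_zones_dg` and its dotted zone entries are assumptions, and the iRule is assumed to be attached to the DNS listener that receives the flood.

```tcl
# Added example (not from the post or from F5): drop DNS queries whose
# name is not under one of the zones we are authoritative for.
# Assumes a string data group "authoritative_zones_dg" whose entries are
# the hosted zones with a leading dot, e.g. ".example.com" (constructed).
when DNS_REQUEST {
    # Normalise the question name: lower-case and strip any trailing dot.
    set qname [string tolower [DNS::question name]]
    set qname [string trimright $qname .]

    # Prepend a dot so that "ends_with" matches the apex ("example.com")
    # and every label below it, but not a look-alike such as
    # "notexample.com", which would otherwise end with "example.com".
    set qname ".$qname"

    if { [class match $qname ends_with authoritative_zones_dg] } {
        # Hosted zone: fall through to the normal GSLB / zone lookup.
        return
    }

    # Not one of our zones: drop the query without a response.
    # Deliberately no per-query log line here: logging every dropped
    # packet during a flood would itself become the load the post is
    # trying to avoid; watch the listener / DNS profile statistics instead.
    DNS::drop
}
```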