This is not a complete solution for blocking a distributed DNS DDoS attack, but if the attack is not very large, you can use this method.
During a DNS-based attack you may face the following difficulties:
1. Heavy traffic to named/bind, causing high load on named.
2. Your websites will take time to resolve, or sometimes the server won't respond to queries at all.
Steps to trace the attack:
Log in to the server via SSH and use the tcpdump utility to pull the details:
tcpdump -nn net x.x.x and port 53
Run the above command as root and you will see the DNS traffic by IP.
Replace x.x.x with your main server IP. If all of your IPs are in the same range, it is better to match the whole range by giving only the first three octets, as in x.x.x above.
If you see a large number of requests arriving within a very short period of time, your server is under attack.
If you wish to see more detailed output, including the packet size and length, use the following command:
tcpdump -nn -vv net x.x.x and port 53
Now you can block the IPs responsible for the attack. If many IPs are involved, the best method is to block the requests made to the server by packet size or length. You can use the following iptables rule to block by length (restricted to UDP port 53 so that other UDP services are not affected):
iptables -A INPUT -p udp --dport 53 -m length --length 56 -j DROP
Save the iptables rule.
service iptables save
In the above example, I'm using a length of 56. The length matched by -m length is the total IP packet length, the same "length" value tcpdump prints in the -vv header line, so take the number from there. Any legitimate query of exactly that size is dropped too, so confirm in the tcpdump output that the length is specific to the flood before applying the rule.
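As an added example that is not part of the original post, the following Python script tallies the output of the tcpdump -nn -vv command above by source address and by IP packet length, so you can see which length the flood uses and which non-attacking sources would be dropped as collateral by a length rule. The capture lines are constructed, not a real capture; the server address 203.0.113.10, the source addresses, and the threshold of 3 queries per source are assumptions.

```python
"""Tally DNS queries from `tcpdump -nn -vv ... and port 53` output by source
address and by IP packet length, to help choose an iptables length value.
Added example: the sample lines below are constructed, not a real capture."""
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -vv` output: two lines per packet, an IP
# header line (carrying the total IP length) and a UDP/DNS line. The server
# is assumed to be 203.0.113.10; 198.51.100.x are the assumed flood sources.
SAMPLE = """\
12:00:01.000101 IP (tos 0x0, ttl 54, id 1001, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.7.4000 > 203.0.113.10.53: [udp sum ok] 1001+ A? domain.org. (28)
12:00:01.000202 IP (tos 0x0, ttl 54, id 1002, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.7.4001 > 203.0.113.10.53: [udp sum ok] 1002+ A? domain.org. (28)
12:00:01.000303 IP (tos 0x0, ttl 54, id 1003, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.7.4002 > 203.0.113.10.53: [udp sum ok] 1003+ A? domain.org. (28)
12:00:01.000404 IP (tos 0x0, ttl 51, id 2001, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.8.4000 > 203.0.113.10.53: [udp sum ok] 2001+ A? domain.org. (28)
12:00:01.000505 IP (tos 0x0, ttl 51, id 2002, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.8.4001 > 203.0.113.10.53: [udp sum ok] 2002+ A? domain.org. (28)
12:00:01.000606 IP (tos 0x0, ttl 51, id 2003, offset 0, flags [none], proto UDP (17), length 56)
    198.51.100.8.4002 > 203.0.113.10.53: [udp sum ok] 2003+ A? domain.org. (28)
12:00:01.000707 IP (tos 0x0, ttl 60, id 3001, offset 0, flags [none], proto UDP (17), length 56)
    192.0.2.5.5353 > 203.0.113.10.53: [udp sum ok] 3001+ A? domain.org. (28)
12:00:01.000808 IP (tos 0x0, ttl 60, id 3002, offset 0, flags [none], proto UDP (17), length 60)
    192.0.2.6.5354 > 203.0.113.10.53: [udp sum ok] 3002+ AAAA? www.domain.org. (32)
12:00:01.000909 IP (tos 0x0, ttl 64, id 3003, offset 0, flags [DF], proto UDP (17), length 72)
    203.0.113.10.53 > 192.0.2.5.5353: [udp sum ok] 3001 q: A? domain.org. 1/0/0 domain.org. A 203.0.113.20 (44)
"""

# "length N" in the header line is the total IP packet length, which is the
# value `iptables -m length --length N` matches against.
HEADER_RE = re.compile(r"proto UDP \(17\), length (?P<len>\d+)\)")
QUERY_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_capture(text):
    """Pair each IP header line with the UDP line that follows it."""
    packets, ip_len = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            ip_len = int(m.group("len"))
            continue
        m = QUERY_RE.match(line)
        if m and ip_len is not None:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            pkt["ip_len"] = ip_len
            packets.append(pkt)
            ip_len = None
    return packets


def inbound_queries(packets, server_ip, port=53):
    """Keep only packets sent to our server's DNS port (drops our own replies)."""
    return [p for p in packets if p["dst"] == server_ip and p["dport"] == port]


def count_by_source(queries):
    return Counter(q["src"] for q in queries)


def count_by_length(queries):
    return Counter(q["ip_len"] for q in queries)


def heavy_sources(queries, threshold):
    """Sources that sent at least `threshold` queries in the captured window."""
    return {src for src, n in count_by_source(queries).items() if n >= threshold}


def collateral_sources(queries, length, attackers):
    """Sources a length rule would also drop although they are not heavy senders."""
    return {q["src"] for q in queries if q["ip_len"] == length} - attackers


def length_rule(length, port=53):
    """The iptables rule from the post, limited to UDP port 53."""
    return f"iptables -A INPUT -p udp --dport {port} -m length --length {length} -j DROP"


if __name__ == "__main__":
    queries = inbound_queries(parse_capture(SAMPLE), "203.0.113.10")
    attackers = heavy_sources(queries, threshold=3)
    length, n = count_by_length(queries).most_common(1)[0]
    print(f"{len(queries)} inbound queries; dominant IP length {length} ({n} packets)")
    print("heavy sources:", sorted(attackers))
    print("collateral at that length:", sorted(collateral_sources(queries, length, attackers)))
    print(length_rule(length))
```

Run it against a saved tcpdump -nn -vv capture instead of SAMPLE to see the distribution on your own server; if the collateral set is not empty, the length alone is not a safe discriminator and you should consider blocking the heavy sources by address instead.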