90% of Incoming DNS Requests Blocked, But Why?

It's become apparent that about 90% of the incoming external DNS requests are being blocked at the firewall.

Config:

Our public NS1 is a Windows 2012R2 server, running in a DMZ. There is a simple DNAT rule (Any -> DNS -> External IP ==> Change dest to NS1 server). There's also a Full NAT rule for internal requests, and an SNAT rule for zone transfers to NS3, as it's offsite.

There's a duplicate set of rules for our public NS2, which is a Linux box on a separate DMZ, and uses a different External IP. I see no difference in the rule sets or Name Server registrations (at the registrar) at all. There's a completely separate Internal DNS infrastructure, which doesn't seem to be implicated at all.

This has all worked properly for many years.

I now notice that about 90% of incoming DNS requests to NS1 are logged as Default Drop. The other 10% get forwarded by the DNAT rule to the server as usual. All requests to NS2 get rewritten and forwarded as expected.

Now I expect this is a good thing, and the firewall is protecting us. But I can't see where or why. They are shown in the Network Protection Overview as dropped packets, but not in Intrusion Prevention. There are 89 DNS amplification Attempts shown, but we're seeing about two blocked DNS queries a second.

We recently added a few countries to the Country Blocking, but packets like that show "Country Blocked", not "Default Drop" in the log.

How can I find out why all these packets are being dropped? Is it possible that one DNS Amplification Attempt corresponds to hundreds of incoming DNS request packets?



This thread was automatically locked due to age.
  • Update: I tried looking for a correlation of source addresses between the IPS log and the firewall log, but I can't see any. The IPS log reports five attempts in the last hour; the firewall log about 100 in the last minute, all from different, apparently random, addresses.

  • How is the firewall rule setup? Did you use the auto-create function when setting up NAT? I believe the automatic rules are applied before manual rules, so I would look into the fw rules again.

    But now as I am rereading your post, this probably wouldn't explain why x percent are blocked, but not the rest. So I would guess you should review what the dropped packets have in common (which fw rule do they match), and what those not being blocked have in common. Basically, a rule applies or not.

    The only things I could imagine which lead to percentages dropped: flood protection or similar mechanisms. But I am unsure if flood-dropped packets would be logged with a default drop, probably not.

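The reply above suggests checking what the dropped packets have in common (which rule they hit, which interface and destination they arrive on) against the packets that are forwarded, and the earlier update tried to correlate source addresses between the IPS log and the firewall log. The script below does both over log lines. It is an added example, not code from this thread or from the firewall vendor: it assumes the firewall writes one key="value" pair per field (the field names action, fwrule, initf, srcip, dstip, proto and dstport are assumptions), the sample log lines, the rule id 60001 and the IPS source list are constructed, and the external addresses 203.0.113.10 (NS1) and 203.0.113.11 (NS2) are placeholders.

```python
"""Summarise DNS packets in a firewall log: who is dropped, by which rule,
from how many sources, and whether the IPS saw the same sources.

Added example (not from the thread). Assumes key="value" log fields named
action, fwrule, initf, srcip, dstip, proto, dstport; all data is constructed.
"""
import re
from collections import Counter, defaultdict

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines; 203.0.113.10 stands for NS1, 203.0.113.11 for NS2.
FW_LOG = """\
2015:03:02-10:15:01 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="17" length="70" ttl="52" srcport="41233" dstport="53"
2015:03:02-10:15:01 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.9" dstip="203.0.113.10" proto="17" length="70" ttl="48" srcport="50112" dstport="53"
2015:03:02-10:15:02 fw ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.0.2.44" dstip="203.0.113.10" proto="17" length="64" ttl="55" srcport="33002" dstport="53"
2015:03:02-10:15:02 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.12" dstip="203.0.113.10" proto="17" length="70" ttl="51" srcport="40001" dstport="53"
2015:03:02-10:15:03 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="17" length="70" ttl="52" srcport="41234" dstport="53"
2015:03:02-10:15:03 fw ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="4" initf="eth1" srcip="192.0.2.45" dstip="203.0.113.11" proto="17" length="64" ttl="55" srcport="33010" dstport="53"
2015:03:02-10:15:04 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="60" ttl="52" srcport="41235" dstport="53"
2015:03:02-10:15:05 fw ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.30" dstip="203.0.113.10" proto="6" length="60" ttl="44" srcport="51000" dstport="22"
"""

# Constructed list of source addresses as an IPS log might report them.
IPS_SOURCES = ["198.51.100.7", "203.0.113.99"]


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def parse_log(text):
    """Parse every non-empty line of a log excerpt."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def dns_records(records, port="53"):
    """Keep only UDP (17) or TCP (6) packets addressed to the DNS port."""
    return [r for r in records
            if r.get("dstport") == port and r.get("proto") in ("6", "17")]


def group_by(records, *keys):
    """Packets and distinct source IPs per combination of the given fields.

    Grouping by dstip, action and fwrule shows which rule absorbs the drops
    and whether they come from a few sources or from many.
    """
    counts = Counter()
    sources = defaultdict(set)
    for r in records:
        k = tuple(r.get(key, "?") for key in keys)
        counts[k] += 1
        sources[k].add(r.get("srcip", "?"))
    return {k: {"packets": n, "sources": len(sources[k])}
            for k, n in counts.items()}


def drop_ratio(records):
    """(dropped, total) per destination IP, to check the 90 % figure per server."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        t = totals[r.get("dstip", "?")]
        t[1] += 1
        if r.get("action") == "drop":
            t[0] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def top_sources(records, n=3):
    """Most frequent dropped sources; many packets from one address looks
    different from one packet each from random addresses."""
    return Counter(r["srcip"] for r in records
                   if r.get("action") == "drop").most_common(n)


def ips_overlap(records, ips_sources):
    """Dropped source IPs that also appear in the IPS source list."""
    dropped = {r["srcip"] for r in records if r.get("action") == "drop"}
    return sorted(dropped & set(ips_sources))


if __name__ == "__main__":
    recs = dns_records(parse_log(FW_LOG))
    for k, v in sorted(group_by(recs, "dstip", "action", "fwrule").items()):
        print(k, v)
    print("drop ratio per destination:", drop_ratio(recs))
    print("top dropped sources:", top_sources(recs))
    print("dropped sources also seen by IPS:", ips_overlap(recs, IPS_SOURCES))
```

To use it on a real box, replace FW_LOG with the contents of the firewall's packet-filter log and IPS_SOURCES with the source addresses taken from the IPS log. A single (dstip, drop, fwrule) group that carries nearly all the drops, with about as many distinct sources as packets, is the group whose rule id should be looked up in the rule set; an empty overlap with the IPS sources is what the update above reports and argues against the drops being the logged amplification attempts.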