I had a situation where I had TA916e that was once being delivered 3 T1s as the WAN. The TA916e was originally feeding both a PBX with 8 FXS ports and feeding a NV3448 for the data side of my customer's network. The carrier switched to an Ethernet Handoff on site (Adtran 818), so I reconfigured the TA916e with public's assigned to both Eth0/1 and Eth0/2. The client changed to a HPBX VoIP setup so we no longer needed connectivity to the PBX via the 8 FXS ports. Essentially, the TA916e was a straight pass through allowing me to route the Customer Public IPs to the NV3448 which providing NAT/Firewalling for the customer's voice and data networks.
Our plans were to eventually collapse the network and get rid of the TA916e, but that had not happened, yet. A few weeks ago, the customer started complaining of drops and voice quality issues. We started reviewing our monitoring and confirmed the issue. It got pretty bad where we were seeing double digit packet loss at peak times during the day. Every time we called the carrier they would say the packet loss was due to congestion on the underlying 3 bonded t1s driving the Carrier's Adtran 818.
We started testing after hours and still noticed the packet loss after 5:30pm when no one was at the client location. Monitoring showed that even at these off hour times that ~1 Mbps was still being used consistently on the circuit. We had the carrier do intrusive testing on the T1s last night and all three were clean. We did some other testing today and basically ruled out the carrier's network. Tonight after hours, I disabled the internal port on the TA916e so that nothing coming from the NV3448 would even be flowing out. Our monitoring still showed ~1-1.5Mbps being utilized on the TA916 Internet facing connection. This time, reviewing our Netflow monitoring on the TA916e showed a ton of traffic inbound to the public IP of the TA916e with DST Port 53 UDP. Cleaned up the config and made sure all old sip programming was out. Also disabled Allow DNS Proxy on the box which gets to the root of my question/post. Sorry for the long back story.
I had assumed (possibly naively) that the netvanta/total access routers (AOS for that matter) were not responding externally to DNS requests if DNS Proxy was enabled. Take a standard branch office situation where the adtran netvanta router is the edge device providing firewalling/nat/dhcp/dns to the client LAN. The router has a static Public IP on the WAN interface. I enable Allow DNS Proxy and typically also Allow DNS Lookup on the box. I typically use OpenDNS or Google DNS IPs that the box queries for DNS.
Do I need to do anything else to properly protect the router from being externally queried for DNS? I'm typically only allowing 443 and ICMP on the WAN interface except for known public ips like for management purposes.
I often protect SSH by adding "ip access-group BLOCK in" statement to the WAN interface. Do I need to do something like this to block DNS queries of the WAN interface of the router except for OpenDNS or Google DNS IPs? Does the router protected itself already from this kind of scenario?
I believe this is kind of like a refection attack, but not sure. Suggestions or can someone set me straight here?
Thanks
-CW
