DNS attacks from external IP with port 80, how could that happen?

Solution 1:

You're looking at the client query logs, and normally a client will choose from one of the ephemeral ports to have your DNS server respond back to. Yes your server is listening on port 53, but your clients will most likely receive responses from your DNS server over ports 49152 to 65535. The fact that the source of your query traffic is choosing to use port 80 as the return trip port is... odd, but virtually irrelevant. I'm sure it's some method of circumventing network security on the client's side. Or the developers of whatever software is attempting to abuse your DNS server were just not particularly concerned with using ephemeral ports. Who knows.

As for your firewall, you need to run either firewall-cmd --reload or firewall-cmd --complete-reload afterwards to make sure that the rule is processed.


This IP can obtain local port 80 every time it gets in.

To be clear, port 80 in your logs is not referring to your DNS server at all. That is purely referring to the return trip that packets will take to get back to the client. When you see this:

That means DNS responses will be returned to, just like when you see this in the first line of your logs:

Any DNS query that your DNS server satisfied was returned to

To reiterate: No traffic is coming to your server over port 80, just like no traffic is coming to your server over port 36045. Those return trip ports are completely, utterly, and absolutely irrelevant to you.

This is, at its heart, a firewall misconfiguration. Either through firewalld zones, interfaces, rule ordering, or reloading issues.

Solution 2:

The traffic is returning to the external IP's port 80. Usually, the provided “source IP address” is spoofed, and somebody's trying to use your DNS server as part of a DDoS attack – specifically, a reflector attack.

You should set up something like fail2ban to prevent your server from being used in such an attack. Or, to mitigate it, just configure your firewall to reject client ports below 1024.
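Both answers turn on reading the "client ip#port" field of the query log correctly: the port after the # is the client's source port, i.e. where the reply goes, not a port on the DNS server. The script below is an added example (not from either answer, not from BIND or firewalld) that parses lines in BIND's query-log format and counts, per source address, how many queries asked for replies to a port below 1024, which is the range the second answer suggests rejecting at the firewall. The log lines are constructed for the example, using RFC 5737/3849 documentation addresses; the regex and the 1024 cut-off are assumptions stated in the comments.

```python
import re
from collections import Counter

# Constructed sample lines in the format BIND writes to its "queries" log
# channel. These are not the asker's logs; the addresses are documentation
# ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32, 192.0.2.0/24).
SAMPLE_LOG = """\
05-Mar-2024 10:00:01.123 client 203.0.113.7#80 (example.com): query: example.com IN A +E (192.0.2.10)
05-Mar-2024 10:00:01.456 client 203.0.113.7#80 (example.com): query: example.com IN A +E (192.0.2.10)
05-Mar-2024 10:00:02.001 client 198.51.100.20#36045 (example.net): query: example.net IN A + (192.0.2.10)
05-Mar-2024 10:00:02.250 client @0x7f3c1c0a2b10 2001:db8::1#53412 (example.org): query: example.org IN AAAA + (192.0.2.10)
05-Mar-2024 10:00:03.777 client 203.0.113.7#80 (example.com): query: example.com IN A +E (192.0.2.10)
05-Mar-2024 10:00:04.000 client 198.51.100.20#443 (example.net): query: example.net IN MX + (192.0.2.10)
this line is not a query-log entry and is skipped
"""

# Only "client <ip>#<port>" matters for this check. Newer BIND releases insert a
# "@0x..." client-object pointer before the address, so the pattern allows it.
# The address class covers both IPv4 and IPv6 literals.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+)"
)

# Assumption taken from the answer above: a client asking for its reply on a
# port in the well-known range (0-1023) is not a normal stub resolver.
PRIVILEGED_MAX = 1023


def parse_query_log(text):
    """Yield one dict per parseable line: client source ip, source port, qname, qtype."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a query-log line (or a format this regex does not know)
        yield {
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
        }


def is_privileged_port(port):
    """True for source ports 0-1023, i.e. the range the firewall rule would reject."""
    return 0 <= port <= PRIVILEGED_MAX


def privileged_source_counts(text):
    """Count queries per (client ip, client source port) whose source port is below 1024.

    The port is the *return* port for the reply, so a high count for one
    (ip, port) pair means many replies are being aimed at that address.
    """
    counts = Counter()
    for rec in parse_query_log(text):
        if is_privileged_port(rec["port"]):
            counts[(rec["ip"], rec["port"])] += 1
    return counts


def report(text):
    """Human-readable summary, most frequent (ip, port) pair first."""
    ranked = sorted(privileged_source_counts(text).items(), key=lambda kv: -kv[1])
    return [
        f"{ip} sent {n} query(ies) asking for replies to privileged port {port}"
        for (ip, port), n in ranked
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real query log by replacing SAMPLE_LOG with the file contents; the 198.51.100.20#36045 and 2001:db8::1#53412 entries show what ordinary client traffic looks like (ephemeral source ports) and are left out of the report, while the repeated 203.0.113.7#80 entries are the pattern the question describes.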