[GH-ISSUE #250] Disable DNS server after API inactivity #124

Open
opened 2026-03-13 15:51:28 +03:00 by kerem · 1 comment

Originally created by @nescafe2002 on GitHub (Dec 7, 2020).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/250

Since my IP got hammered a lot with invalid DNS requests:

```
Standard query ANY <Root> OPT
Standard query ANY <Root> OPT
(...)
Standard query ANY <Root> OPT
```

As ACME DNS is relevant during certificate only, I have configured my router to enable forwarding only on renewals:

(MikroTik rsc)

```
# Port forward api endpoint (443)
/ip firewall nat
add action=dst-nat chain=nat-public dst-port=443 protocol=tcp to-addresses=192.168.1.50

# Add dst-address (router ip) to address list when api endpoint is addressed (tls host auth.mydomain.tld)
/ip firewall mangle
add action=add-dst-to-address-list address-list=acme-dns address-list-timeout=15m chain=prerouting \
    dst-address-type=local dst-port=443 protocol=tcp tls-host=auth.mydomain.tld

# Port forward dns (53) only if api endpoint has been addressed in the previous 15 minutes
/ip firewall nat
add action=dst-nat chain=dst-nat dst-address-list=acme-dns dst-port=53 protocol=udp to-addresses=192.168.1.50
```

This works perfectly and the amount of bogus DNS requests to my IP has dropped significantly.

However, this poses a slight problem: if the requesting server has IPv6 access only and LE is using the IPv4 endpoint to verify DNS, I cannot address IPv4 address lists from the IPv6 firewall. Therefore I'd like to drop this here as a feature request:

**Is there a way to enable the built-in DNS server only for a specified time after the /update endpoint has been addressed?**


@nescafe2002 commented on GitHub (Dec 15, 2020):

Well, the problem is that this (TLS-host-based) port knocking solution blocks acme-dns functionality if the API is exposed through the NS-delegated domain, as in the default setup.

E.g. API endpoint https://auth.example.org
ACME-dns entry {GUID}.auth.example.org

File config.cfg:

```
records = [
    # domain pointing to the public IP of your acme-dns server
    "auth.example.org. A 192.0.2.1",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.example.org. NS auth.example.org.",
]
```

I have removed the configuration from my router and replaced it with a simple "no answer = no response" rule:

https://github.com/nescafe2002/acme-dns/commit/bfd0389aa7db7fa2702940f2d7cfc9590fac5f5e

**Is there any info on how acme-dns contributes to DNS (amplification) attacks based on bogus (spoofed) requests?**
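As an added illustration of the two ideas in this thread (the feature request in the opening post and the "no answer = no response" rule in this comment), here is a sketch in Go, the language acme-dns is written in. It is not acme-dns code and not from the linked commit: `ActivityGate`, its methods, the 15-minute window and the `/update` path check are assumptions made for the example. The gate is opened by the API handler and closes on its own, and while it is open a query for a name the server has no record for is dropped rather than answered, so a spoofed query gets nothing reflected back.

```go
package main

import (
	"fmt"
	"net/http"
	"sync/atomic"
	"time"
)

// ActivityGate remembers when the /update API was last used and decides whether
// the DNS side should answer at all. Hypothetical helper for this thread, not acme-dns code.
type ActivityGate struct {
	last   int64            // unix nanoseconds of the last /update (accessed atomically); 0 = never
	window time.Duration    // how long the DNS responder stays open after an /update
	now    func() time.Time // injectable clock, so expiry can be tested offline
}

func NewActivityGate(window time.Duration) *ActivityGate {
	return &ActivityGate{window: window, now: time.Now}
}

// Touch records API activity; the /update handler calls it.
func (g *ActivityGate) Touch() { atomic.StoreInt64(&g.last, g.now().UnixNano()) }

// Active reports whether the window opened by the last /update is still running.
func (g *ActivityGate) Active() bool {
	last := atomic.LoadInt64(&g.last)
	return last != 0 && g.now().Sub(time.Unix(0, last)) < g.window
}

// ShouldAnswer: outside the window the responder stays silent (the feature request);
// inside it, a query for a name with no record is dropped, not answered ("no answer = no response").
func (g *ActivityGate) ShouldAnswer(hasRecord bool) bool {
	return g.Active() && hasRecord
}

// Middleware opens the window on every POST /update, wrapping the existing API mux.
func (g *ActivityGate) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.URL.Path == "/update" {
			g.Touch()
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	g := NewActivityGate(15 * time.Minute)
	g.Touch() // simulate a successful /update call
	fmt.Println("answer while window open:", g.ShouldAnswer(true)) // true
}
```

The DNS handler would consult `ShouldAnswer` before building a reply and simply return without writing anything when it is false; whether acme-dns can be made to drop rather than reply is what the question above is really asking.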
