Guide to DNS Open Recursion Amplification Issues

Related information: http://iweb.com/legal

Description:

The DNS (Domain Name System) translates domain names like "example.com" to the related numerical IP addresses. DNS open recursion (answering recursive queries from any client) is a feature enabled by default in several DNS server software packages.

A DNS server that offers open recursion can be abused to attack other networks. This happens when the default setting of the DNS service is not adjusted upon installation: a third party with malicious intentions can use the server to reflect and amplify Distributed Denial of Service (DDoS) traffic towards a victim. This can be prevented by adjusting your DNS settings.

How to verify if your server/device is vulnerable

You can test your IP addresses using the following methods (xx.xx.xx.xx is your server IP):

1 - Using dig:
# dig +nocmd +nocomment +nostats ANY iweb.com @xx.xx.xx.xx

Example of output for vulnerable servers:
;iweb.com.            IN    ANY
iweb.com.        13409    IN    A    xx.xx.xx.xx
iweb.com.        85409    IN    NS    nsy.iweb.com.
iweb.com.        85409    IN    NS    nsz.iweb.com.
iweb.com.        85409    IN    NS    sub.domain.tld.
iweb.com.        85409    IN    NS    sub.domain.tld.
iweb.com.        85409    IN    NS    sub.domain.tld.
iweb.com.        85409    IN    NS    sub.domain.tld.
[...]

Another example of output (usually from Windows servers) where recursion has been disabled but the DNS server still returns the list of root DNS servers. This setup can still be used to perform amplification attacks:

;iweb.com.            IN    ANY
.            3600    IN    NS    l.root-servers.net.
.            3600    IN    NS    j.root-servers.net.
.            3600    IN    NS    g.root-servers.net.
.            3600    IN    NS    i.root-servers.net.
.            3600    IN    NS    f.root-servers.net.
.            3600    IN    NS    k.root-servers.net.
[...]

Example of output for non-vulnerable servers:
;iweb.com.            IN    ANY


2 - Using Nmap:
# sudo nmap -Pn --script=dns-recursion -sU -p53 xx.xx.xx.xx

Example of output for vulnerable servers:
PORT   STATE SERVICE
53/udp open  domain
 |_dns-recursion: Recursion appears to be enabled

Example of output for non-vulnerable servers:

 - DNS is active but recursion is not available
PORT   STATE SERVICE
53/udp open  domain
Nmap done: 1 IP address (1 host up)

 - DNS service is closed
PORT   STATE  SERVICE
53/udp closed domain

 - DNS service is filtered
PORT   STATE         SERVICE
53/udp open|filtered domain


The IP might also be listed on the following website, but this is not a real-time check:
http://openresolverproject.org/
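The dig and nmap checks above both boil down to one question: does the server answer a query that has the RD (recursion desired) bit set with the RA (recursion available) bit set, or with a pile of root NS records? The following Python script is an added example, not code from the article or from iWeb: it builds the same "ANY iweb.com" question dig sends, parses the reply (including compressed names), sorts it into the three cases shown in the dig outputs, and reports the bytes-out / bytes-in amplification ratio. The three sample responses at the bottom are constructed to mirror those outputs; `probe()` sends a live query to a server you administer and is the only part that needs network access.

```python
import socket
import struct

# Added example, not code from the original article: a minimal DNS client that
# sends the same "ANY iweb.com" question dig sends (RD=1) and sorts the answer
# into the three cases shown above. The sample responses are constructed.
QTYPE_NS, QTYPE_ANY = 2, 255
FLAG_RD, FLAG_RA = 0x0100, 0x0080


def _encode_name(name: str) -> bytes:
    """Wire-format a dotted name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Header with RD set plus one question: what `dig ANY name @server` sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def _read_rrs(buf: bytes, off: int, count: int):
    """Walk `count` resource records, returning [(owner name, rtype), ...]."""
    rrs = []
    for _ in range(count):
        name, off = _read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rrs.append((name, rtype))
        off += 10 + rdlen
    return rrs, off


def classify(query: bytes, response: bytes) -> dict:
    """Map a response to the three cases shown in the dig outputs above."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):                                # skip echoed question(s)
        _, off = _read_name(response, off)
        off += 4
    answers, off = _read_rrs(response, off, an)
    authority, _ = _read_rrs(response, off, ns)
    root_ns = any(n == "." and t == QTYPE_NS for n, t in answers + authority)
    if flags & FLAG_RA:
        verdict = "open recursion"          # server offers recursion to us
    elif root_ns:
        verdict = "root hints only"         # recursion off, but still amplifies
    else:
        verdict = "not vulnerable"
    return {"ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "answers": an,
            "authority": ns, "verdict": verdict,
            "amplification": round(len(response) / len(query), 1)}  # bytes out / in


def probe(server: str, name: str = "iweb.com", timeout: float = 3.0) -> dict:
    """Live check of one of your own servers (needs network; not used by tests)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify(query, response)


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Constructed, uncompressed resource record for the samples below."""
    return _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _response(query: bytes, flags: int, answers=(), authority=()) -> bytes:
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    return header + query[12:] + b"".join(answers) + b"".join(authority)


QUERY = build_query("iweb.com")
SAMPLE_OPEN = _response(QUERY, 0x8000 | FLAG_RD | FLAG_RA, answers=[
    _rr("iweb.com", 1, bytes([192, 0, 2, 1])),          # constructed A record
    _rr("iweb.com", QTYPE_NS, _encode_name("nsy.iweb.com")),
    _rr("iweb.com", QTYPE_NS, _encode_name("nsz.iweb.com"))])
SAMPLE_ROOT_HINTS = _response(QUERY, 0x8000 | FLAG_RD, authority=[
    _rr(".", QTYPE_NS, _encode_name(f"{c}.root-servers.net")) for c in "ljgifk"])
SAMPLE_REFUSED = _response(QUERY, 0x8000 | FLAG_RD | 5)   # RCODE 5 = REFUSED, nothing else
```

Run `probe("xx.xx.xx.xx")` against your own server: a verdict of "open recursion" corresponds to the first dig output, "root hints only" to the Windows root-server listing, and "not vulnerable" to the empty answer. The amplification value makes the risk concrete: the 26-byte query yields a reply several times larger whenever records come back, which is exactly what an attacker spoofing the source address is after.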

Resolution:

Depending on your needs, you can either disable or restrict the open recursion. Choose the best option for your server and your operating system (Windows or Linux) and follow the instructions below:

OPTION A - If the DNS recursion can be disabled:

*) For Microsoft Windows DNS:

  • Disable recursion on the DNS server: http://technet.microsoft.com/en-us/library/cc787602%28v=ws.10%29.aspx
  • Rename the 'root hints cache file' so that the list of root servers cannot be used for DNS amplification attacks: open the folder %systemroot%\system32\dns and rename cache.dns to cache.dns.orig
  • Once these modifications are complete, you must restart the DNS service.

*) For Windows server using Plesk DNS:

  • Log in to your Plesk Panel as admin.
  • On the left menu, select "Server Management > Tools & Settings" section (previously called "Server").
  • In the main panel, select "DNS Template Settings" (previously called "DNS Settings").
  • Select the DNS Recursion Tab.
  • Select the Deny option and click the Set button to complete the operation.

*) For Linux servers using Bind:

  • Edit the file /etc/named.conf and set the directives below in the "options{" section to secure your DNS service:

    version "unknown";
    allow-transfer {none;};
    allow-recursion {none;};
    allow-query-cache {none;}; // for BIND 9.4+
    recursion no;
    additional-from-cache no;

  • Once these modifications are complete, you must restart the DNS service.


OPTION B - If you must use DNS recursion to provide service to your customers, iWeb requires that you restrict the usage scope to localhost, localnets, and/or your customers' IP ranges.

*) For Microsoft Windows servers:

  • Windows servers running DNS with open recursion can use the Windows firewall to limit access to the DNS service and prevent it from being exploited.

        DNS TCP/UDP incoming firewall rule settings:
        Local IP: any
        Remote IP - These IPs: add all of your trusted IPs (other servers of your network).

  • If the server has a Windows Active Directory domain, you will have to add the source IPs that use this service.

*) For Windows server using Plesk DNS: (allowing localhost and localnets)

  • Connect to your dedicated server.
  • From the Start menu, click Run, and enter the following command:
         notepad "%plesk_dir%dns\etc\named.user.conf"
  • Modify the file to set allow-recursion to "localnets" instead of "any".
  • Save and close the file. The options settings will look like:
         options {
             allow-transfer { localhost; localnets; };
             allow-recursion { localhost; localnets; };
             listen-on-v6 { none; };
             version none;
             additional-from-cache no;
         };
  • Restart "named" service. From the Start menu, as administrator, click Run and run "cmd", then type the following command in the command prompt:
         net stop named && net start named

*) For Linux servers using Bind: (allowing localhost, localnets and specific IPs)

  • Edit the file /etc/named.conf, define the acl "trusted" (before the options block, since an acl must be defined before it is referenced) and change the directives below in the "options{" section. Note that "recursion yes;" is an option and belongs inside "options{", not at the top level of the file:

    acl "trusted" {
    192.168.0.0/16; // change IPs as required
    64.15.128.0/19; // change IPs as required
    localhost;
    localnets;
    };

    options{
    ...
    recursion yes;
    allow-query { trusted; }; // trusted could be replaced by any only if necessary
    allow-transfer { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; }; // for BIND 9.4+
    additional-from-cache no;
    ...
    };
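Whether you chose OPTION A or OPTION B, it is worth checking the resulting named.conf before restarting, because an acl that looks restrictive can still expand to "any". The Python lint below is an added example (not from the article, not an ISC tool): it strips comments, collects the acl definitions, expands named ACLs inside allow-recursion and allow-query-cache, and reports whether recursion is left open. The function names and the three sample configurations are mine; the samples are constructed to mirror the weak default, the OPTION B layout above, and a misleading acl.

```python
import re

# Added example, not part of the original article: lint a named.conf text for
# the open-recursion settings discussed above. Sample configs are constructed.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def _entries(body: str) -> list:
    """Split an address-match list body like ' localhost; "trusted"; ' into items."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def _parse_acls(text: str) -> dict:
    """Collect every acl "name" { ... }; definition into {name: [members]}."""
    return {m.group(1): _entries(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text)}


def _option_list(text: str, option: str):
    """Return the address list of e.g. allow-recursion, or None if absent."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}\s*;', text)
    return _entries(m.group(1)) if m else None


def _expand(entries: list, acls: dict, seen=None) -> list:
    """Replace named ACLs by their members so an 'any' hidden in an acl is found."""
    seen = set() if seen is None else seen
    out = []
    for e in entries:
        if e in acls and e not in seen:
            seen.add(e)
            out.extend(_expand(acls[e], acls, seen))
        else:
            out.append(e)
    return out


def audit_named_conf(text: str) -> list:
    """Return findings; an empty list means recursion is off or restricted."""
    text = _COMMENT_RE.sub("", text)
    acls = _parse_acls(text)
    findings = []
    m = re.search(r'(?<![\w-])recursion\s+(yes|no)\s*;', text)
    if m and m.group(1) == "no":
        return findings                       # OPTION A: nobody can recurse
    if m is None:
        findings.append("recursion not set explicitly (BIND defaults to yes)")
    if _option_list(text, "allow-recursion") is None:
        findings.append("allow-recursion missing: recursion scope is not explicitly restricted")
    for option in ("allow-recursion", "allow-query-cache"):
        lst = _option_list(text, option)
        if lst is not None and "any" in _expand(lst, acls):
            findings.append(f"{option} resolves to 'any': open recursion")
    return findings


# Constructed: a default-looking file that recurses for anyone.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };   // this is the problem
};
"""

# Constructed: the restricted layout from OPTION B above.
RESTRICTED_CONF = """
acl "trusted" {
    192.168.0.0/16; // change IPs as required
    64.15.128.0/19;
    localhost;
    localnets;
};
options {
    recursion yes;
    allow-query { trusted; };
    allow-transfer { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; }; /* BIND 9.4+ */
    additional-from-cache no;
};
"""

# Constructed: an acl whose name suggests a restriction but which is really "any".
LEAKY_ACL_CONF = """
acl "customers" { any; };
options { recursion yes; allow-recursion { customers; }; };
"""
```

`audit_named_conf(open("/etc/named.conf").read())` on a real file returns the findings list; the regexes are deliberately simple and only understand the flat acl and options layout shown in this article, so treat the output as a sanity check on the edits above rather than a full parser.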
