Related information: http://iweb.com/legal
Description:
The DNS (Domain Name System) translates domain names such as "example.com" into the corresponding numerical IP addresses. Open recursion is a feature enabled by default in several DNS server packages.
An open recursive DNS service can be abused to attack other networks. This typically happens when the default settings of the DNS service are left unchanged after installation. A third party with malicious intentions can use the open resolver to generate Distributed Denial of Service (DDoS) traffic against a victim. This can be prevented by adjusting your DNS settings.
How to verify if your server/device is vulnerable
You can test your IP addresses using the following methods (xx.xx.xx.xx is your server IP):
1 - Using dig:
# dig +nocmd +nocomment +nostats +noedns ANY iweb.com @xx.xx.xx.xx
Example of output for vulnerable servers:
;iweb.com. IN ANY
iweb.com. 13409 IN A xx.xx.xx.xx
iweb.com. 85409 IN NS nsy.iweb.com.
iweb.com. 85409 IN NS nsz.iweb.com.
iweb.com. 85409 IN NS sub.domain.tld.
iweb.com. 85409 IN NS sub.domain.tld.
iweb.com. 85409 IN NS sub.domain.tld.
iweb.com. 85409 IN NS sub.domain.tld.
[...]
Another example of output (usually from Windows servers) where recursion has been disabled but the DNS server still returns the list of root DNS servers. This setup can still be abused for amplification attacks:
;iweb.com. IN ANY
. 3600 IN NS l.root-servers.net.
. 3600 IN NS j.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS i.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS k.root-servers.net.
[...]
Example of output for servers that are not vulnerable:
;iweb.com. IN ANY
2 - Using Nmap:
# sudo nmap -Pn --script=dns-recursion -sU -p53 xx.xx.xx.xx
Example of output for vulnerable servers:
PORT STATE SERVICE
53/udp open domain
|_dns-recursion: Recursion appears to be enabled
Example of output for servers that are not vulnerable:
- DNS is active but recursion is not available
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up)
- DNS service is closed
PORT STATE SERVICE
53/udp closed domain
- DNS service is filtered
PORT STATE SERVICE
53/udp open|filtered domain
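The three dig outputs above differ in the RA (recursion available) flag and in which records come back. As an added example that is not part of the original article, the following parser reads a raw DNS reply to the "iweb.com ANY" test query and sorts it into those same three cases; the replies at the bottom are constructed in code, not captured from a server.

```python
import struct
# Added example (not from the original article): classify a DNS server's reply to
# the "iweb.com ANY" test query. Sample replies at the bottom are constructed.
def _encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _read_name(data, off):
    # Decode a possibly compressed owner name; return (name, offset after it).
    labels, end = [], None
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(data[off + 1:off + 1 + length].decode())
        off += 1 + length

def classify_response(resp):
    # Returns 'open-recursion', 'root-hints-referral' or 'closed'.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(resp, off)
        off += 4
    root_ns = False
    for _ in range(an + ns + ar):                      # walk every resource record
        name, off = _read_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        root_ns |= name == "." and rtype == 2          # NS record for the root zone
    if flags & 0x0080 and an > 0:                      # RA set and it answered for us
        return "open-recursion"
    if root_ns:                                        # no RA, but root hints served
        return "root-hints-referral"
    return "closed"

def _reply(flags, answers=(), authority=()):
    # Constructed reply to 'iweb.com ANY'; records are (owner, type, rdata) tuples.
    def rrs(recs):
        return b"".join(_encode_name(n) + struct.pack("!HHIH", t, 1, 3600, len(d)) + d
                        for n, t, d in recs)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    return hdr + _encode_name("iweb.com") + struct.pack("!HH", 255, 1) + rrs(answers) + rrs(authority)
OPEN = _reply(0x8180, answers=[("iweb.com", 1, bytes([10, 0, 0, 1]))])           # QR RD RA
ROOT_HINTS = _reply(0x8100, authority=[(".", 2, _encode_name("a.root-servers.net"))])  # RA clear
CLOSED = _reply(0x8105)                                                           # REFUSED, empty
```

To check a real server, send the output of a query with the RD bit set (flags 0x0100) over UDP port 53 to your own server and pass the reply bytes to classify_response.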
Resolution:
Depending on your needs, you can either disable or restrict the open recursion. Choose the best option for your server and your operating system (Windows or Linux) and follow the instructions below:
OPTION A - If the DNS recursion can be disabled:
*) For Microsoft Windows DNS:
- Disable recursion on the DNS server: http://technet.microsoft.com/en-us/library/cc787602%28v=ws.10%29.aspx
- Rename the 'root hints cache file' to prevent reference to the root zones being used for DNS amplification attacks: Open the folder %systemroot%\system32\dns and rename cache.dns to cache.dns.orig
- Once these modifications are complete, you must restart the DNS service.
*) For Windows servers using Plesk DNS:
- Log in to your Plesk Panel as admin.
- Verify which DNS server is used (under Server Management > Tools & Settings > Server components).
- If the Microsoft DNS server is used, the Deny option cannot be selected. In that case, refer to the "Microsoft Windows DNS" section above.
- If you are using Plesk DNS server (BIND), go to "Server Management > Tools & Settings" and in the main panel, select "DNS Template Settings" (previously called "DNS Settings").
- Select the DNS Recursion Tab.
- Select the Deny option and click the Set button to complete the operations.
*) For Linux servers using Bind:
- Edit the file /etc/named.conf and change the variables below in the "options {" section to secure your DNS service:
version "unknown";
allow-transfer {none;};
allow-recursion {none;};
allow-query-cache {none;}; // for BIND 9.4+
recursion no;
additional-from-cache no;
- Once these modifications are complete, you must restart the DNS service.
OPTION B - If you must use DNS recursion to provide service to your customers, iWeb requires that you restrict the usage scope to localhost, localnets, and/or your customers' IP ranges.
*) For Microsoft Windows servers:
- Windows servers running DNS with open recursion can use the Windows firewall to limit access to the DNS service and prevent it from being exploited.
DNS TCP/UDP incoming firewall settings/rules:
*Local IP*: any
*Remote IP - /These IPs:/* Add all of your trusted IPs (other servers of your network).
- If the server has a Windows Active Directory domain, you will have to add the source IPs that use this service.
*) For Windows servers using Plesk DNS: (allowing localhost and localnets)
- Connect to your dedicated server.
- From the Start menu, click Run, and enter the following command:
notepad "%plesk_dir%dns\etc\named.user.conf"
- Modify the file to set allow-recursion to "localnets" instead of "any".
- Save and close the file. The options settings will look like:
options {
allow-transfer { localhost; localnets; };
allow-recursion { localhost; localnets; };
listen-on-v6 { none; };
version none;
additional-from-cache no;
};
- Restart the "named" service. From the Start menu, as administrator, click Run and run "cmd", then type the following command in the command prompt:
net stop named && net start named
*) For Linux servers using Bind: (allowing localhost, localnets and specific IPs)
- Edit the file /etc/named.conf and change the variables below in the acl "trusted" and "options {" sections:
recursion yes;
acl "trusted"{
192.168.0.0/16; // change IPs as required
64.15.128.0/19; // change IPs as required
localhost;
localnets;
};
options{
...
allow-query { trusted; }; // trusted could be replaced by any only if necessary
allow-transfer { trusted; };
allow-recursion { trusted; };
allow-query-cache { trusted; }; // for BIND 9.4+
additional-from-cache no;
...
};
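OPTION A and OPTION B above reduce to a few named.conf directives: recursion, allow-recursion and the acl it points at. As an added example that is not part of the original article, the following audit function reads a named.conf text and reports whether recursion is disabled, restricted to an acl, or open; the sample configurations are constructed to mirror the two options.

```python
import re
# Added example (not from the original article): audit a named.conf text for the
# recursion settings this section changes. The sample configs are constructed.

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)       # /* ... */
    return re.sub(r"(//|#).*", "", text)                    # // ... and # ...

def _members(body):
    # 'localhost; localnets; "trusted";' -> {'localhost', 'localnets', 'trusted'}
    return {t.strip().strip('"') for t in body.split(";") if t.strip()}

def _expand_acls(text, names):
    # Replace each named acl by its members (one level, enough for the configs above).
    out = set()
    for n in names:
        m = re.search(r'acl\s+"?' + re.escape(n) + r'"?\s*\{([^}]*)\}', text)
        out |= _members(m.group(1)) if m else {n}
    return out

def audit_recursion(conf):
    # Returns 'disabled', 'restricted' or 'open' (open = anyone may recurse through you).
    text = _strip_comments(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    if rec and rec.group(1) == "no":
        return "disabled"                                   # OPTION A
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        # Not restricted in this file: treat as open until the dig test above proves
        # otherwise (the built-in default differs between BIND versions).
        return "open"
    allowed = _expand_acls(text, _members(m.group(1)))
    if not allowed or allowed == {"none"}:
        return "disabled"
    return "open" if "any" in allowed else "restricted"     # OPTION B when restricted

OPTION_A = """options {
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
};"""
OPTION_B = """acl "trusted" { 192.168.0.0/16; localhost; localnets; };
options { recursion yes; allow-recursion { trusted; }; }; // restricted to the acl"""
DEFAULT_OPEN = """options { recursion yes; allow-recursion { any; }; };"""
```

Run audit_recursion on the contents of /etc/named.conf after editing it and before restarting named; a result of "open" means the dig test at the top of this article will still succeed from the Internet.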