Tag Archives: secure named

Open resolvers !!

Open resolver ??

Before getting to know what is an open resolver, you need to know what
is recursion, ie recursive queries !

Suppose you have a DNS server configured and a local machine which uses
your DNS server queries for a website. Imagine this query is a new one 
and its not in the local cache of the machine which made the request.
Once this request reaches your DNS server, it will attempt to find the
website in question in its local cache. If it cannot find an answer it
will query other DNS servers on your behalf until it finds the address.
It will then respond to the original request with the results from each
server’s query.

This scenario is fine, because the local machine which made the initial
request is trusted by you.

What if another machine which isn’t trusted by you, queries your DNS server
for the same ? Then your DNS is an Open resolver.

An open DNS resolver is a name server that provides a recursive name resolution
for non local clients or users. Basically it’s a name server that provides recursive
replies for every system on the internet. Local users or “authorized” clients are
users on networks that you control and/or that you trust. Recursive replies are
the result of following the chain of delegations found in DNS, ending up at the
domain name that was requested by the original user.

Open DNS resolvers are frequently being abused to conduct efficient DDoS attacks towards
websites, infrastructure and services. In a DNS amplification DDoS attack, the attacker
sends a DNS name lookup request to an open DNS resolver with the source address
spoofed to be the victim’s address.

When the DNS server sends the DNS record response, it is sent
to the victim (the source address that was used in the spoofed request). Because the size
of the response is typically considerably larger than the request, the attacker is able to
amplify the volume of traffic directed at the victim. Dont think it would affect just the
victim. Essentially this means that your equipment is taking part in a botnet leveraging
a DDoS attack towards other systems, potentially causing disruption of services and harm.

If your systems take part in such a DDoS attack then your own network, server and services
infrastructure too can easily become congested.

To get around this issue, configure your DNS server to either disable recursion or
allow recursion from trusted set of IPs.

recursion can be disabled by adding the following line to your /etc/named.conf file :

options {

recursion no;

};

You can allow recursion from a trusted set of IPs by giving the following

options {

allow-recursion { 127.0.0.1; IP1; IP2; }; //include your server IPs and
your provider’s nameserver IPs and whichever IPs you feel can be trusted
.
};

Suppose you have a DNS server and you have configured your named as

allow-recursion { IP1;IP2; } ;

Try the following from the machine with IP1,

#nslookup google.com x.x.x.x ( x.x.x.x is the DNS server IP )

The result would be :

———–

(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET

…..

———–

Suppose you made the same query from an IP which is not
defined in allow-recursion, then you get the following

———-

Server: x.x.x.x
Address: x.x.x.x#53

** server can’t find google.com: REFUSED

———-

So, consider about tweaking your DNS server, if its an Open resolver !