
The Internet is a dangerous place. Exploits are constantly being identified (are you keeping your services updated?), and one of them has prompted operators around the world to close their nameservers. The security concern I'm referring to has been around for quite some time, yet it continues to be a problem. We get a ticket maybe once a week or so regarding open DNS servers, so I figured I'd break it down for everyone.
What's an open DNS server? Glad you asked. It's simple, really. Most nameservers host the DNS records for a few domains. These nameservers are authoritative for those domains, and should respond to DNS lookups for those domains. However, if a nameserver receives a request for some other domain (one for which the nameserver is not authoritative), then it will forward the request on to the authoritative nameserver, and pass along the answer when the response comes back. This behaviour is referred to as a recursive lookup, and this is what we're trying to prevent. Servers that will perform recursive queries for anyone who asks are open DNS servers.
The attack:
Why are open DNS servers bad? Open DNS servers are the primary ingredient in a DDoS (Distributed Denial of Service) attack referred to as DNS amplification. The attack, like most DDoS attacks, is a complicated mess of servers all working together toward the ultimate demise of an unfortunate third party. Basically, the attacker(s) craft a DNS request and send it off to any number of open DNS servers. The meat of the attack is in how this request is made. In fact, the request itself is so important that it merits its own paragraph.
One thing to understand about DNS responses is that they actually contain the original request. This means that if the attacker spoofs the source IP and puts a bunch of garbage in the request, he can ultimately get the open DNS servers to send an arbitrary amount of junk to any given server. That's basically how the attack works. The request is modified so it looks like it came from an arbitrary server (the target). Also, a bunch of useless junk is added to the request, just to make it large. The request is then sent to open DNS servers, which proceed to answer the request and respond to the target, because it looks like the target made the request. At that point all the open DNS servers start bombing the target with these large responses, which end up getting fragmented, and the attack manifests itself as a full-blown DDoS.
The defense:
The interesting thing about this vulnerability is that it doesn't necessarily harm the servers that are vulnerable. The open DNS servers themselves are just tools used to attack a third party. Still, I encourage everyone to close their nameservers. Do unto others, no? So how do you know if your nameserver is vulnerable? The easiest way is probably to run a test on dnsreport.com. Dnsreport also provides a quick-reference sheet for closing your nameservers. The guide is a little vague, but it contains most of the info you need. Naturally, if any FastServers customers have questions, all of the techs are happy to provide assistance.
There's one caveat that I've glossed over. If every nameserver worldwide is refusing to perform recursive queries, then how will you ever resolve arbitrary domains? For example, if you want to resolve google.com without performing a recursive query, won't you have to ask the authoritative nameserver for the domain google.com? The same goes for yahoo.com, fastservers.net, starwars.com, etc. The solution to this problem is to allow recursive queries, but only for particular subnets. Your ISP probably gave you a list of DNS servers to use as resolvers for your PC. These resolvers are nameservers that will perform recursive queries for your IP, and any other IP in that ISP's subnet. FastServers provides a similar service for all the servers on our IP ranges. Our caching nameservers will perform recursive queries for your servers, but will refuse the service to the rest of the world. If/When you're closing your own nameservers, you may need to make this modification for your own IP(s). That having been said, you're probably not using your server as a resolver, so chances are you won't need to worry about that.
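Since the dnsreport guide is vague about the actual configuration, here is what "closing" a nameserver and "allowing recursion only for particular subnets" look like in practice. This is an added example, not the original post's or FastServers' own configuration, and it assumes a BIND 9 server (the post does not name a DNS implementation); `192.0.2.0/24` is a placeholder for your own IP range and `example.com` is a placeholder zone. Each of the three fragments below is a stand-alone named.conf variant, so only one of them belongs in a given file.

```conf
// --- Variant 1: the open resolver (the weak setting) ---
// Recursion is on and nothing restricts who may use it, so anyone on the
// Internet can make this server look up arbitrary names on their behalf.
// Older BIND versions behaved this way by default.
options {
    directory "/var/named";
    recursion yes;
};

// --- Variant 2: authoritative-only server (closed) ---
// Recursion is refused for everyone. Queries for the zones this server
// hosts still get answered, because they are served from local zone data
// rather than by recursing, so being authoritative does not need recursion.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };          // anyone may ask about zones we host
};

zone "example.com" {               // placeholder zone
    type master;
    file "example.com.zone";
};

// --- Variant 3: caching resolver for your own subnet (the ISP model) ---
// Recursion stays on, but only the listed networks may use it. The rest of
// the world gets REFUSED, so this server cannot be used as an amplifier
// against a third party.
acl "trusted" {
    127.0.0.1;                     // the server itself
    192.0.2.0/24;                  // placeholder: your own IP range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };  // who may ask us to recurse
    allow-query-cache { trusted; }; // BIND 9.4+: also gate answers served from cache
    allow-query { any; };          // authoritative answers remain public
};
```

After reloading named, you can confirm the result yourself with dig: ask the server for a name it is not authoritative for, e.g. `dig @your.nameserver.example google.com`, and expect `status: REFUSED` from an address outside the trusted ACL, while a host inside the ACL still receives an answer. Variant 3 is the one you only need if the machine really is used as a resolver by your own hosts; for a plain authoritative server, Variant 2 is sufficient.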
Summary:
People as a whole are largely unaware of the problem with open DNS servers. To see if your server is vulnerable, run a test on dnsreport.com. If your nameserver is open, close it using the information on dnsreport, or talk to your favourite tech (or whoever's working). When closing your nameservers, you may have to specifically allow recursive queries from particular subnets. As always, the techs are here to help.