Tag Archives: open resolvers in DNS

Open DNS resolvers and patching them !

Before getting to know what is an open resolver, you need to know what is recursion, ie recursive queries !

Suppose you have a DNS server configured and a local machine which uses your DNS server queries for a website. Imagine this query is a new one and its not in the local cache of the machine which made the request. Once this request reaches your DNS server, it will attempt to find the website in question in its local cache. If it cannot find an answer it will query other DNS servers on your behalf until it finds the address. It will then respond to the original request with the results from each server’s query. This scenario is fine, because the local machine which made the initial request is trusted by you. What if another machine which isn’t trusted by you, queries your DNS server for the same ? Then your DNS is an Open resolver.

An open DNS resolver is a name server that provides a recursive name resolution for non local clients or users. Basically it’s a name server that provides recursive replies for every system on the internet. Local users or “authorized” clients are users on networks that you control and/or that you trust. Recursive replies are the result of following the chain of delegations found in DNS, ending up at the domain name that was requested by the original user.

Open DNS resolvers are frequently being abused to conduct efficient DDoS attacks towards websites, infrastructure and services. In a DNS amplification DDoS attack, the attacker sends a DNS name lookup request to an open DNS resolver with the source address spoofed to be the victim’s address.

When the DNS server sends the DNS record response, it is sent
to the victim (the source address that was used in the spoofed request). Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Dont think it would affect just the victim. Essentially this means that your equipment is taking part in a botnet leveraging a DDoS attack towards other systems, potentially causing disruption of services and harm.

If your systems take part in such a DDoS attack then your own network, server and services infrastructure too can easily become congested.

To get around this issue, configure your DNS server to either disable recursion or allow recursion from trusted set of IPs.

For named, recursion can be disabled by adding the following line to your /etc/named.conf file :

options {

recursion no;

};

You can allow recursion from a trusted set of IPs by giving the following

options {

allow-recursion { 127.0.0.1; IP1; IP2; }; //include your server IPs and
your provider’s nameserver IPs and whichever IPs you feel can be trusted.
};

Suppose you have a DNS server and you have configured your named as :

allow-recursion { IP1;IP2; } ;

Try the following from the machine with IP1,

# nslookup google.com x.x.x.x ( x.x.x.x is the DNS server IP )

The result would be :

……………………

(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET

……………………

Suppose you made the same query from an IP which is not defined in allow-recursion, then you get the following :

Server: x.x.x.x                                                                                 Address: x.x.x.x#53

** server can’t find google.com: REFUSED

So consider about tweaking your DNS server, if its an Open resolver.