Guide to DNS Open Recursion Amplification Issues

Posted:  May 14th, 2018

 

The DNS (Domain Name System) translates domain names like "example.com" into their numerical IP addresses. DNS open recursion is a feature that is enabled by default in several DNS server packages.

 

An open recursive DNS service can be abused to attack other networks. This can occur when the default settings of the DNS service are not adjusted upon installation: a third party with malicious intent can use the service to amplify a Distributed Denial of Service (DDoS) attack. This can be prevented by adjusting your DNS settings.

 

How to verify if your server/device is vulnerable

 

You can test your IP addresses using the following methods (xx.xx.xx.xx is your server IP):

 

1) Using dig:

# dig +nocmd +nocomment +nostats ANY kekhost.com @xx.xx.xx.xx

 

Example of output for vulnerable servers:

 

;kekhost.com.            IN    ANY
kekhost.com.        13409    IN    A    xx.xx.xx.xx
kekhost.com.        85409    IN    NS    nsy.kekhost.com.
kekhost.com.        85409    IN    NS    nsz.kekhost.com.
kekhost.com.        85409    IN    NS    sub.domain.tld.
kekhost.com.        85409    IN    NS    sub.domain.tld.
kekhost.com.        85409    IN    NS    sub.domain.tld.
kekhost.com.        85409    IN    NS    sub.domain.tld.
[...]

 

2) Using Nmap:

# sudo nmap -Pn --script=dns-recursion -sU -p53 xx.xx.xx.xx

 

Example of output for vulnerable servers:

 

PORT   STATE SERVICE
53/udp open  domain
|_dns-recursion: Recursion appears to be enabled
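As an added example (not part of the original article), the following Python script performs the same check as the dig and Nmap commands above at the protocol level: it sends a query with the Recursion Desired bit set for a name the server is not authoritative for, reads the Recursion Available bit and RCODE from the reply, and reports how much larger the reply is than the query, which is the amplification factor an operator should worry about. The placeholder name example.com and the target IP are assumptions; after restricting recursion, the same query from an untrusted network should report "recursion refused".

```python
import random
import socket
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5

def build_query(name, qtype=1, rd=True):
    """Build a minimal DNS query for `name` (qtype 1 = A, 255 = ANY).
    rd=True sets the Recursion Desired bit, as dig does by default."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000           # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def parse_header(resp):
    """Return (txid, ra, rcode, ancount) from the 12-byte DNS header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)                  # Recursion Available bit
    rcode = flags & 0x000F
    return txid, ra, rcode, ancount

def classify(resp):
    """Map a reply to the verdict a resolver operator cares about."""
    _, ra, rcode, ancount = parse_header(resp)
    if ra and rcode == RCODE_NOERROR and ancount > 0:
        return "recursion enabled"             # open resolver if reachable from untrusted networks
    if rcode == RCODE_REFUSED:
        return "recursion refused"             # what allow-recursion { trusted; } returns to outsiders
    return "no recursive answer"

def check_resolver(ip, name="example.com", qtype=1, timeout=3.0):
    """Query `ip` for a name it is not authoritative for (placeholder: example.com);
    return (verdict, reply size / query size)."""
    txid, query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)[0] != txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return classify(resp), len(resp) / len(query)

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]))         # usage: python check_recursion.py xx.xx.xx.xx
```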

 

Resolution:

 

Depending on your needs, you can either disable or restrict the open recursion. Choose the best option for your server and your operating system (Windows or Linux) and follow the instructions below:

 

OPTION A - If the DNS recursion can be disabled:

 

*) For Microsoft Windows DNS:

 

    > Disable recursion on the DNS server: http://technet.microsoft.com/en-us/library/cc787602%28v=ws.10%29.aspx

 

    > Rename the 'root hints cache file' to prevent reference to the root zones being used for DNS amplification attacks: Open the folder %systemroot%\system32\dns and rename cache.dns to cache.dns.orig

 

    > Once these modifications are complete, you must restart the DNS service.

 

*) For Windows servers using Plesk DNS:

 

    > Log in to your Plesk Panel as admin.

 

    > On the left menu, select "Server Management > Tools & Settings" section (previously called "Server").

 

    > In the main panel, select "DNS Template Settings" (previously called "DNS Settings").

 

    > Select the DNS Recursion Tab.

 

    > Select the Deny option and click the Set button to complete the operation.

 

*) For Linux servers using Bind:

 

    > Edit the file /etc/named.conf and change the below variables in the "options{" section to secure your DNS service:

 

    version "unknown";
    allow-transfer { none; };
    allow-recursion { none; };
    allow-query-cache { none; }; // for BIND 9.4+
    recursion no;
    additional-from-cache no;

 

    > Once these modifications are complete, you must restart the DNS service.

 

OPTION B - If you must use DNS recursion to provide service to your customers, iWeb requires that you restrict the usage scope to localhost, localnets, and/or your customers' IP ranges.

 

*) For Microsoft Windows servers:

 

    > Windows servers running DNS open recursion can use the Windows firewall to limit access to the DNS service and prevent it from being exploited.

 

       DNS TCP/UDP incoming firewall settings/rules:
        *Local IP*: any
        *Remote IP - /These IPs:/*  Add all of your trusted IPs (other servers of your network).

 

    > If the server has a Windows Active Directory domain, you will have to add the source IPs that use this service.

 

*) For Windows servers using Plesk DNS: (allowing localhost and localnets)

 

    > Connect to your dedicated server.

 

    > From the Start menu, click Run, and enter the following command:

     notepad "%plesk_dir%dns\etc\named.user.conf"

 

    > Modify the file to set allow-recursion to "localnets" instead of "any".

 

    > Save and close the file. The options settings will look like:

     options {
         allow-transfer { localhost; localnets; };
         allow-recursion { localhost; localnets; };
         listen-on-v6 { none; };
         version none;
         additional-from-cache no;
     };

 

    > Restart "named" service. From the Start menu, as administrator, click Run and run "cmd", then type the following command in the command prompt:

     net stop named && net start named

 

*) For Linux servers using Bind: (allowing localhost, localnets and specific IPs)

 

    > Edit the file /etc/named.conf and change the below variables in the acl "trusted" and the "options{" sections:

 

    acl "trusted" {
        192.168.0.0/16; // change IPs as required
        64.15.128.0/19; // change IPs as required
        localhost;
        localnets;
    };

    options {
        ...
        recursion yes;
        allow-query { trusted; }; // trusted could be replaced by any only if necessary
        allow-transfer { trusted; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; }; // for BIND 9.4+
        additional-from-cache no;
        ...
    };

 

References:

 

http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2013/tr13-002-eng.aspx