Stopping Open Recursion Name Server Attacks

I received an ominous e-mail from my server host Thursday:

The DNS service(s) on your server are currently open to recursive queries from the world, leaving them vulnerable to DNS cache poisoning attacks and allowing them to be used to attack other sites. Your server was reported participating in an outbound DDoS attack through means of this vulnerability by an attacker. Please ensure that recursive lookups are DISABLED in yournameserver's configuration to prevent future abuse. If you need any assistance with this procedure, please let us know.

My name server was taking requests from any user for any domain, not just the ones it was configured to handle like cadenhead.org. When a request came in for a domain on another server, it was forwarded to another server, which could forward it further.

I didn't know that this open recursion let my server be used in a denial of service attack.

I closed the vulnerability by adding an acl section and a new allow-recursion setting inside the options section of the named.conf file:

acl internal {
  67.19.3.218/29;
};

options {
  allow-recursion {
    internal;
  };
};

The acl section refers to the machine hosting the name server, which allows programs on that machine to make recursive requests. All other clients should be blocked by this configuration.

While I was poking around, I took another blogger's suggestion to turn off zone transfers from my name server, except for one machine that functions as a backup name server:

allow-transfer {
67.19.86.58;
};

Comments

I will definately have to look into this on my servers, I can see this being a possible issue.

Good to know - Thanks

I got to do the same maybe this is it! thx for info!

thanks for code, we hat a dns-poisoning problem two weeks ago, started in the network, one day we were not able to fix the problem, next day everything works again. Now I`m afraid that problem will come up again, because we did not find the reason... Hope your Code can help us, I will forward it to my admin...

thx for posting, i once had a porblem with that DDos-attack. Now i feel more save. greetings tom sticker

Add a Comment

All comments are moderated before publication. These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).