« Are you Monitoring Your DNS? | Main | Avoid Risks: Manage your DNS Portfolio »

Monday, 06 January 2014

Harden your resolvers: protect your recursive DNS for you and for everyone else

The era of DDoS attacks will no doubt continue in 2014, yet operating recursive resolvers -- the name servers that process or resolve DNS queries on behalf of client devices or applications -- in a secure and reliable manner remains a critical yet commonly neglected administrative practice.

What is recursive DNS? It’s a process where a resolver asks other name servers for help in answering a query. This process begins when, for example, a user enters http://www.example.com into the address bar of her browser. A stub resolver operating on the user’s device will ask a recursive resolver for the IP address of the web page www.example.com. If the recursive resolver doesn’t know the answer, it asks a root name server for help. (Note that local or hints information provides root name server addresses to bootstrap this process.)

The root name server won’t know www.example.com but will helpfully refer the recursive resolver to a COM name server for help, and in this response the root name server will provide information about COM name servers. The stub resolver next asks a COM name server to help resolve www.example.com. Again, COM name servers won’t know www.example.com but will again helpfully refer the recursive resolver to a authoritative name servers for example.com. These name server hosts zone data for the example domain.

The recursive resolver now asks an example.com name server to resolve www.example.com and its patience is rewarded with a positive response containing the IP address of the web server. To reduce over-frequent recursion of commonly resolved names (e.g., google.com), administrators may configure recursive resolvers to keep a copy of positive responses in a local cache (for the time to live or TTL of the record).

From the above description, it's pretty clear how important recursive resolvers are in the name resolution process. Attackers routinely abuse or attack this iterative process for malicious or criminal purposes, so operators of recursive resolvers should configure and monitor against several classes of attacks:

Attacks that target you. Cache poisoning attacks take advantage of vulnerable name server configurations or implementation flaws to inject false information into your recursive resolver’s cache. Such attacks threaten anyone who uses your recursive resolver. Attackers may also target your resolver to disrupt name resolution by exhausting name server resources (CPU, memory, sockets). It is possible to configure or implement workarounds to mitigate these attacks (see adding entropy to request messages, data injection via additional sectionweak transaction IDs, andKaminsky) but DNSSEC is the most effective means to prevent cache-poisoning attacks.

Attacks that target others. Attackers scan for and exploit open recursive resolvers and use these in reflection or amplification DDoS attacks. Such attacks threaten anyone targeted by an attacker. If you don’t exercise care in managing or monitoring your recursive resolvers, your organization may be an unwitting party to a criminal act.

Is your resolver open for attack? You can test whether any recursive resolver in your IP block is open or not at the Open Resolver Project, or you can run an NMAP script to do so. The Open Resolver Project also maintains a list of known open resolvers: this is probably not a list where you’d want any of your servers to appear.

Run recursive resolvers responsibly

Both US-CERT and CERT-BE are outstanding resources to learn how to run recursive resolvers responsibly. For example, you can use IP address-based authorization and the inbound interface (where queries arrive) to limit recursion to authorized clients (BCP 140), apply response rate limiting (DNS RRL), and use traffic filters to prevent source IP spoofing (BCP 38) on your networks. For mobile clients, BCP 140 recommends that you have clients connect to your network using a VPN, where they can use your recursive resolver. BCP 140 also suggests that you might run a local caching recursive resolver on mobile devices.

You can use the resources I’ve mentioned to ensure that you are running recursive resolvers responsibly, and that you’ve protected your infrastructure from cache poisoning and resource depletion attacks. As part of routine monitoring and network hygiene, you should also:

  • Verify that you have disabled open recursion on your authoritative name servers.

  • Verify that traffic with source addresses from private IP address space or from address blocks that are not allocated to you cannot exit your network.

  • Use event logs or real-time activity monitoring to confirm that your recursive resolvers are responding only to authorized users or applications, or observing or detecting suspicious query traffic (e.g. requests from unauthorized address space or requests that would cause your resolver to return atypical -- and large-- responses or unusual query, CPU, or memory consumption).

  • Run configuration checks on production recursive resolvers. REN-ISAC suggests using DNSCheckDNSHealth at Pingdom runs similar tests.

Add these to your administrative routine and you will not only provide the best service to your users or customers, but you’ll prevent attackers from using your recursive resolvers to harm others.

 

This is the second post of a three part series on DNS and domain registration risk and protection:

Part I: Are you monitoring your DNS?

Part II: Harden your resolvers: protect your recursive DNS for you and for everyone else

Part III: Avoid Risks: Manage your DNS Portfolio

Originally posted 8/26/2013 at 21st Century IT under Don't Leave Resolvers Open to DDoS Attack.

Related articles
Emergence of DDoS as a Service (DDoSAAS)
Protecting the world from Your network
Domain Internet Groper: Using dig to access DNS zone data

Posted at 07:00 AM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...

Search

My Photo

Categories