[colug-432] DNS Amplification Attack

Rob res at colnet.cmhnet.org
Tue Apr 2 01:10:23 EDT 2013


On Tue, Apr 02, 2013 at 12:47:14AM -0400, Rick Troth wrote:
> Can someone explain to me how a DNS server is "open" to a DNS
> "amplification attack"?
> 
> If I understand the basic concept, the reply addr is bogus (and is the
> target of the attack).  What I don't understand is how I'm supposed to
> secure my DNS server from assisting the bad guys.  If my DNS server is
> supposed to answer queries for my domain, how do I ensure that it only
> handles legit queries?

If you have a DNS server that supports domains you control, of course
the server must respond to an inquiry from anyone for those zones.
However, you should limit "recursion" -- allowing the server to do 3rd-party
lookups -- to only machines and networks you are affiliated with.
Example:  My servers serve my own (cboh.org) domain and several others.
If you were to ask for information about cboh.org, they would deliver it.
However, if you were to ask my servers for information about the domain
"colug.net", they'd deny your request, saying they don't allow recursion.
You should be asking your own servers for this information, not mine.

How do you achieve this?  Well, for bind, you use 

	options { allow-query { ... }; };

where you replace the "..." with the list of addresses that you will
allow to request anything.  Then, in the zone directives for the zones
for which you are primary, you override this with an "allow-query { any; };"
to open these up for everyone's use.

If you don't lock down your DNS servers in this manner, not only can
people use your server as a spring-board to attack a 3rd party site,
but it also opens the door to other potential DNS exploits.  It is
roughly analogous to running an open-relay MTA.

I'm no expert on bind, but if you have specific questions, feel free to
contact me off-list and I'll try to help.

Rob
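The configuration Rob describes, written out as a BIND 9 named.conf fragment. This is an added example, not part of the original message or of Rob's own servers: the "trusted" ACL, the 192.0.2.0/24 network, the directory path and the zone name example.org are placeholders to be replaced with your own values. Beyond the `allow-query` directive named in the message, it uses `allow-recursion`, `allow-query-cache` and `rate-limit`, which are the directives BIND provides for limiting recursion and cache access separately from plain authoritative answers.

```conf
// Added example (not from the original message): hardened BIND 9 named.conf
// fragment. 192.0.2.0/24, example.org and /var/named are assumed placeholders.

// Weak setting, shown only for contrast. With recursion open to "any", a
// query carrying a spoofed source address gets a large answer sent to the
// spoofed (victim) address, which is the amplification being discussed.
//
// options {
//     recursion yes;
//     allow-query { any; };
// };

// Hardened setting: third-party lookups only for networks you are
// affiliated with; everyone else gets REFUSED.
acl "trusted" {
    127.0.0.1;          // the server itself
    192.0.2.0/24;       // assumed placeholder for your own network
};

options {
    directory "/var/named";          // assumed placeholder
    recursion yes;
    // Only trusted clients may ask the server to resolve names it is
    // not authoritative for.
    allow-recursion { "trusted"; };
    // Default answer policy; the authoritative zone below overrides it.
    allow-query { "trusted"; };
    // Don't serve cached answers to strangers either.
    allow-query-cache { "trusted"; };
    // Response rate limiting as an extra brake on any remaining abuse.
    rate-limit { responses-per-second 10; };
};

// Zone you are primary for: the whole Internet may query it, but the
// server still will not recurse on behalf of outside clients.
zone "example.org" {
    type master;
    file "example.org.zone";         // assumed placeholder
    allow-query { any; };
};
```

After `rndc reload`, a query from outside the "trusted" ACL for a name in example.org should be answered normally, while a query from the same client for a name in some other domain should come back with `status: REFUSED` and without the `ra` (recursion available) flag set; that pair of checks is the quickest way to confirm the server is closed to third parties while still serving its own zones.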

