Warning message

Log in to add comments.

Battling open resolvers

Mark J. Cox published on 2013-05-08T13:00:22+00:00, last updated 2013-05-08T13:00:22+00:00

A recent blog by ISC discussed Is Your Open DNS Resolver Part of a Criminal Conspiracy?

The problem is that open recursive DNS servers can be used by attackers to attack victims as part of distributed denial of service (DDOS) attacks. This type of attack is generally known as a DNS amplification attack. Due to the nature of the DNS protocol, a very small request can be sent as a UDP packet, and since UDP is not a stateful protocol, the sender information can be faked. The open DNS resolver will then "amplify" the request, allowing an attacker to use very little of their own bandwith to consume a great deal of the victim's bandwith.

This issue has been known for several years. In 2007, with BIND 9.4.1-P1, the default behaviour of BIND was changed to help prevent resolvers being left open by mistake. Prior to version 9.4.1-P1, the default behavior of BIND was to act as an open recursive DNS server. Version 9.4.1-P1 of BIND no longer allowed the server to act as an open resolver by default; the administrator had to explicitly enable this feature.

This change is described in detail here, https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html , specifically: 'If not explicitly set, the ACLs for "allow-query-cache" and "allow-recursion" were set to "localnets; localhost;".'

Red Hat Enterprise Linux 5 ships an older (pre 9.4.1-P1) version of BIND and therefore allows open recursion. However, by default in Red Hat Enterprise Linux 5, BIND is configured to only listen to the localhost interface (via the listen-on parameter).

It is possible that administrators may, in the course of configuring an authoritative server, change the listening interface and neglect to secure the recursion settings. We are therefore looking at improving the documentation in a default configuration file to better explain the risks of making changes without fully understanding the implications. You can view the progress of this at https://bugzilla.redhat.com/show_bug.cgi?id=952311 . If you use Red Hat Enterprise Linux 5 and have configured BIND, you should check to make sure you have disabled recursion.

Red Hat Enterprise Linux 6 (and above) ships with a version of BIND that is newer than 9.4.1-P1 and does not act as a recursive DNS server unless explicitly told to do so.


About The Author

Mark J. Cox's picture Red Hat Community Member 25 points

Mark J. Cox

Mark J Cox lives in Scotland and for 2000 to 2018 was the Senior Director of Product Security at Red Hat. Mark has developed software and worked on the security teams of popular open source projects including Apache and OpenSSL. Mark is a founding member of the Apache Software Foundation and the Ope...