Battling open resolvers
A recent blog post by ISC, "Is Your Open DNS Resolver Part of a Criminal Conspiracy?", discussed the problem of open resolvers.
The problem is that open recursive DNS servers can be used by attackers to attack third-party victims as part of distributed denial of service (DDoS) attacks. This type of attack is generally known as a DNS amplification attack. Due to the nature of the DNS protocol, a very small request can be sent as a single UDP packet, and since UDP has no handshake, the source address of that packet can be forged to be the victim's address. The open DNS resolver then "amplifies" the request by sending a much larger response to the forged source, allowing an attacker to use very little of their own bandwidth to consume a great deal of the victim's bandwidth.
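To make the mechanics concrete, here is an added example (not code from the ISC post or from Red Hat) that builds the kind of query an amplification attacker sends, and classifies a response as coming from an open resolver or not while computing the amplification factor. Both responses are constructed in the script rather than captured from a real server; the record sizes and counts are assumptions chosen only to illustrate the size ratio.

```python
import struct

# Record types and response codes used below (RFC 1035 / RFC 6891 values).
TYPE_TXT, TYPE_OPT, TYPE_ANY = 16, 41, 255
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Encode a dotted name as DNS labels: "example.com" -> b"\\x07example\\x03com\\x00"."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_question(name, qtype):
    return encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def build_query(name, qtype=TYPE_ANY, txid=0x1234, edns_size=4096):
    """A recursion-desired query carrying an EDNS0 OPT record that advertises a
    large UDP payload size. This is the shape of an amplification query: tiny on
    the wire, sent with the victim's address as the spoofed UDP source."""
    flags = 0x0100  # RD (recursion desired) set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    # OPT pseudo-RR: root name, type 41, the class field carries the payload size,
    # TTL 0, no rdata -> 11 bytes in total.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + build_question(name, qtype) + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),   # this is a response
            "ra": bool(flags & 0x0080),   # server offers recursion
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, response):
    """Return (is_open_resolver, amplification_factor) for one exchange.
    A server that answers a query for a zone it is not authoritative for,
    with RA set and NOERROR, is recursing for whoever asked."""
    h = parse_header(response)
    is_open = h["qr"] and h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0
    return is_open, len(response) / len(query)


# --- constructed sample responses (not captured traffic) ---

def fake_response(query, ra, rcode, txt_records=()):
    """Build a response to a query produced by build_query (one question plus OPT)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]  # strip the 12-byte header and the 11-byte OPT record
    flags = 0x8100 | (0x0080 if ra else 0) | rcode  # QR, RD echoed, RA if offered, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_records), 0, 0)
    body = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt  # TXT rdata: a single <character-string>
        # name as a compression pointer to offset 12 (the question name), then
        # type, class, TTL, rdlength, rdata
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + body


QUERY = build_query("example.com")                 # 40 bytes on the wire
# Open resolver: answers with ten padded TXT records (assumed sizes).
OPEN = fake_response(QUERY, ra=True, rcode=RCODE_NOERROR, txt_records=[b"x" * 199] * 10)
# Server with recursion disabled: REFUSED, RA clear, no answer section.
REFUSED = fake_response(QUERY, ra=False, rcode=RCODE_REFUSED)

if __name__ == "__main__":
    for label, resp in (("open resolver", OPEN), ("recursion disabled", REFUSED)):
        is_open, factor = classify(QUERY, resp)
        print(f"{label}: open={is_open} query={len(QUERY)}B "
              f"response={len(resp)}B amplification={factor:.1f}x")
```

The open-resolver case turns a 40-byte request into a response over fifty times larger, all of it delivered to the spoofed source; the REFUSED case is smaller than the request, so a server that does not recurse for strangers gives an attacker nothing to work with.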
This issue has been known for several years. In 2007, with BIND 9.4.1-P1, the default behavior of BIND was changed to help prevent resolvers from being left open by mistake. Prior to version 9.4.1-P1, the default behavior of BIND was to act as an open recursive DNS server. Version 9.4.1-P1 of BIND no longer allowed the server to act as an open resolver by default; the administrator had to explicitly enable this feature.
This change is described in detail here, https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html , specifically: 'If not explicitly set, the ACLs for "allow-query-cache" and "allow-recursion" were set to "localnets; localhost;".'
Red Hat Enterprise Linux 5 ships an older (pre-9.4.1-P1) version of BIND and therefore permits recursion from any client by default. However, by default in Red Hat Enterprise Linux 5, BIND is configured to only listen on the localhost interface (via the listen-on parameter), so the open recursion is not reachable from the network.
It is possible that administrators may, in the course of configuring an authoritative server, change the listening interface and neglect to secure the recursion settings. We are therefore looking at improving the documentation in the default configuration file to better explain the risks of making changes without fully understanding the implications. You can view the progress of this at https://bugzilla.redhat.com/show_bug.cgi?id=952311 . If you use Red Hat Enterprise Linux 5 and have configured BIND, you should check to make sure you have disabled recursion, or restricted it to your own clients with allow-recursion.
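The following named.conf fragments are an added illustration of that mistake and of the corrected configuration; they are not the Red Hat default file or anything attached to the bug above. The zone name, file name and the 192.0.2.0/24 client range are assumptions for the example.

```conf
// --- Weak: an authoritative server on a pre-9.4.1-P1 BIND (e.g. RHEL 5) ---
// The admin changed listen-on so the zone is reachable from the Internet, but
// left recursion at its default. On this BIND version that default is to
// recurse for any client, so the box is now an open resolver.
options {
    directory "/var/named";
    listen-on port 53 { any; };        // was { 127.0.0.1; } in the shipped default
    // recursion / allow-recursion not set: defaults to open recursion
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
};

// --- Corrected: serve the zone, do not recurse for strangers ---
// Assumed local client range; adjust or drop if the server is purely authoritative.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };

options {
    directory "/var/named";
    listen-on port 53 { any; };
    recursion no;                      // authoritative-only: refuse all recursion
    // If this host must also recurse for the LAN, use instead of "recursion no;":
    //   recursion yes;
    //   allow-recursion { "trusted"; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

To verify from a host outside the trusted range, query the server for a name it is not authoritative for, e.g. `dig @ns.example.com www.isc.org`: a server that is not an open resolver returns status REFUSED (or no answer) and does not set the `ra` flag, while an open resolver returns the answer with `ra` in the flags.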
Red Hat Enterprise Linux 6 (and above) ships with a version of BIND that is newer than 9.4.1-P1 and does not act as a recursive DNS server unless explicitly told to do so.