Please note: If you are advised you are running an open DNS resolver you must take action as your VPS is most likely being used in attacks against other networks. Please read below for an explanation and instructions on resolving the problem.
An “open DNS resolver” is a DNS server that’s willing to resolve recursive DNS lookups for anyone on the internet. It’s much like an open SMTP relay, in that the simple lack of authentication allows malicious third parties to propagate their payloads using your unsecured equipment. With open SMTP relays, the problem is that they forward spam. With open DNS resolvers, the problem is that they enable a denial of service attack known as a DNS Amplification Attack.
The way this attack works is pretty simple – because your server will resolve recursive DNS queries from anyone, an attacker can cause it to participate in a DDoS by sending your server a recursive DNS query whose answer is much larger than the original request packet. By spoofing (faking) their source IP address, they direct this extra traffic to their victims’ computers instead of their own, and of course they make as many requests as fast as they can to your server and to any other open DNS resolvers they can find. In this manner, someone with a relatively small pipe can “amplify” a denial of service attack by using all the bandwidth on their pipe to direct a much larger volume of traffic at their victims.
ArsTechnica did a decent article on the recent DNS Amplification DDoS attack against Spamhaus, and is worth a quick read to get the basics (and a good visual of the amplification).
The simplest way to protect your system from being abused like this is to limit the addresses your server will perform recursive lookups for to your local subnets. (The specifics of which depend on which DNS server you’re using, of course).
BIND
For example, if I were using BIND 9, and wanted to simply prevent DNS recursion from outside addresses, I would use the following code in my config:
options {
    directory "/var/named/master";
    // Answer recursive queries only for loopback and the three RFC 1918 private ranges
    allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
};
That allow-recursion line tells my BIND server to process recursive DNS requests only for the local loopback address (which I guess I could/should widen to the whole 127.0.0.0/8 loopback block) and the three private IPv4 address ranges.
Windows Server 2012
1. BLOCK EXTERNAL DNS REQUESTS WITH A FIREWALL, SUCH AS THE BUILT-IN WINDOWS FIREWALL (USE THIS METHOD IF YOU ARE RUNNING A DOMAIN CONTROLLER AND ARE NOT USING THE DNS SERVER AS AN ACTUAL NAME SERVER FOR PUBLIC DOMAINS)
To my surprise, Windows DNS does not let you restrict the addresses for which recursive DNS requests are honored, so this is actually the method Microsoft recommends.
- Select the DNS (TCP Incoming) rule, go to the Remote IP address section and add only:
- 127.0.0.1
- Any public IP addresses assigned to your VPS e.g. 203.143.X.X
- Any internal IP addresses assigned to your VPS (if you are using an internal network) e.g. 10.1.X.X
- Now go to the DNS (UDP Incoming) rule and do the same.
2. DISABLE RECURSION (USE THIS METHOD IF YOUR DNS SERVER IS USED AS A NAME SERVER FOR A PUBLIC DOMAIN)
Disabling recursion is the right choice when your DNS server is a public-facing DNS server that only provides DNS information for zones it actually hosts (is authoritative for). If your system is a Domain Controller, you must make sure its network settings specify another DNS server besides 127.0.0.1, or it will not be able to resolve any other domains; alternatively, use option 1 above. If your server is NOT a domain controller, this is the easiest option, as it prevents your DNS server from providing any information other than about the zones it hosts.
- Open DNS Manager.
- In the console tree, right-click the applicable DNS server, then click Properties.
- Click the Advanced tab.
- In Server options, select the Disable recursion check box, and then click OK.
Since we have a multi-forest environment and use conditional forwarders to make that work, I’m not going to check that box. Might be something for you to consider as well.
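Whichever method you applied (the BIND allow-recursion ACL or either Windows option), the result should be verified from a host outside the permitted networks, since a test from the server itself arrives from loopback and is allowed. The following is an added example, not part of the original article: it builds one recursive query for a name your server does not host and classifies the reply header, so the server address passed on the command line and the sample replies used for offline runs are assumptions.

```python
"""Check whether a DNS server you operate still answers recursive queries.

Builds a minimal DNS query with the RD (recursion desired) bit set for a
name the server is not authoritative for, then inspects the reply header:
a locked-down server returns REFUSED (or no answer records), an open
resolver returns NOERROR with the RA bit set and answer records present.
"""
import socket
import struct
import sys


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query: flags 0x0100 (RD=1), one A/IN question for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def classify_reply(reply: bytes) -> str:
    """Map the 12-byte reply header to 'open', 'refused' or 'no-recursion'."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    ra = bool(flags & 0x0080)      # RA: server is willing to recurse for us
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"           # query rejected outright (BIND ACL deny)
    if rcode == 0 and ra and an > 0:
        return "open"              # recursion performed: still an open resolver
    return "no-recursion"          # RA clear, SERVFAIL or empty answer section


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP/53 query to a server you control and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"      # dropped by a firewall rule (Windows option 1)
    return classify_reply(reply)


# Constructed sample reply headers (not captured from a real server) for offline use.
OPEN_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED, no answer

if __name__ == "__main__":
    # Usage: python check_resolver.py <address-of-your-own-dns-server>
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_reply(REFUSED_REPLY))
```

Run it from a machine outside the subnets you allowed; "refused", "no-recursion" or "no-reply" means the fix took effect, while "open" means the server is still recursing for strangers.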