Interesting, not unexpected.

Posted Feb 12, 2008 11:07 UTC (Tue) by niner (subscriber, #26151)
In reply to: Interesting, not unexpected. by jwb
Parent article: DNS Inventor Warns of Next Big Threat (Dark Reading)

If I may ask naively: what is the problem with open, recursive resolvers?



Interesting, not unexpected.

Posted Feb 12, 2008 11:56 UTC (Tue) by job (subscriber, #670) [Link]

I believe the idea is that open resolvers can be utilized as traffic boosters in a DoS
situation, think spoofed source address and the fact that replies are much larger than
queries.

I am guilty of this myself but remain unconvinced so far that this attack is actually used in
practice. Over the last five years I have never seen a DNS reply flood, and even if this
becomes a problem traffic limiting may even be more effective. I find it important to keep the
net as open as possible as this is what kept it functioning over the years.

This of course is a separate problem from poisoning DNS caches. The easiest way to completely
avoid those attacks is to separate the resolver and the authoritative DNS in two separate
entities. This is considered best practice by now and something every administrator should do.
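The "traffic booster" effect job describes, as an added example that is not part of the thread (no poster's code): it builds a DNS query and a matching reply in RFC 1035 wire format with Python's standard library and measures the size ratio. The zone name, record contents and transaction ID are constructed for illustration; real servers also compress names, so the byte counts are an upper bound for these records.

```python
"""Added example, not from the LWN thread: build a DNS query and a matching
reply in RFC 1035 wire format and measure how much larger the reply is.
An open recursive resolver returns the reply to whatever source address was
in the (spoofed) query, so the ratio is the attacker's traffic multiplier."""
import struct

CLASS_IN = 1
TYPE_A, TYPE_TXT, TYPE_ANY = 1, 16, 255

def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (no label compression)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def build_query(txid, qname, qtype):
    # header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def txt_rdata(text):
    """TXT RDATA is one or more <character-string>s (length byte + up to 255 bytes)."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data

def build_reply(query, answers):
    """Echo the query's ID and question section; flags QR|RD|RA, answers appended."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def amplification(query, reply):
    return len(reply) / len(query)

def exceeds_udp_limit(message, limit=512):
    """Without EDNS0 a UDP reply over 512 bytes is truncated (TC bit), which
    caps the multiplier; a query advertising a larger EDNS buffer lifts the cap."""
    return len(message) > limit

# constructed sample: a zone with one A record and ten 255-byte TXT records,
# fetched with a single ANY query (29 bytes on the wire)
ZONE = "example.com."                     # hypothetical zone name
QUERY = build_query(0x1234, ZONE, TYPE_ANY)
ANSWERS = [rr(ZONE, TYPE_A, 3600, bytes([192, 0, 2, 1]))] + \
          [rr(ZONE, TYPE_TXT, 3600, txt_rdata("x" * 255)) for _ in range(10)]
REPLY = build_reply(QUERY, ANSWERS)

if __name__ == "__main__":
    print(len(QUERY), len(REPLY), round(amplification(QUERY, REPLY), 1))
```

The 29-byte query pulls back a 2846-byte reply, roughly a 98x multiplier, and every byte of it goes to the address the attacker wrote into the query's IP header. The rate limiting job mentions works against exactly this asymmetry: it has to be applied per source address on the reply side, since the queries themselves are tiny.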

It's not too difficult

Posted Feb 12, 2008 15:27 UTC (Tue) by mgb (subscriber, #3226) [Link]

Using something like this you can use a single primary DNS server which is authoritative for
your own zones while limiting recursion to clients on your IP addresses.

acl my-recursers {
	// clients that may use this server as a cache
	localhost;
	localnets;
	... my CIDR blocks ...
};

options {
	// only the ACL above may ask for recursion; everyone else is
	// answered from the zones this server is authoritative for
	allow-recursion {
		my-recursers;
	};
};


It is non-obvious for authoritative BIND views

Posted Feb 12, 2008 16:03 UTC (Tue) by hmh (subscriber, #3838) [Link]

Your example is not enough to properly configure an authoritative server (although it is good
enough for a recursion-only cache server, I think).

The proper configuration for an authoritative BIND server ends up requiring the use of views
if you also need it to be a recursive server for some clients, I think.

For the authoritative view, you need:

        additional-from-auth no;    // no additional data from other authoritative zones
        additional-from-cache no;   // no additional data from the cache

as well as the more obvious:
        recursion no;               // never recurse on behalf of this view's clients

Otherwise, you are still a problem for others (DoS amplifier at the very least).
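A check that covers both mgb's ACL and hmh's view-based split, as an added example (my own code, not BIND's and not from either poster): a small lint over named.conf text. It parses only the subset of BIND syntax used in the snippets above (blocks, `key value;` statements, the three comment styles) and reports a scope that recurses for `any`, a scope that recurses and is authoritative for zones while answering any client, and an authoritative (`recursion no`) scope that lacks `additional-from-auth no` / `additional-from-cache no`. The three sample configurations, the zone name and the CIDR block are constructed for illustration.

```python
"""Added example, not from the thread or from BIND: lint named.conf for the
points mgb and hmh make. Treats an absent allow-recursion as unrestricted
(conservative; the effective default depends on the BIND release)."""
import re

CHECKED = ("recursion", "allow-recursion", "additional-from-auth", "additional-from-cache")

def tokenize(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # /* ... */
    text = re.sub(r"(//|#)[^\n]*", "", text)               # // and # to end of line
    return re.findall(r'[{};]|"[^"]*"|[^\s{};]+', text)

def parse(tokens, i=0):
    """Return (statements, index). A statement is (words, body); body is a
    nested statement list for 'words { ... };' and None for 'words;'."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            body, i = parse(tokens, i + 1)      # i now points past the matching '}'
            if words:
                stmts.append((words, body))
            words = []
        elif tok == "}":
            return stmts, i + 1
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
            i += 1
        else:
            words.append(tok)
            i += 1
    return stmts, i

def scalar(stmts, key):
    """Value of 'key value;' in this scope, else None."""
    for words, body in stmts:
        if body is None and len(words) == 2 and words[0] == key:
            return words[1]
    return None

def address_list(stmts, key):
    """Elements of 'key { a; b; };' in this scope, else None."""
    for words, body in stmts:
        if body is not None and words[0] == key:
            return [" ".join(w) for w, _ in body]
    return None

def lint_scope(name, stmts, inherited):
    findings = []
    recursion = scalar(stmts, "recursion") or inherited.get("recursion") or "yes"
    allow = address_list(stmts, "allow-recursion") or inherited.get("allow-recursion")
    clients = address_list(stmts, "match-clients")
    zones = [w[1] for w, b in stmts if w[0] == "zone" and b is not None
             and scalar(b, "type") in ("master", "slave")]
    if recursion != "no":
        if allow is None or "any" in allow:
            findings.append(f"{name}: recursion for any client (open resolver)")
        if zones and (clients is None or "any" in clients):
            findings.append(f"{name}: recursive scope is also authoritative for "
                            f"{', '.join(zones)} and answers any client; split into views")
    else:
        for opt in ("additional-from-auth", "additional-from-cache"):
            if (scalar(stmts, opt) or inherited.get(opt) or "yes") != "no":
                findings.append(f"{name}: {opt} is not 'no' (still usable as an amplifier)")
    return findings

def lint(config_text):
    top, _ = parse(tokenize(config_text))
    opts_bodies = [b for w, b in top if w[0] == "options" and b is not None]
    inherited = {}                               # options{} values that views inherit
    for body in opts_bodies:
        for key in CHECKED:
            val = address_list(body, key) if key == "allow-recursion" else scalar(body, key)
            if val is not None:
                inherited[key] = val
    views = [(w[1], b) for w, b in top if w[0] == "view" and b is not None]
    if views:
        return [f for vname, body in views for f in lint_scope(f"view {vname}", body, inherited)]
    # no views: options plus top-level zones form a single scope
    single = [s for body in opts_bodies for s in body] + [(w, b) for w, b in top if w[0] == "zone"]
    return lint_scope("options", single, {})

# constructed configs (hypothetical zone and CIDR): mgb's snippet plus a zone,
# an unrestricted resolver, and the view split hmh describes
WEAK = """
acl my-recursers { localhost; localnets; 192.0.2.0/24; };
options { allow-recursion { my-recursers; }; };
zone "example.com" { type master; file "example.com.zone"; };
"""
OPEN = "options { recursion yes; allow-recursion { any; }; };"
HARDENED = """
acl my-recursers { localhost; localnets; 192.0.2.0/24; };
view "internal" {
    match-clients { my-recursers; };
    recursion yes;
    allow-recursion { my-recursers; };
    zone "example.com" { type master; file "example.com.zone"; };
};
view "external" {            // the authoritative view the public sees
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    zone "example.com" { type master; file "example.com.zone"; };
};
"""
```

Run `lint(open("/etc/named.conf").read())` on a real file and expect an empty list; the parser ignores `include` statements, so feed it the concatenated files if the configuration is split.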

Open DNS resolvers

Posted Feb 13, 2008 1:50 UTC (Wed) by gdt (subscriber, #6284) [Link]

Denial of service traffic multiplier which is particularly difficult for ISPs to counter. See my AusCERT alert AL-1999.004 which describes the problems we had dealing with the first observed attacks.

Interesting, not unexpected.

Posted Feb 18, 2008 12:03 UTC (Mon) by IkeTo (subscriber, #2122) [Link]

> what is the problem with open, recursive resolvers?

As far as I can understand, open recursive resolvers, or "open recursive name servers", are
DNS servers that are incorrectly configured to answer DNS requests recursively for the public.
(Normally there are two types of DNS servers: authoritative ones, which answer queries using
their own information to the public and never initiate queries themselves, and caching (or
recursive) ones, which answer queries from only a limited (read: trusted) set of computers and
will "recurse", i.e., initiate queries to find answers to queries that they don't know how to
answer themselves.)

The two properties that don't mix are (1) public and (2) initiate requests to get others'
information.  With both of them, an intruder can make a request to that open recursive
resolver, hoping that it will not know the answer right away and thus would initiate a
request, and fake a reply to that anticipated request.  (The DNS mechanisms to disambiguate
different replies from requests are not meant to be secure and thus not strong enough to deter
intruders.)  This causes the cache of the resolver to be "poisoned", i.e., hold information
that is faked and decided by the intruder.  E.g., from then on mail.google.com might be
pointing to their servers instead of yours.

Such incorrectly configured servers are always a problem for the users of these servers.  As
others noticed, if they instead fake entries to point to a web site, that site will suddenly
receive a huge load of traffic.  So they are a problem for those running a server.

But they can be problems for others if intruders can cause somebody to "become" a user of that
server.  E.g., if a worm somehow causes your /etc/resolv.conf to be overwritten and point to
such a misconfigured DNS server, then you become a user.  Admittedly this requires that the
intruder already has access to your computer, but this can provide an easy back-door.
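The forged-reply race IkeTo describes, as an added example that is not part of the thread (my own code): a Monte Carlo model in which the resolver tags its upstream query with a 16-bit transaction ID and accepts the first reply whose ID, port and question match, while the attacker who triggered the query floods guessed replies ahead of the genuine one. The fixed source port models older resolvers that always sent from port 53; the randomised-port variant is an added caveat (the RFC 5452 mitigation), not something the posters discuss. The query name and burst sizes are constructed.

```python
"""Added example, not from the thread: Monte Carlo model of the forged-reply
race. Nothing in the reply is authenticated; the resolver only checks that
(txid, destination port, question) match an outstanding query, so the attacker's
odds are guesses per query divided by the size of the space being guessed."""
import random

ID_SPACE = 1 << 16
PORT_RANGE = (1024, 65536)   # ephemeral ports a randomising resolver picks from
QNAME = "www.example.com."   # hypothetical name the attacker asked the resolver for

def resolver_accepts(reply, pending):
    """Reply is matched on (txid, port, qname) only."""
    return reply == pending

def run_trial(rng, forged_per_query, randomize_port):
    """One poisoning attempt; True if a forged reply is accepted.
    Worst case for the defender: the whole forged burst arrives before the
    genuine answer, so the attacker gets forged_per_query tries."""
    txid = rng.randrange(ID_SPACE)
    port = rng.randrange(*PORT_RANGE) if randomize_port else 53
    pending = (txid, port, QNAME)
    for guess in range(forged_per_query):    # sequential IDs are as good as random
        forged_port = rng.randrange(*PORT_RANGE) if randomize_port else 53  # guesses, txid is uniform
        if resolver_accepts((guess, forged_port, QNAME), pending):
            return True                      # cache now holds the attacker's RDATA
    return False                             # genuine reply wins this round

def poison_rate(forged_per_query, queries, randomize_port, seed=1):
    """Fraction of queries the attacker manages to poison."""
    rng = random.Random(seed)
    hits = sum(run_trial(rng, forged_per_query, randomize_port) for _ in range(queries))
    return hits / queries

def expected_rate(forged_per_query, randomize_port):
    """Analytic per-query success probability, for comparison with the simulation."""
    space = ID_SPACE * ((PORT_RANGE[1] - PORT_RANGE[0]) if randomize_port else 1)
    return min(1.0, forged_per_query / space)

if __name__ == "__main__":
    print("fixed port:", poison_rate(4096, 500, False), "expected", expected_rate(4096, False))
    print("random port:", poison_rate(4096, 200, True), "expected", expected_rate(4096, True))
```

With 4096 forged replies per query and a fixed port, about one query in sixteen is poisoned; the attacker simply keeps triggering fresh lookups until one lands, which is why the resolver has to be reachable by the attacker in the first place. Randomising the source port multiplies the space to guess by roughly 64k, which the simulation shows as zero hits at these burst sizes.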

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds