Prevent DNS Server from being used for a DoS attack
Using authoritative name service, DNS servers primarily advertise to the world the various records associated with the domain they serve. Because users prefer common names and networks prefer numbers, DNS servers handle the translation between what a user types in a browser—such as go4expert.com—and the actual IP address the network understands.
The task of answering a query recursively is completely different. According to a US-CERT report, between 75 and 80 percent of all DNS servers can handle recursive requests.
Recursive DNS servers provide answers to queries for records by asking other DNS servers and returning the response to the client that made the request. Here's an example:
1. A user enters www.go4expert.com into a Web browser.

How can a recursive query become a DDoS attack? For the attack to work, the attacker needs to be in control of one DNS record.
He or she then populates the TXT field of that record with information. (The maximum size of the TXT field is approximately 4,200 bytes.) And then the fun begins. Here's how:
1. The attacker programs bots to continuously execute requests for this record against recursive DNS servers.

Multiply this by the number of bots participating in the attack, and you have a DDoS attack. If your DNS server is the target of this attack, your network grinds to a halt because none of its clients can resolve an IP address.
What's the solution? It's quite simple: Run two different DNS servers. Let the internal server handle all requests from your network (including recursive requests, for your own clients only).
On the external DNS server, disable recursion. With recursion disabled, the external DNS server won't send queries on behalf of other name servers or clients, which stops attackers from bouncing DoS attacks off your DNS server by querying for external zones.
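The split described above, written as BIND 9 named.conf fragments, is an added example and not configuration from the original post; the zone name example.com and the 192.0.2.0/24 prefix are placeholders for your own zone and internal network.

```conf
// Added example (not from the original post): BIND 9 named.conf fragments.
// Placeholders: example.com is your zone, 192.0.2.0/24 is your internal prefix.
// Each block below is a separate named.conf on a separate server.

// --- Weak (external server as found on many open resolvers): recursion is on
// and any source address may use it, so the server will fetch the attacker's
// large TXT record and send it to whatever address the query claimed to come from.
options {
    recursion yes;
    allow-query { any; };
};

// --- Corrected, external (authoritative-only) server: recursion off.
// It still answers publicly for its own zones but never queries other
// name servers on a client's behalf, so it cannot be used as a reflector.
options {
    recursion no;
    allow-query { any; };          // authoritative answers for the zone below stay public
    allow-recursion { none; };
    allow-query-cache { none; };   // no cached data to hand out either
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// --- Corrected, internal server: recursion only for your own clients.
acl internal { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
};
```

After reloading, a query for a name outside your zones sent to the external server should come back with the RA (recursion available) flag clear and no answer, while the same query from an internal client to the internal server resolves normally.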
Open DNS recursion isn't the problem—it's a symptom of the problem. IP address spoofing is the real problem, and this spoofing provides a ready venue for DDoS, spam, and other headaches.
In my opinion, IP address verification is the answer, and the tools already exist to solve that problem. I know the Internet Engineering Task Force (IETF) is looking at the issue, but it needs to stop investigating and take action.