open recursive DNS server

Associate · Joined: 18 Oct 2002 · Posts: 344
Hi,

I have just received an email from Zen Abuse saying that I have an "open recursive DNS server" running and it may be able to contribute to a DDOS attack.

Within the network we do run BIND, but only for DNS caching services - no DNS records are hosted and it's not accessible from outside the network. BIND also has custom zones so that www.mydomain.com redirects to 192.168.2.x rather than an external IP.

BIND has the Zen DNS servers as forwarders. Our router blocks any incoming requests, so it's not like anyone can use our internal BIND server if they're not within the network.

As far as I can see it's not actually a risk, am I right? Is there anything I can do to stop it being an open recursive DNS server?

Thanks
 
If your DNS server is only available to hosts within your network then you're OK. I would be double-checking that though, as Zen seem to think that they could use your DNS server to do queries.

Assuming that your DNS server is available on the internet, then you can control who can do recursive lookups in named.conf with:
Code:
        allow-recursion { 192.168.0.0/24; };

That'll only allow recursive queries from 192.168.0.0/24. It will still allow queries of any authoritative domains from any IP address. So if someone used your DNS server and looked up www.yourdomain.com, they would get a 192.168.2.x response. That can be controlled in named.conf with:
Code:
        allow-query { 192.168.2.0/24; };
 
OK, thanks for that. So at the moment in my named.conf.local I have:
Code:
        // Only the internal LAN and the loopback may send queries at all;
        // BIND accepts these abbreviated IPv4 prefixes in ACL lists.
        allow-query {
                192.168.2/24;   // 192.168.2.0 - 192.168.2.255
                127/8;          // localhost
        };

This should allow only internal clients to query it? (192.168.2.0 - 192.168.2.255, and localhost.)

Where should the "allow recursion" part go? Also, are there any websites which will check it for me (if I give the IP it checks for security)?
Thanks
 
c00kie said:
This should allow only internal clients to query it? (192.168.2.0 - 192.168.2.255, and localhost.)

Spot on.

Where should the "allow recursion" part go? Also, are there any websites which will check it for me (if I give the IP it checks for security)?
Thanks

Anywhere before you define your zones.

As for websites, I don't know of any. You could always give the external IP address of your server to someone and ask them to see if it will resolve queries for them, but looking at your allow-query statement it won't.
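As an added example (not code from anyone in this thread), here is the check described above written out: a small Python probe that does what the Zen scanner or a friend running nslookup from outside your LAN does, namely send one recursive A query for an external name to your router's public IP and read the RA flag, RCODE and answer count of the reply. It uses only the standard library; `www.example.com` is a constructed probe name and `probe()` is meant to be run against your own external address from a host outside the network.

```python
import secrets
import socket
import struct

# Added example: sends one recursive A query for a name the caching server is
# not authoritative for (constructed probe name) and reads the reply header.


def dns_header(txid, flags, ancount=0):
    """12-byte DNS header with one question; also builds replies for testing."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def build_query(name, txid):
    """Standard query with the RD (recursion desired) bit set: flags 0x0100."""
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return dns_header(txid, 0x0100) + qname + struct.pack("!HH", 1, 1)  # A, IN


def classify_response(resp, txid):
    """Decide from the header whether the server recursed on our behalf."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "id-mismatch"
    ra = bool(flags & 0x0080)   # RA bit: recursion available
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"        # allow-query / allow-recursion rejected us: good
    if ra and rcode == 0 and an > 0:
        return "open-recursive" # resolved an outside name for us: Zen's finding
    if not ra:
        return "recursion-unavailable"
    return "rcode-%d" % rcode


def probe(server_ip, name="www.example.com", timeout=3.0):
    """Send one UDP query to server_ip:53 from outside the LAN and classify it."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"  # router dropping inbound port 53: also fine
    return classify_response(data, txid)
```

"refused" or "no-response" is what a correctly restricted caching server (or a router that filters port 53) should produce; "open-recursive" is the condition the Zen email is about.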
 
I received the same Zen message yesterday. I don't knowingly have a DNS server running on the one or two PC devices routinely on my LAN, my ADSL router is on full security settings and antivirus etc. software is also running.

I wonder if there is a teething problem with whatever utility Zen are using to check, or do I have an unknown vulnerability.

Any suggestions for further checks I could make?
 
errata said:
I received the same Zen message yesterday. I don't knowingly have a DNS server running on the one or two PC devices routinely on my LAN, my ADSL router is on full security settings and antivirus etc. software is also running.

I wonder if there is a teething problem with whatever utility Zen are using to check, or do I have an unknown vulnerability.

Any suggestions for further checks I could make?

Ah, interesting, that'd make sense seeing as I have been running my current setup for 6 months with no problem.
 
Some folks seem to be getting them from router DNS proxies, as a result of screwups with firmware and dodgy configuration.
There's a thread on ADSLguide about it.

For what (little) it's worth, I haven't had one, and am running both caching and secondary DNS services.
 
tolien said:
Some folks seem to be getting them from router DNS proxies, as a result of screwups with firmware and dodgy configuration.
There's a thread on ADSLguide about it.

For what (little) it's worth, I haven't had one, and am running both caching and secondary DNS services.

Ah, thanks.
ADSLG user said:
Zyxel Prestige 661H

Same router here, hopefully a firmware upgrade will fix it.

-- For anyone else with this problem, see http://www.dslreports.com/forum/remark,15793362
I just followed it and now it's fixed according to http://security.zensupport.co.uk/recdns/
 
If you don't have a DNS server it is likely to be your router.

Check it out using this.

http://security.zensupport.co.uk/recdns/

or get someone to do an NSLOOKUP on your router's IP address.

After a fun day of fixing several of these issues, it seems if you have a Netgear, simply upgrade the firmware and you should be OK. On other routers you need to either set up a firewall rule, or you could use some kind of port forwarding rule to send all port 53 traffic to a fake internal IP address, or even just disable the router's DNS server and enter the DNS servers manually. (Seems to be the only option on the Voyager 205.)

The aim is to notify people of the security hole that could be used to DDOS people.

There is apparently a way to do it on Zyxel routers; a few of my colleagues have them and they have managed it.
 
I think that like others in the adslguide forum thread my router has an undocumented feature. Now passing the test after messing about with port 53 traffic on the router setup.
 