DNS Open-resolver

Description

A DNS (Domain Name System) Open-resolver is a DNS server that accepts recursive queries from all IP addresses and is exposed to the Internet. A DNS Open-resolver listens on port 53/TCP and port 53/UDP.

Problem

A DNS Open-resolver can be abused for DNS Amplification attacks against third parties. A DNS amplification attack is a form of Denial of Service Attack (DoS) in which an attacker uses a DNS Open-resolver to send large amounts of unsolicited traffic to a victim overwhelming their capacity to respond. DNS Open-resolvers are also vulnerable to Cache Poisoning and can be exploited in other types of DNS attacks, such as DNS tunneling, DNS hijack attack, NXDOMAIN attack, Random subdomain attack and Phantom domain attack.

DNS Query Types

The objective of DNS is to resolve a fully qualified domain name (FQDN) to an IP address. This process is called name resolution. DNS queries can be classified according to the manner in which the request is processed. There are three DNS query types:-

DNS query types
DNS Recursive query
DNS Non-recursive query
DNS Iterative query

DNS Recursive query

In a DNS Recursive query, a DNS client provides a FQDN, and the DNS resolver MUST provide an answer. It responds with either a relevant resource record, or an error message if it can not be found. The DNS resolver starts a recursive query process starting from the DNS Root Server, until it finds the Authoritative Name Server that holds the IP address and other information for the requested FQDN.

DNS Non-recursive query

In a DNS non-recursive query, the DNS resolver already knows the answer. It either returns a DNS record immediately because it has the relevant DNS records in its cache or it queries a DNS Name Server which is an Authoritative Name Server for the record, meaning it definitely holds the correct IP address for the particular FQDN. There is no need for additional queries.

DNS Iterative query

In an DNS iterative query, a DNS client provides a FQDN, and the DNS resolver returns the best answer it can. If the DNS resolver has the relevant DNS record in its cache, it returns it, If not, it refers the DNS client to the root server, or another authoritative name server which is nearest to the required DNS zone. The DNS client must then repeat the query directly against the DNS server it was referred to.

Example of a DNS amplification attack

An attacker will first place a large DNS record on an Authoritative Named Server that is accessible from the Internet. This record may include a large Domain Name System Security Extensions (DNSSEC) key, this is to ensure that the response to the DNS query is significantly larger than the query itself. The record will also have a long Time-To-Live (TTL) value.

The attacker, using either UDP or ICMP, stateless protocols that do not require a handshake between the sender and recipient, will then send a spoofed DNS query for the record to the DNS Open resolver. The DNS Open-resolver performs the DNS recursive query. DNS queries are typically transmitted over UDP and as such there is no verification that the source IP address is in fact the sender.

The DNS Open resolver fetches the large record from the Authoritative Name Server and caches the record for the TTL duration. The attacker will then remove the record from the Authoritative Named Server.

The attacker will send spoofed queries to the DNS Open-resolver for the cached record. These DNS queries will have the IP address of the victim as the source address. The DNS Open resolver will send the large cached record to the IP address of the victim for as long as the attacker sends fake DNS queries.

Verification

To establish if a host has an openly accessible service on the Internet, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.

Domain Information Groper (dig)

To confirm if a DNS server is configured as a DNS Open-resolver that will try and resolve recursive queries, the tool Domain Information Groper (dig) can be used to interrogate the DNS server. You can send a DNS request for an arbitrary domain name to the IP address of the DNS server:-

In the following example, substitue TARGET with the FQDN of the DNS resolver. Substitue x.x.x.x. with the IP address of the DNS resolver.

$ dig TARGET @ x.x.x.x

A DNS Open-resolver configured to resolve recursive queries will return a response similar to the example below, followed by a set of DNS records:

; <<>> DiG 9.10.31-P4-Ubuntu <<>> TARGET @ x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53931
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

Note ‘status’ NOERROR

A DNS server not allowing recursive queries will instead respond with an error message similar to this:

; <<>> DiG 9.10.31-P4-Ubuntu <<>> TARGET @x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47106
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

Note ‘status’ REFUSED

Solution

Restrict DNS resolvers to only accept DNS queries from authorised or specific IP addresses.

In the DNS resolvers configuration, disable recursion or limit recursion.

Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged source (spoofed) IP address access to the network, and to help ensure that traffic is traceable to its correct network.

Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations by preventing traffic with a forged source (spoofed) IP address from leaving the network.

Ingress & Egress Filtering

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link.
Ingress & Engress Filtering

Additional Information

DNS Amplification Attacks
CISCO - DNS Best Practices
Domain Name System Operations Analysis and Research Center
Microsoft Windows Disable Recursion on the DNS Server
US-Cert DNS Amplification Attacks