open DNS resolver
An open recursive DNS Resolver is a DNS server that has been opened up to answer DNS queries from any computer system on the Internet. If configured incorrectly, these servers can be exploited to unwittingly participate in malicious activities.
DNS amplification attack
DNS query types
- DNS Recursive query
- DNS Non-recursive query
- DNS Iterative query
DNS Open-resolvers can be abused for DDoS reflection attacks against third parties.
Verification
$ dig +short jetamooz.com @x.x.x.x
note : Substitue x.x.x.x with the IP address of the DNS resolver (target).
if you get response then your target is vulnerable. if you do not set response or get request time out then target is safe!
online check target
Solution
-
Disable recursion or limit recursion to trusted clients in the DNS server's configuration.
-
BIND: Secure BIND Template
Secure Bind by adding ACLs, and permitting it in named.conf options
acl "trust" { localhost; 10.100.100.0/24; 2001:ffff:ffff:ffff::/64; };
options {
...
allow-query { trust; };
allow-query-cache { trust; };
...
}
Secure Unbound by adding access-control statements in unbound.conf server block
server:
access-control: 0.0.0.0/0 refuse
access-control: 10.100.100.0/24 allow
access-control:2001:ffff:ffff:ffff::/64 allow
...
- Microsoft Windows: Disable Recursion on the DNS Server