By: lasseitdk

Abuse complaint about DNS server

November 26, 2014 3.1k views

Hi DO community

I have received an abuse complaint about my DNS server (bind9).

This is the complaint:

You appear to be running an open recursive resolver at IP address 178.62.87.174 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

  • To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
  • To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
  • To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Example DNS responses from your resolver during this attack are given below.
Timestamps (far left) are PST (UTC-8), and the date is 2014-11-25.

14:42:28.317290 IP (tos 0x0, ttl 56, id 60955, offset 0, flags [+], proto UDP (17), length 1500) 178.62.87.174.53 > 74.91.119.x.16038: 65342 29/6/6 doleta.gov. RRSIG[|domain]
0x0000: 4500 05dc ee1b 2000 3811 a2e7 b23e 57ae E.......8....>W.
0x0010: 4a5b 77c6 0035 3ea6 0ff9 fda8 ff3e 8180 J[w..5>......>..
0x0020: 0001 001d 0006 0006 0664 6f6c 6574 6103 .........doleta.
0x0030: 676f 7600 00ff 0001 c00c 002e 0001 0000 gov.............
0x0040: 02eb 011e 0001 0702 0000 0384 547d 2b44 ............T}+D
0x0050: 5473 Ts
14:42:28.317626 IP (tos 0x0, ttl 56, id 60956, offset 0, flags [+], proto UDP (17), length 1500) 178.62.87.174.53 > 74.91.119.x.16038: 65342 29/6/6 doleta.gov. RRSIG[|domain]
0x0000: 4500 05dc ee1c 2000 3811 a2e6 b23e 57ae E.......8....>W.
0x0010: 4a5b 77c6 0035 3ea6 0ff9 6af7 ff3e 8180 J[w..5>...j..>..
0x0020: 0001 001d 0006 0006 0664 6f6c 6574 6103 .........doleta.
0x0030: 676f 7600 00ff 0001 c00c 002e 0001 0000 gov.............
0x0040: 02eb 011e 0001 0702 0000 0384 547d 2b44 ............T}+D
0x0050: 5473 Ts
14:42:28.317974 IP (tos 0x0, ttl 56, id 60957, offset 0, flags [+], proto UDP (17), length 1500) 178.62.87.174.53 > 74.91.119.x.16038: 65342 29/6/6 doleta.gov. RRSIG[|domain]
0x0000: 4500 05dc ee1d 2000 3811 a2e5 b23e 57ae E.......8....>W.
0x0010: 4a5b 77c6 0035 3ea6 0ff9 196d ff3e 8180 J[w..5>....m.>..
0x0020: 0001 001d 0006 0006 0664 6f6c 6574 6103 .........doleta.
0x0030: 676f 7600 00ff 0001 c00c 002e 0001 0000 gov.............
0x0040: 02eb 011e 0001 0702 0000 0384 547d 2b44 ............T}+D
0x0050: 5473 Ts

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "198".)

Then I found this in my bind9 log:

Nov 25 23:39:49 lasse-it named[1416]: error (network unreachable) resolving 'doleta.gov/ANY/IN': 2001:500:4431::2:30#53
Nov 25 23:39:52 lasse-it named[1416]: success resolving 'doleta.gov/ANY' (in 'doleta.gov'?) after reducing the advertised EDNS UDP packet size to 512 octets

What should I do? I don't want to deny public access to my DNS, since I'm using it as my resolver on my home network, which has a dynamic IP.

Bind9 configs in comments
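As an added worked example (not part of the original post), the following Python script decodes the first packet from the complaint's hex dump so its claims can be checked rather than taken on trust: a source-port-53 reply to the masked customer address, DNS flags with QR, RD and RA set and AA clear, the question `doleta.gov. ANY`, the 29/6/6 record counts, a 1500-byte first IP fragment with MF set, and the 4081-byte UDP payload behind it. The amplification figure is an estimate that assumes the attacker sent a minimal EDNS0 query; that assumption is the script's, not the complaint's.

```python
import ipaddress
import struct

# First response packet quoted in the abuse complaint above (tcpdump -x format:
# offset, up to eight 16-bit hex words, then an ASCII column).
COMPLAINT_HEXDUMP = """\
0x0000: 4500 05dc ee1b 2000 3811 a2e7 b23e 57ae E.......8....>W.
0x0010: 4a5b 77c6 0035 3ea6 0ff9 fda8 ff3e 8180 J[w..5>......>..
0x0020: 0001 001d 0006 0006 0664 6f6c 6574 6103 .........doleta.
0x0030: 676f 7600 00ff 0001 c00c 002e 0001 0000 gov.............
0x0040: 02eb 011e 0001 0702 0000 0384 547d 2b44 ............T}+D
0x0050: 5473 Ts
"""
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA",
               46: "RRSIG", 255: "ANY"}


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -x output, discarding the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:]:          # hex words are <= 4 digits; the first
            if len(word) > 4:            # non-hex token starts the ASCII column
                break
            try:
                raw += bytes.fromhex(word)
            except ValueError:
                break
    return bytes(raw)


def read_name(buf, off):
    """Decode a wire-format DNS name (compression aware); return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:        # compression pointer
            end = off + 2 if not jumped else end
            jumped, off = True, struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response_fragment(raw):
    """Parse IPv4, UDP, DNS header and question from a response's first fragment."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = \
        struct.unpack_from("!BBHHHBB", raw, 0)
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len = struct.unpack_from("!HHH", raw, ihl)
    dns = ihl + 8
    dns_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", raw, dns)
    qname, off = read_name(raw, dns + 12)
    qtype, qclass = struct.unpack_from("!HH", raw, off)
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "proto": proto, "sport": sport, "dport": dport, "ip_total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),   # IP MF bit
        "udp_payload_len": udp_len - 8,                # size of the whole DNS message
        "dns_id": dns_id, "counts": (qd, an, ns, ar),
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass,
    }


def amplification_estimate(info):
    """Lower bound on the amplification factor: DNS message size divided by the
    smallest query that elicits it (12-byte header + question + 11-byte EDNS0 OPT).
    Assumption (not from the complaint): the attacker sent such a minimal query."""
    qname_wire = sum(len(l) + 1 for l in info["qname"].rstrip(".").split(".")) + 1
    return round(info["udp_payload_len"] / (12 + qname_wire + 4 + 11), 1)


def assess(dump):
    """Return (parsed fields, findings) saying why the packet is evidence of abuse."""
    info = parse_response_fragment(hexdump_to_bytes(dump))
    findings = []
    if info["ra"] and not info["aa"]:
        findings.append("RA set, AA clear: the server recursed for a zone it does not host")
    if info["qtype"] == "ANY":
        findings.append("QTYPE ANY: the classic amplification query")
    if info["more_fragments"]:
        findings.append("MF set: %d-byte DNS message, fragmented on the wire"
                        % info["udp_payload_len"])
    return info, findings
```

Running `assess(COMPLAINT_HEXDUMP)` on the quoted dump reports the reply going from 178.62.87.174:53 to 74.91.119.198:16038 (the masked final octet is given as 198 in the complaint), a 4081-byte ANY response carried in fragments, and an estimated amplification of roughly 100x for a 39-byte query. The RA flag on a non-authoritative answer is the single field that proves the "open recursive resolver" claim; the `success resolving 'doleta.gov/ANY'` line in the bind9 log is the server-side view of the same event.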

1 comment
  • named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    named.conf.local:

    zone "lasse-it.dk" {
        type master;
        file "/etc/bind/db.lasse-it.dk";
        notify yes;
    };

    named.conf.default-zones:

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    named.conf.options:

    options {
        listen-on-v6 { any; };
        allow-recursion { any; };
        allow-recursion-on { any; };
    };

2 Answers

You need to replace

options {
listen-on-v6 {
any;
};
allow-recursion {
any;
};
allow-recursion-on {
any;
};
};

with

options {
    listen-on-v6 {
        any;
    };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    allow-recursion {none;};
};

and restart bind:

sudo service bind9 restart
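The answer above makes the server authoritative-only, which is the safest fix but removes the home-resolver use the question asks to keep. As an added example (not from the answer or the original post), the following named.conf.options keeps recursion for a named ACL while still publishing the lasse-it.dk zone to everyone, and adds BIND's Response Rate Limiting as the complaint's third suggestion. The ACL name "home" and the 192.0.2.0/24 prefix are placeholders; the complaint's first two suggestions are implemented by the allow-query / allow-recursion / allow-query-cache split, the third by the rate-limit block (BIND 9.9.4 or newer).

```conf
// Hosts allowed to use this server as a recursive resolver.
// Placeholder: replace with the prefix your home connection is allocated from.
acl "home" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;
};

options {
    listen-on-v6 { any; };

    // Authoritative data (lasse-it.dk) stays public; recursion and the cache do not.
    allow-query { any; };
    recursion yes;
    allow-recursion { home; };
    allow-query-cache { home; };
    allow-transfer { none; };

    // Response Rate Limiting: cap identical responses per client netblock, so a
    // spoofed victim receives few answers and most of those are truncated (TC),
    // which forces a real client to retry over TCP and gives a spoofer nothing.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
    };

    // Keep responses small and do not advertise the BIND version.
    minimal-responses yes;
    version none;
};
```

Validate with `named-checkconf` before `sudo service bind9 restart`. Afterwards `dig @178.62.87.174 doleta.gov ANY` from outside the ACL should return `status: REFUSED`, while `dig @178.62.87.174 lasse-it.dk SOA` still answers with the `aa` flag. One caveat for the dynamic-IP case in the question: ACL entries are static prefixes, so a home address that changes has to be covered by the ISP's whole allocation (which also lets every other customer of that ISP recurse through the server), reached over a VPN or SSH tunnel to the droplet, or served by a resolver that runs at home instead.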