Recursive DNS attacks

Zaeem Arshad gave an insightful presentation on the hazards of running open DNS servers. He talked extensively about how these can easily be used to launch recursive DNS DoS (Denial of Service) attacks against any network in the world. The presentation can be found along with the rest of the SANOG 8 slides on the SANOG website.

One of the biggest causes of roughly 80% of all DNS servers being open is that they are open by default and even experienced admins neglect to fix the configuration. It reminds me of the time when open SMTP relays were very common and it took a while for most MTAs to be configured otherwise by default. A big difference is that open mail relays were simply used to send spam and at most, will choke or blacklist that one connection. On the other hand, a distributed recursive DNS attack can bring down a whole website or ISP.

Another issue which I haven’t yet figured out is that a number of domains fail to resolve through BIND running on Solaris, once their record expires. This issue hasn’t surfaced yet with BIND (same version) running on Linux. And the thing common among all of these domains is that the servers these are hosted on are reported as open DNS servers by www.DNSReport.com. Maybe I should stop flushing the cache for such domains to put pressure on the admins to fix their servers.

Good job with the talk Zaeem and do continue to produce more stuff like this.

3 thoughts on “Recursive DNS attacks

  1. Isnt that DRDOS attack? There is no prevention against it, that is what I know. It is a bug in the networking protocols and can cause havok if initiated with planning.

Comments are closed.