Report: Open DNS Resolvers Increasingly Used To Amplify DDoS Attacks
5:46 pm on Oct 29, 2012 (gmt 0)
Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organisation that tracks Internet hosts involved in cybercriminal activities. That's because, according to HostExploit, incorrectly configured open DNS resolvers - servers that can be used by anyone to resolve domain names to IP addresses - are increasingly abused to launch powerful DDoS attacks.
Report: Open DNS Resolvers Increasingly Used To Amplify DDoS Attacks [news.techworld.com]
"It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays," HostExploit said in its report.
10:47 am on Oct 30, 2012 (gmt 0)
With the OpenDNS logo on this, I was unable to determine from the article mentioned that their servers contributed to these issues. As an OpenDNS supporter and client, am I missing something?
11:04 am on Oct 30, 2012 (gmt 0)
where is the logo? that is an unfortunately-named brand!
however the story is about "open (lower case 'o') DNS resolvers"
open DNS resolvers are those which allow external requests for recursive domain name resolution.
you can test for open DNS recursion using the dig command: dig @NAMESERVER.DNSPROVIDER.COM example.com, where NAMESERVER.DNSPROVIDER.COM is the DNS being tested and example.com is a domain NOT using that nameserver.
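As an added example (not something posted in this thread), here is a POSIX shell script that runs the dig test described above and reads the reply properly: what decides it is the "ra" (recursion available) flag and the status in the header, not merely whether dig prints something. The nameserver is a placeholder you supply, the test name must be one the target is NOT authoritative for, and the four dig transcripts at the bottom are constructed by hand so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: probe a nameserver for open
# recursion with dig and classify the reply.  Placeholders: the target
# nameserver (PROBE_NS) and the test name (default example.com), which
# must lie outside the target's own zones or it answers either way.

# classify_dig_output: reads dig output on stdin, prints one word:
#   OPEN    - NOERROR, "ra" flag set, and an answer was returned
#   CLOSED  - status REFUSED (recursion denied to this client)
#   NOREC   - replied without "ra" and without an answer, e.g. an
#             authoritative-only server handing back a referral
#   TIMEOUT - no reply at all (filtered, or not a nameserver)
#   UNKNOWN - anything else; read the raw output
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo TIMEOUT; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    answers=${answers:-0}
    has_ra=0
    case " $flags " in *" ra "*) has_ra=1 ;; esac
    if [ "$status" = REFUSED ]; then
        echo CLOSED
    elif [ "$status" = NOERROR ] && [ "$has_ra" -eq 1 ] && [ "$answers" -gt 0 ]; then
        echo OPEN
    elif [ -n "$status" ] && [ "$has_ra" -eq 0 ]; then
        echo NOREC
    else
        echo UNKNOWN
    fi
    return 0
}

# probe_open_recursion NAMESERVER [NAME]: the dig from the post above
# (RD bit set, which is dig's default), piped into the classifier.
probe_open_recursion() {
    dig +tries=1 +time=3 @"$1" "${2:-example.com}" A | classify_dig_output
}

# Constructed dig transcripts (not captured from any real host) for dry runs.
SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> @203.0.113.53 example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4821
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    3600    IN    A    192.0.2.1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4822
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4823
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Live run only when a target is given: PROBE_NS=203.0.113.53 sh probe.sh
if [ -n "${PROBE_NS:-}" ]; then
    probe_open_recursion "$PROBE_NS"
fi
```

Only probe servers you run or have permission to test. A REFUSED or a bare referral means the server will not recurse for you; a reply with "ra" set and a real answer for a name it does not host is the open-resolver case the report is about.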
11:08 am on Oct 30, 2012 (gmt 0)
btw this isn't something you can fix in the zone file - it's in the DNS (probably BIND) configuration. in most cases this means you have to change your DNS provider to "fix it".
11:42 am on Oct 30, 2012 (gmt 0)
The logo was on the WebmasterWorld home page highlighted features section. It was in the Domain Names section but I may have been in "hiding" so long I might not be aware if there are advertisements now tagged there.
12:04 pm on Oct 30, 2012 (gmt 0)
i didn't look on the home page before - that error should be resolved soon.
2:13 pm on Oct 31, 2012 (gmt 0)
There doesn't seem to be a way on older servers to split/zone internal and external requests for recursive domain name resolution. The only solutions seem to be run internal and external requests on separate servers or upgrade the software.
3:03 pm on Oct 31, 2012 (gmt 0)
you simply disable external requests for recursive resolution. what type of server?
3:44 pm on Oct 31, 2012 (gmt 0)
you simply disable external requests for recursive resolution
That depends on what you class as "external". A local network is "external" to a server; however, it may still need recursive resolution, whereas you wouldn't want to allow recursive resolution to the "external" outside world.
Newer DNS servers solve this easily by allowing different configurations for different "zones"
11:53 pm on Oct 31, 2012 (gmt 0)
in that case, shut down port 53 at the firewall and allow "external" requests.
12:14 am on Nov 1, 2012 (gmt 0)
A firewall is way too crude. It isn't capable of understanding if the request is for a non problematic authoritative answer as opposed to a recursive request.
2:49 am on Nov 1, 2012 (gmt 0)
maybe i misunderstood you - to me, "external" request means "external to the authority of that DNS", not "external to the network".
perhaps you need to disable recursion but configure a forwarder to handle "external" requests.
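Pulling the last few posts together (turn recursion off, restrict it to the local network, or use per-client views with a forwarder), here is an added example that is not from the thread or from ISC: three BIND 9 named.conf fragments plus a rough shell audit that reports the effective recursion setting for the global options and for each view. The ACL name, addresses, forwarder and zone are placeholders. The audit is line-based and only understands the common one-line forms of allow-recursion and match-clients, so treat it as a sanity check rather than a parser; run named-checkconf on the real file. One caveat on the "UNRESTRICTED" verdict: as I understand it, BIND 9.4 and later already default allow-recursion to localnets and localhost, so "nothing configured" is open on the older servers the thread mentions but not on current ones; check your version's ARM.

```shell
#!/bin/sh
# Added example, not the thread's or ISC's code.  Placeholders: the
# "trusted" ACL, 192.0.2.0/24, the forwarder 192.0.2.10 and example.org.

# Open on old BIND: recursion on (the default) and nobody told who may use it.
NAMED_CONF_OPEN='options {
    directory "/var/named";
    recursion yes;
};
zone "example.org" { type master; file "example.org.zone"; };
'

# Restricted: recursion only for the local networks; everyone else still
# gets authoritative answers for the zones this server hosts.
NAMED_CONF_RESTRICTED='acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
zone "example.org" { type master; file "example.org.zone"; };
'

# Views: the LAN gets recursion via a forwarder, the world gets none.
NAMED_CONF_VIEWS='acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion no;                    // safe default; views turn it on
};
view "internal" {
    match-clients { trusted; };
    recursion yes;
    forwarders { 192.0.2.10; };      // upstream resolver for outside names
    zone "example.org" { type master; file "example.org.zone"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.org" { type master; file "example.org.zone"; };
};
'

# audit_named_conf: named.conf on stdin, one line per options/view scope:
#   CLOSED       recursion no
#   RESTRICTED   allow-recursion or match-clients limits who gets it
#   UNRESTRICTED recursion on with nothing limiting it (see caveat above)
audit_named_conf() {
    sed -e 's://.*$::' -e 's:#.*$::' | awk '
    function verdict(s, rec, ar, mc) {
        if (rec == "no") return "CLOSED"
        if (ar != "" && ar !~ /any/) return "RESTRICTED"
        if (s != "options" && mc != "" && mc !~ /any/) return "RESTRICTED"
        return "UNRESTRICTED"
    }
    /^[[:space:]]*(options|view)[[:space:]]/ && depth == 0 {
        scope = $1; ar = ""; mc = ""
        rec = (global_rec == "" ? "yes" : global_rec)   # views inherit options
        if ($1 == "view") { match($0, /"[^"]*"/); scope = "view " substr($0, RSTART + 1, RLENGTH - 2) }
    }
    scope != "" {
        if ($0 ~ /^[[:space:]]*recursion[[:space:]]+(yes|no)/) { rec = $2; sub(/;.*/, "", rec) }
        if ($0 ~ /^[[:space:]]*allow-recursion[[:space:]]*[{]/) { ar = $0; sub(/.*[{]/, "", ar); sub(/[}].*/, "", ar); gsub(/^[[:space:]]+|[[:space:]]+$/, "", ar) }
        if ($0 ~ /^[[:space:]]*match-clients[[:space:]]*[{]/) { mc = $0; sub(/.*[{]/, "", mc); sub(/[}].*/, "", mc); gsub(/^[[:space:]]+|[[:space:]]+$/, "", mc) }
        depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
        if (depth == 0) {
            if (scope == "options") global_rec = rec
            printf "%s: recursion=%s allow-recursion=%s verdict=%s\n", scope, rec, (ar == "" ? "(unset)" : ar), verdict(scope, rec, ar, mc)
            scope = ""
        }
    }'
}

# named_conf_verdict: the worst scope wins (an open view is an open server).
named_conf_verdict() {
    out=$(audit_named_conf)
    case "$out" in
        *UNRESTRICTED*) echo UNRESTRICTED ;;
        *RESTRICTED*)   echo RESTRICTED ;;
        *CLOSED*)       echo CLOSED ;;
        *)              echo UNKNOWN ;;
    esac
}

# Usage: named_conf_verdict < /etc/named.conf
```

With the views fragment the global options say "recursion no" and only the internal view switches it back on, so a missing match-clients line cannot silently open the server to the world; that deny-by-default shape is the point of the last post's "disable recursion but configure a forwarder".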