[dnsreport.com...]
Apparently something that has been going on for years has now come to a head and it has to do with DNS Recursion. I'm not a DNS specialist so please bear with my terminology and correct me if I'm wrong, that's the only way I'm going to learn! ;)
The New Error Most Will See
ERROR: One or more of your name servers reports that it is an open DNS server. This usually means that anyone in the world can query it (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server xx.xx.xx.xx reports that it will do recursive lookups.
It appears the change in the DNS Tool report has caused some heated discussion from a few who use the tool regularly. Many do not like to see that FAIL message when they've had an Open DNS Server for as long as they can remember.
To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.
The Good Guys have found over half a million. The Bad Guys will find yours. Bad guys will use spoofed UDP packets to fire-and-forge large DNS requests, and the recursing server will send the fragmented replies to the victim (the forged source of the UDP). There are rumblings by very smart people to "do something about this".
A few days ago, it was pointed out that there was a new attack using open DNS servers as part of a DDoS, using amplification (where the open DNS servers would send packets 50 times as large as the ones that were originally sent), making this a very serious issue.
Are you aware of and/or are you doing anything about this? I'm in the process now of discussing all of this with my server administrators and want to make the changes to eliminate that failure on the DNS Report. Anytime I see red on that report, the hair on my neck rises. Many of the issues we see here at WebmasterWorld can be traced back to DNS Issues so it is important that you keep a regular eye on what your DNS is up to! ;)
Brett, congratulations, you passed for this particular test. Over 75% of the sites out there do not, including my own which I am in the process of correcting.
... because the server can't resolve gmail.com anymore.
There are two types of DNS servers:
[1] Authoritative DNS servers. These are the DNS servers that know all the information about *some* but not *all* domains. For example, gmail.com has its own set of 4 authoritative DNS servers. If you have a domain, whoever hosts your DNS gives you the IPs of these DNS servers, and these IPs go *only* in the settings for your domain at your domain registrar.
[2] Recursive (caching) DNS servers. These are DNS servers that can find out the answer to any DNS query. The IPs of these DNS servers are given to you by your Internet provider (often automatically through DHCP). These IPs should only be used in the OS settings to let your computers know what DNS servers to use for lookups.
The catch here is that many hosting companies have the same set of DNS servers act as authoritative and recursive. Best practice is to have them separated (which among other things makes cache poisoning impossible). If they are combined, though, they can't just disable recursion (because they *use* recursion). So in this case, they need to *restrict* recursion to just the IPs in their local network.
The easiest option for your host is for them to enable recursion only for their local network. That lets them have recursion for customers who need it, while requiring almost no work for them.
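The check behind the report's "reports that it will do recursive lookups" line, as an added example (my code, not DNSReport's tool or anything from the thread): send a query with the RD bit set for a name the server does not host, and read the RA bit and answer count in the reply. The probe name www.example.com and the documentation addresses used in the offline samples are assumptions; the sample replies are constructed, not captured traffic.

```python
"""Open-resolver probe: does a name server answer recursive queries for
names it is not authoritative for?

Added example, not code from the page, from DNSReport/DNSstuff or from any
DNS vendor.  It builds a plain RFC 1035 query with the RD (recursion
desired) bit set and reads the reply header: RA (recursion available) is
the flag behind the report's "reports that it will do recursive lookups",
and an actual answer for a foreign name shows the server is open.  The
probe name www.example.com is an assumption; use a name outside every zone
the target hosts."""
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, txid):
    """12-byte header (flags 0x0100 = RD set, QDCOUNT 1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(resp, txid):
    """Read the header and say whether the server behaved as an open resolver."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:                      # QR must be 1 in a response
        raise ValueError("not a response")
    aa = bool(flags & 0x0400)                   # authoritative answer
    ra = bool(flags & 0x0080)                   # recursion available
    rcode = flags & 0x000F
    if ra and rcode == 0 and an > 0:
        verdict = "open"             # served a foreign name: open resolver
    elif ra:
        verdict = "advertises-only"  # RA set but no answer (the caveat in the report)
    else:
        verdict = "closed"           # RA clear, typically REFUSED
    return {"verdict": verdict, "ra": ra, "aa": aa, "answers": an,
            "rcode": RCODE_NAMES.get(rcode, str(rcode))}


def build_sample_response(txid, flags, name, answer_ip=None):
    """Constructed reply for offline testing: echo the question and, if
    answer_ip is given, append one A record (name pointer 0xC00C -> offset 12)."""
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        msg += socket.inet_aton(answer_ip)
    return msg


def probe(server_ip, name="www.example.com", timeout=3.0):
    """Send the query over UDP/53 and classify the reply (needs network)."""
    txid = random.randrange(0x10000)            # random ID so stray replies are rejected
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server_ip, 53))
        resp, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify_response(resp, txid)


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it as "python probe.py <nameserver ip>" against each of your own authoritative servers. A "closed" verdict (RA clear, usually REFUSED) is what you want from a server that is only authoritative; "advertises-only" is the corner case the report text mentions, where the server sets RA but does not actually resolve; "open" means it just answered a question about somebody else's zone for an arbitrary Internet host.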
I guess this begs the question of why don't hosts do this anyway? If doing this is low cost and helps the fight against DDoS then it would seem to be to the host's benefit to do it. But again not being a DNS expert, my guess is there must be more to it.
Computer Researchers Warn of Net Attacks
[news.yahoo.com...]
Ken Silva, the chief security officer for VeriSign Inc., compared the scale of attacks to the damage caused in October 2002 when nine of the 13 computer "root" servers that manage global Internet traffic were crippled by a powerful electronic attack. VeriSign operates two of the 13 root server computers, but its machines were unaffected. "This is significantly larger than what we saw in 2002, by an order of magnitude," Silva said.
Silva said the attacks earlier this year used only about 6 percent of the more than 1 million name servers across the Internet to flood victim networks. Still, the attacks in some cases exceeded 8 gigabits per second, indicating a remarkably powerful electronic assault.
"This would be the Katrina of Internet storms," Silva said.
Link to AP story courtesy of jdMorgan, thank you!
Payment Gateway StormPay Battling Sustained DDoS Attack
[news.netcraft.com...]
Payment gateway StormPay is recovering from a distributed denial of service attack (DDoS) that has kept its web site offline for much of the past two days. The company, which provides online payment processing for thousands of e-commerce web sites, came back online Friday after a sustained attack that commenced last weekend. The DDoS on StormPay is the latest in a series of attacks on services that allow web merchants to accept credit cards.
The attacks flooded StormPay with up to 6 gigabits a second of data, according to Barrett Lyon, chief technology officer of Prolexic Technologies, which specializes in DDoS defense and is working with StormPay to mitigate the attack. Lyon said the DDoS involved DNS amplification, using bogus DNS requests to cause Internet nameservers to inundate StormPay's web site with traffic.
Fixing Microsoft DNS on Windows 2003 (Open DNS):
* In the console tree, right-click the applicable DNS server, then click Properties.
* Click the Advanced tab.
* In Server options, select the Disable recursion check box, and then click OK.
Disclaimer: I am no expert but this is the way I fixed my VPS. If you know other preventive measures please share here.
Can you give me more information on where recursion required.
I'm going to defer this one to the DNS experts participating in this topic. It all has to do with allowing recursion for those authorized and then disallowing for those not authorized. I've already seen one issue where the above instructions were followed and there were problems afterwards. You just can't make a blanket change like that without first making sure that is not going to affect your users.
I've already seen one issue where the above instructions were followed and there were problems afterwards. You just can't make a blanket change like that without first making sure that is not going to affect your users.
It all depends on your situation. Those instructions will never cause a problem, unless you've allowed people to use the DNS server recursively.
Specifically, DNS servers can be either recursive/caching (ones that your mailserver, web browser, etc. use to look up *any* domain), or authoritative (ones that *other* DNS servers will connect to to find information about your domain, such as where the webserver and mailserver are), or both. Best practice is to have it only be one or the other.
If your DNS server is just authoritative (if you never gave customers, employees, etc. the IPs), then you can disable recursion.
If your DNS server is recursive (or both recursive and authoritative), you can't just disable recursion (that would be kind of like shutting down your website in response to a security issue; yeah, it solves the problem, but it shuts down an entire service you want). In this case, you need more advanced instructions that show you how to block recursion for all IPs except your local network (it's unclear yet if there is any way to do this with Microsoft DNS).
We have a page at www.DNSstuff.com/ that covers closing open DNS servers, which we are expanding as we get more information. We may also come out with a free program to monitor DNS traffic to help determine whether or not it is being used as a recursive DNS server.
-Scott
[edited by: engine at 10:12 am (utc) on Aug. 15, 2008]
[edit reason] broken link [/edit]
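Before shutting recursion off, you want to know who is actually using it, which is the question the monitoring idea above is aimed at. As an added example (my code, not a DNSstuff tool and not from the thread), this scans a BIND 9-style query log, separates recursive queries from your own networks (fine) from recursive queries that outsiders got answered for foreign names (the open-resolver symptom), and flags a single outside "client" hammering the server at a rate no real client would, which is what a spoofed amplification victim looks like from the server's side. The log line shape, the LOCAL_NETS and AUTH_ZONES values and the sample lines are all assumptions I constructed.

```python
"""Spot recursion served to outsiders, and bursts that look like amplification,
in a BIND-style query log.

Added example; not a tool from the page, from DNSstuff or from ISC.  Assumptions
(mine, not the page's): log lines follow BIND 9's
"client <ip>#<port>: query: <name> IN <type> <flags>" shape, where a "+" in the
flags means the client asked for recursion; LOCAL_NETS and AUTH_ZONES below are
constructed stand-ins for the host's own ACL and zone list, and SAMPLE_LOG is
constructed, not real traffic."""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]     # clients allowed recursion
AUTH_ZONES = ("example.com", "example.net")             # zones this server hosts


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def in_auth_zone(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in AUTH_ZONES)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rd"] = "+" in rec["flags"]       # recursion desired
    return rec


def analyse(lines, burst_threshold=50):
    """Return outsiders that got recursion, ANY-query counts, and sources whose
    per-second query rate reaches burst_threshold (a spoofed victim address
    shows up here as one 'client' hammering the server)."""
    outside_recursion = Counter()
    per_ip_second = defaultdict(Counter)
    any_queries = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, name = rec["ip"], rec["name"]
        if rec["rd"] and not is_local(ip) and not in_auth_zone(name):
            outside_recursion[ip] += 1
        per_ip_second[ip][rec["ts"]] += 1
        if rec["qtype"] == "ANY":
            any_queries[ip] += 1
    suspected = sorted(ip for ip, secs in per_ip_second.items()
                       if not is_local(ip) and max(secs.values()) >= burst_threshold)
    return {"outside_recursion": dict(outside_recursion),
            "any_queries": dict(any_queries),
            "suspected_amplification": suspected}


# Constructed sample: one local recursive lookup (fine), one outsider query for
# our own zone (fine), one outsider recursive lookup (recursion leaked), and a
# 60-per-second burst of ANY queries from one outside address (amplification).
SAMPLE_LOG = [
    "15-Feb-2006 10:22:31.101 client 10.0.0.5#3421: query: mail.example.org IN A +",
    "15-Feb-2006 10:22:31.205 client 198.51.100.20#2048: query: www.example.com IN MX -",
    "15-Feb-2006 10:22:32.010 client 198.51.100.20#1054: query: mail.example.org IN A +",
] + ["15-Feb-2006 10:22:33.%03d client 203.0.113.7#53: query: big.example.org IN ANY +" % i
     for i in range(60)]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

If "outside_recursion" is empty after a day of logs, nobody outside your networks depends on recursion and the server can be made authoritative-only; if it is not empty, those addresses are who you will break, so restrict recursion to the local networks (on BIND, an allow-recursion ACL listing only your own networks) rather than switching it off outright. The ANY counts and the burst list are what an amplification run looks like: many large-answer queries per second from one spoofed source, which is also why rate limiting alone will not help the victim.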
Welcome to WebmasterWorld!
I'd personally like to thank you for your assistance in this severe issue that many of us are facing right now. I don't think that the majority have realized just how serious this is. And now that it has made Front Page news at various online resources, I'm going to guess that those considering exploiting this will step up their measures to make it happen.
I've also been lazy about increasing the refresh rate since the last time I moved servers, this is a good excuse to raise that number again :).
PASS Open DNS servers OK.
Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
Thank you for the useful information posted here. For the not-so-familiar with DNS, could someone post a helpful site concerning the basics of DNS?
On one of my sites I have a fail on Open DNS servers. I emailed my host and they said -
"This is not a fatal error, it simply means that our name servers will resolve any address it is asked. its not really a problem."
Am I being fobbed off?
It's not an error. It is however, contributing to a problem. It's never been a great idea to provide DNS lookups to the entire world, and now because of these DDoS attacks, it's downright unwise.
Refer them to this: [us-cert.gov...]
and this:
[securityfocus.com...]
And if they're still not convinced to do something about their "open DNS", then yes, you're being fobbed off.
The problem with dnsreport.com is it mixes opinion and fact, which has led to a credibility problem with those who understand DNS well enough not to rely on such a service.
Credibility problem? Ummm, hardly. In fact, I think their credibility just moved up a notch for taking the steps necessary to take this issue to the next level by including it in their DNS Report.
I've been using the tools there for years and I've not seen anything based on opinion. If I'm not mistaken, everything there is based on RFCs and there is authoritative backup for everything discussed on that site.
And if they're still not convinced to do something about their "open DNS", then yes, you're being fobbed off.
Well, at least we agree on something! ;)
"This is not a fatal error, it simply means that our name servers will resolve any address it is asked. its not really a problem."
That's kind of like your bank saying "Yes, we keep our doors unlocked at night, but it's not a problem since it is against the law for people to rob banks. And we haven't had anyone do it yet, either."
If someone uses their open DNS server in an attack (as has already happened to 6% or so of DNS servers), the attackers are going to want to use 100% of the possible outgoing bandwidth. The attacker can't know when 100% of the bandwidth is reached, so he will try sending as many packets as he can. As a result, many DNS packets will get dropped -- and that means legitimate packets will get dropped, too.
So what happens when someone tries going to your website or sending you E-mail? Maybe they get through, maybe they don't.
And it sounds like your hosting company is indirectly saying that they are using their authoritative DNS servers as recursive DNS servers, too. That means that if an attack occurs, their only real recourse (if the DNS packets are coming from many zombie IPs) may be to shut off recursive DNS service -- which then will shut down things like some outgoing E-mail and other similar services that need recursive DNS lookups.
So is it "not really a problem"? If their DNS servers aren't used in an attack, yes. But if they are, it might very well be a problem.
-Scott
True for you, obviously. The same cannot be said of all those who live and breathe DNS. What I said is true. You don't have to like it, that's entirely up to you.
What I said is true. You don't have to like it, that's entirely up to you.
Could you please back up your statement about DNSreport.com mixing opinion and fact?
We certainly do get our share of people who disagree as to what should trigger a pass/warn/fail, and in some cases those criteria are necessarily subjective ("Is X bad enough to warrant a FAIL?", "How many seconds should a SOA RETRY be before a FAIL is justified?").
If that is what you are referring to, that's fine (there is no way around that), although re-phrasing the statement would be nicer. :)
But if there are any cases where the site makes it unclear what is opinion versus fact, or if there are any inaccuracies, we definitely want to know about it so we can fix the problem.
-Scott
VeriSign said the attack on its name servers caused a "brief degradation" in the quality of its service to customers for around 25 minutes on Tuesday afternoon
[theregister.co.uk...]
Nothing in that article says anything about using recursive DNS servers to DOS something.
First paragraph...
Hackers have launched distributed denial of service attacks against the Domain Name System (DNS) servers of a brace of domain name registrars over recent days. The motive for the separate attacks against VeriSign and Joker.com remains unclear.
[us-cert.gov...]
US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.
Senior levels of the US government are taking an interest in recent distributed denial-of-service attacks against the internet's domain name system, according to a person familiar with the situation.
Network Solutions and Joker.com hit by DDoSsers. More to follow? Hackers have launched distributed denial of service attacks against the Domain Name System (DNS) servers of a brace of domain name registrars over recent days.
Domain registrar Joker.com says its name servers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany.
Cyber criminals are using DNS servers, the phonebooks of the Internet, to amplify their assaults and disrupt online business.
This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.
A new kind of denial-of-service (DoS) attack has emerged that delivers a heftier blow to organisations' systems than previously seen DoS threats, according to VeriSign's security chief.
This would be the Katrina of Internet storms, Silva said.
All domains on our Linux server have Open DNS servers error. How can we solve this error?
Having a DNS server that allows recursion for the Internet is like running an open SMTP relay.
The attack currently in the wild is a lot bigger and more complicated than this, but to begin, here is an explanation.
Payment gateway StormPay is recovering from a distributed denial of service attack (DDoS) that has kept its web site offline for much of the past two days.
---
This does not constitute a problem. And this is not something we will be able to change in any case. You can, however, set up your own nameserver if this still concerns you.
---
makes you wonder...