What is a Recursive DNS?

Last week one of my dearest customers was worried about having enabled recursiveness in his server. I think he does not understand very well what this means and why sometimes it is considered a security flaw. After discussing with him, I promised him I will write an article explaining this. So here it is.

You should know he has hired from me the PowerDNS plugin with Low Latency Algorithm. So far, the server works as expected.

Recursive DNS Flow

By having a recursive DNS it means the server will do all the related tasks and it will answer the final IP without any client interaction but the DNS request only. If you see the image, you will see the flow. I will explain it.

1. Client (computer, IP phone) sends a DNS request for an IP to the configured DNS (Local DNS server).
2. DNS will get the request. As we expect it does not host any local zone, it will ask to a root server where is the registrar of the TLD.
3. Root server answers with the IP of the TLD server.
4. DNS will request to the TLD server where the zone (inside-out.xyz) is hosted.
5. TLD server will answer the IP of the name server.The name server is where you put your information, usually it is the server in your web hosting.
6. DNS will ask the TLD server about the specific hostname query.
7. Name server will answer that.
8. DNS server will forward back the answer to the client.

Why is this considered a Security Flow?

Well, this is sometimes an unfair question. Recursive DNS are not a security flaw by itself. It is the way they are used; having knives in your kitchen is not an issue, the issue is how you use them. This is the same situation with recursive DNSes.

The recursive DNS processing requires more processing. This means that if you are a target of a compromised machine who is flooding your DNS, you will have soon a DoS. Therefore, legitimate clients won't be able to have the service from your DNS. Well, this only happens if you have a little machine or without many other countermeasures.

Othe reason they may be able to be considered as a security risk, it is they can be used as proxies to overload other servers.

How I verify if my DNS has recursion on?

Type the following command:

dig test.openresolver.com TXT @YOUR_DNS_IP

If your server has it on, you will have this output:

; <<>> DiG 9.10.2-P4 <<>> test.openresolver.com TXT @YOUR_DNS_IP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.openresolver.com. IN TXT

;; ANSWER SECTION:
test.openresolver.com. 14400 IN TXT "open-resolver-detected"

;; Query time: 153 msec
;; SERVER: 192.168.7.57#53(YOUR_DNS_IP)
;; WHEN: dim déc 06 17:48:11 EST 2015
;; MSG SIZE rcvd: 74

If your server has it off, you will have this output:

; <<>> DiG 9.10.2-P4 <<>> test.openresolver.com TXT @YOUR_DNS_IP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46483
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;test.openresolver.com. IN TXT

;; Query time: 75 msec
;; SERVER: 45.63.69.211#53(YOUR_DNS_IP)
;; WHEN: dim déc 06 17:48:17 EST 2015
;; MSG SIZE rcvd: 50

How do I turn off Recursiveness in my DNS and how I protect it?

Each DNS server has its own way to deal with it. I will talk here only about Bind and PowerDNS.

Bind

Edit your named.conf file name and make sure you have something like this:

options {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
};

For sure you will have more options in the options block; just be sure at least these three are included. Don't forget to restart your daemon.

PowerDNS

PowerDNS architecture is very different from Bind. There are two main modules: PowerDNS and PowerDNS Recursor. PowerDNS Recursor is the responsible of resolving non-local zones. I will assume you have it up and running.

Edit your recursor.conf file and look for the allow-from parameter, you may have something like this:

allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10

You will need to edit your pdns.conf file as well and look for the allow-recursion parameter, put something it fits your needs. The default value is 0.0.0.0/0 which it means everybody.

allow-recursion=192.168.1.0/24

Change this line to your needs and don't forget to restart your daemons.

Other countermeasures

There are many ways, as this is not a specific solution I will only list them with a little description.

• IPTables: you can only allow a specific set of IP's to query your DNS. If you can not do that, IPTables allows you a way to put a specific rate per IP. This means you will be able to allow, let's say 3 queries per second per IP, fourth request will be denied. Using IPTables is very fast and accurate, but it needs a little knowledge to set up the right rule.
• Snort in Inline mode: you can put specific DNS rules and block them before they arrive at the DNS server. The inline mode will intercept everything which it is good, but as it is in the middle of the path, a unconfigured, not tuned Snort may be slow or memory hungry and that will have side effects. If Snort goes down, because it is in inline mode, all  network communication will be stalled until it restarts.
• Snort with Snortsam: this is another approach, using Snort with Barnyard2 and Snortsam you can put your Snort as a sniffer (not inline mode) when an event triggers a rule, Barnyard2 will send a signal to Snortsam and it will put the offending IP in a quarantine. If Snorts goes down, network communications won't stop, but you must know that a Snort in sniffer mode may miss some packages.
• Turn on the DNS caching: Bind and PowerDNS have cache. Having a cache will save effort as the information is stored locally for a while. Caching is a double arm, as it may fire back; when you have a long TTL in your cache, and a zone changes its information you won't see it right away, you will need to wait for the cache to expire.

Enjoy!