Last week one of my dearest customers was worried about having enabled recursion on his server. I think he does not understand very well what this means and why it is sometimes considered a security flaw. After discussing it with him, I promised him I would write an article explaining it. So here it is.
You should know he has hired me for the PowerDNS plugin with a Low Latency Algorithm. So far, the server works as expected.
Recursive DNS Flow
A recursive DNS server does all the resolution work itself and answers the client with the final IP; the client's only involvement is the original DNS request. The image shows the flow; I will walk through it step by step.
- The client (computer, IP phone) sends a DNS request for a hostname's IP to its configured DNS server (the local DNS server).
- The DNS server receives the request. Since, as we expect, it does not host the zone locally, it asks a root server which server is responsible for the TLD.
- The root server answers with the IP of the TLD server.
- The DNS server asks the TLD server where the zone (inside-out.xyz) is hosted.
- The TLD server answers with the IP of the name server. The name server is where you put your zone information; usually it is a server at your web hosting provider.
- The DNS server asks the name server the specific hostname query.
- The name server answers it.
- The DNS server forwards the answer back to the client.
Why is this considered a Security Flaw?
Well, this is sometimes an unfair question. Recursive DNS is not a security flaw by itself. It is the way they are used; having knives in your kitchen is not an issue, the issue is how you use them. This is the same situation with recursive DNSes.
Recursion requires more processing on the server. This means that if a compromised machine is flooding your DNS server with queries, you will soon have a DoS, and legitimate clients will no longer get service from it. Admittedly, this only happens if you run a small machine or have no other countermeasures in place.
The reason recursive servers may be considered a security risk is that they answer anyone, so they can be abused as proxies to overload other servers.
How do I verify if my DNS has recursion on?
Type the following command:
dig test.openresolver.com TXT @YOUR_DNS_IP
If your server has recursion on, you will see output like this:
; <<>> DiG 9.10.2-P4 <<>> test.openresolver.com TXT @YOUR_DNS_IP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.openresolver.com. IN TXT
;; ANSWER SECTION:
test.openresolver.com. 14400 IN TXT "open-resolver-detected"
;; Query time: 153 msec
;; SERVER: 192.168.7.57#53(YOUR_DNS_IP)
;; WHEN: dim déc 06 17:48:11 EST 2015
;; MSG SIZE rcvd: 74
If your server has recursion off, you will see output like this:
; <<>> DiG 9.10.2-P4 <<>> test.openresolver.com TXT @YOUR_DNS_IP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46483
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;test.openresolver.com. IN TXT
;; Query time: 75 msec
;; SERVER: 45.63.69.211#53(YOUR_DNS_IP)
;; WHEN: dim déc 06 17:48:17 EST 2015
;; MSG SIZE rcvd: 50
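As an added example (not part of the original article), here is a small POSIX shell helper that classifies a server from dig's text output using the two signals the outputs above show: the status field and the ra (recursion available) flag. The sample outputs embedded in it are constructed from the two dig runs above; the dig wrapper is mine and needs network access.

```shell
# Added example, not from the original article: classify a server from
# dig's text output using the "status" field and the "ra" flag.

# classify_dig_output reads dig output on stdin and prints one word:
#   open      -> the server set "ra": it recursed on our behalf
#   closed    -> it answered without "ra" (typically status REFUSED)
#   no-answer -> no header at all (timeout, filtered port, ...)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    [ -n "$status" ] || { echo no-answer; return 0; }
    case " $flags " in
        *" ra "*) echo open ;;
        *)        echo closed ;;
    esac
}

# check_resolver DNS_IP runs the article's dig command and classifies the
# result. It needs network access, so it is not exercised by the samples.
check_resolver() {
    dig +time=3 +tries=1 test.openresolver.com TXT "@$1" | classify_dig_output
}

# Constructed samples, modelled on the two dig outputs above.
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
test.openresolver.com. 14400 IN TXT "open-resolver-detected"'

CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46483
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'

# Stand-alone run: classify the samples, then any server IPs given as args.
for s in "$OPEN_SAMPLE" "$CLOSED_SAMPLE" "$TIMEOUT_SAMPLE"; do
    printf '%s\n' "$s" | classify_dig_output
done
for ip in "$@"; do
    printf '%s: ' "$ip"; check_resolver "$ip"
done
```

A server that is authoritative for the queried zone answers NOERROR without ra; the helper reports that as closed, which is the right reading for this test.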
How do I turn off recursion in my DNS and how do I protect it?
Each DNS server has its way of dealing with it. I will talk here only about Bind and PowerDNS.
Bind
Edit your named.conf file and make sure the options block contains something like this:
options {
recursion no;
additional-from-auth no;
additional-from-cache no;
};
You will certainly have more options in the options block; just make sure at least these three are included. Don't forget to restart the daemon.
PowerDNS
The PowerDNS architecture is very different from Bind's. There are two main components: PowerDNS (the authoritative server) and PowerDNS Recursor. The Recursor is responsible for resolving non-local zones. I will assume you have it up and running.
Edit your recursor.conf file and look for the allow-from parameter; you may have something like this:
allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
You will also need to edit your pdns.conf file and look for the allow-recursion parameter; set it to something that fits your needs. The default value is 0.0.0.0/0, which means everybody.
allow-recursion=192.168.1.0/24
Change this line to your needs and don't forget to restart your daemons.
Other countermeasures
There are many ways; since this article is not about one specific solution, I will only list them with a short description.
- IPTables: you can allow only a specific set of IPs to query your DNS. If you cannot do that, IPTables lets you set a rate limit per source IP: allow, say, 3 queries per second per IP, and the fourth request is denied. IPTables is very fast and accurate, but it takes some knowledge to write the right rule.
- Snort in inline mode: you can write specific DNS rules and block matching traffic before it reaches the DNS server. Inline mode intercepts everything, but because it sits in the middle of the path, an unconfigured, untuned Snort may be slow or memory-hungry, with side effects. If Snort goes down, because it is inline, all network communication stalls until it restarts.
- Snort with SnortSam: this is another approach. Using Snort with Barnyard2 and SnortSam, you run Snort as a sniffer (not inline); when an event triggers a rule, Barnyard2 signals SnortSam, which puts the offending IP in quarantine. If Snort goes down, network communication does not stop, but be aware that Snort in sniffer mode may miss some packets.
- Turn on DNS caching: Bind and PowerDNS both have a cache. Caching saves work because answers are stored locally for a while. It is a double-edged sword, though: with a long TTL in your cache, when a zone changes its information you won't see the change right away; you have to wait for the cached entry to expire.
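As an added example (not from the original article), the IPTables approach above written out as a rule set: trusted networks query freely, every other source IP is limited to a rate per second using the hashlimit match. The chain name, the trusted networks, the rate and the burst are my assumptions; adjust them to your site, and set IPT="echo iptables" to print the commands instead of applying them.

```shell
# Added example, not from the original article: iptables rules for the
# per-source rate limit described above. Assumptions (adjust to your site):
# the server listens on udp/tcp 53, TRUSTED lists your own client networks,
# and other sources get RATE queries per second with a burst of BURST.
# Set IPT="echo iptables" to print the commands instead of applying them.
IPT=${IPT:-iptables}
TRUSTED=${TRUSTED:-"192.168.1.0/24 10.0.0.0/8"}
RATE=${RATE:-3/second}
BURST=${BURST:-5}

dns_rate_limit_rules() {
    # Own chain, so the DNS rules can be reloaded without touching INPUT.
    $IPT -N DNS_IN 2>/dev/null || $IPT -F DNS_IN
    # Your own clients are never rate limited.
    for net in $TRUSTED; do
        $IPT -A DNS_IN -s "$net" -j ACCEPT
    done
    # Anyone else: once a single source IP exceeds RATE (after BURST
    # packets), further queries from that IP are dropped.
    $IPT -A DNS_IN -m hashlimit --hashlimit-name dns_src \
        --hashlimit-mode srcip --hashlimit-above "$RATE" \
        --hashlimit-burst "$BURST" -j DROP
    $IPT -A DNS_IN -j ACCEPT
    # Send port 53 traffic to the chain (delete first so reloads don't
    # leave duplicate jumps; -D fails harmlessly when no jump exists).
    for proto in udp tcp; do
        $IPT -D INPUT -p "$proto" --dport 53 -j DNS_IN 2>/dev/null || true
        $IPT -I INPUT -p "$proto" --dport 53 -j DNS_IN
    done
}
```

Run dns_rate_limit_rules as root once the variables suit you; the hashlimit state is per source IP, so one flooding host is throttled without affecting the others.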
Enjoy!