Re: Permitting recursion can allow spammers to steal name server resources
From: Greg A. Woods (woods_at_weird.com)
Date: Wed, 10 Sep 2003 15:14:10 -0400 (EDT)
To: Chris Brenton <firstname.lastname@example.org>
[ On Tuesday, September 9, 2003 at 22:52:50 (-0400), Chris Brenton wrote: ]
> Subject: Permitting recursion can allow spammers to steal name server resources
> _Executive Summary_
> The default configuration of many domain name servers (DNS) can leave
> you vulnerable to cache spoofing attacks
Note such attacks can still come from within your "trusted" networks so
I'm not sure there's too much point to discussing this problem in
relation to allowing global recursion.
Often those same servers which are the target of spammers will also be
specifically designed to supply recursive caching DNS for vast numbers
of customer machines, some of which may already be "owned" by spammers
who have employed cracker tools for this very purpose.
The real problem here of course lies with the registrars, just as you've
described. All registrars really must make 100% certain that they're
not being fooled by what may only be in a server's cache when they check
that a server is authoritative for the zone being delegated to it.
Perhaps this can be done by instituting a policy to revoke registrar
licenses when they fail to implement such checks properly. After all
this is a much more important security issue than it is an anti-spam
> as well as allow spammers to
> steal resources from your servers.
No kidding! ;-)
> Next the spammer seeks out name servers on the Internet that have been
> mis-configured to act recursively for anyone. Unfortunately, this
> appears to be a fairly easy task as testing we performed showed that an
> overwhelming majority of the exposed name servers on the Internet act
This is because there is tremendous utility in allowing arbitrary
persons to query a cache -- the lack of this ability makes debugging
certain kinds of DNS related problems very difficult since it turns a
two-second job into something that can stretch into days while people
play telephone tag and such. As I'll show below I don't think there's
any need to employ such drastic measures as completely disabling
recursive lookups from public networks -- only limiting their impact.
Note that spammers will also simply (ab)use third party open DNS servers
to resolve MX records for the domains they are spamming to. This is
happening with increasing frequency and while it's usually very easy
for the operators of the abused server(s) to block the offending
spammer, such things do take time to discover and diagnose and may
trigger customer complaints and dissatisfaction in the meantime.
I've been hoping to find time soon to implement response rate limiting
for BIND such that only a very limited number of queries per minute will
be answered for all non-trusted networks.
In the meantime it may be sufficient to use traffic shaping mechanisms
to limit the amount of abuse to open cache servers while still allowing
normal debugging efforts to proceed unhindered.
Of course all this depends on the registrars implementing better checks
to guarantee that their domains are only ever delegated to truly
authoritative nameservers. As I point out at the beginning this really
has to happen somehow regardless.
Thank you very much for raising this issue in such a well written report!
-- Greg A. Woods +1 416 218-0098 VE3TCP RoboHack <email@example.com> Planix, Inc. <firstname.lastname@example.org> Secrets of the Weird <email@example.com>
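
Added example, not part of the original message and not any registrar's actual procedure: one way to make the delegation check discussed above, by sending a non-recursive SOA query (RD clear) and accepting the server only if its reply carries the AA bit, since a reply served from cache leaves AA clear. The function names, the zone example.com and the sample reply are constructed for illustration.

```python
import secrets, socket, struct

QR, AA = 0x8000, 0x0400  # header flag bits (RFC 1035, section 4.1.1)

def encode_name(name):  # length-prefixed labels, RFC 1035 section 3.1
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError("bad label in %r" % name)
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_soa_query(zone, qid):
    """SOA query with RD cleared, so the server must not recurse for us."""
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", 6, 1))  # SOA, IN

def classify_response(query, response):
    """Return 'authoritative', 'cache-only', 'no-answer' or 'invalid'."""
    if len(response) < 12:
        return "invalid"
    qid, flags, qd, an = struct.unpack("!HHHH", response[:8])
    # Accept only a response (QR set) to our id that echoes our question.
    if qid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "invalid"
    if qd != 1 or response[12:len(query)].lower() != query[12:].lower():
        return "invalid"
    if flags & 0x000F or an == 0:   # non-zero RCODE or empty answer section
        return "no-answer"
    # AA is set only when the server answers from zone data it holds itself.
    return "authoritative" if flags & AA else "cache-only"

def check_server(server_ip, zone, timeout=3.0):
    """Ask one server over UDP (random query id) and classify its reply."""
    query = build_soa_query(zone, secrets.randbelow(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server_ip, 53))   # only accept datagrams from this server
        s.send(query)
        return classify_response(query, s.recv(4096))

def constructed_reply(query, flags):
    """Constructed sample reply: one SOA record, header flags as given."""
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
             + struct.pack("!5I", 2003091001, 3600, 900, 604800, 3600))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + query[12:] + rr

if __name__ == "__main__":
    q = build_soa_query("example.com", 0x2003)
    for flags in (QR | AA, QR | 0x0080):   # zone master, then open cache (RA)
        print(classify_response(q, constructed_reply(q, flags)))
```

A delegation check along these lines would run check_server against every nameserver listed for the zone and refuse the delegation unless each one returns "authoritative".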