Re: Permitting recursion can allow spammers to steal name server resources

From: Greg A. Woods (woods_at_weird.com)
Date: 09/10/03

    Date: Wed, 10 Sep 2003 15:14:10 -0400 (EDT)
    To: Chris Brenton <cbrenton@chrisbrenton.org>

    [ On Tuesday, September 9, 2003 at 22:52:50 (-0400), Chris Brenton wrote: ]
    > Subject: Permitting recursion can allow spammers to steal name server resources
    >
    > _Executive Summary_
    > The default configuration of many domain name servers (DNS) can leave
    > you vulnerable to cache spoofing attacks

    Note such attacks can still come from within your "trusted" networks so
    I'm not sure there's too much point to discussing this problem in
    relation to allowing global recursion.

    Often those same servers which are the target of spammers will also be
    specifically designed to supply recursive caching DNS for vast numbers
    of customer machines, some of which may already be "owned" by spammers
    who have employed cracker tools for this very purpose.

    The real problem here of course lies with the registrars, just as you've
    described. All registrars really must make 100% certain that they're
    not being fooled by what may only be in a server's cache when they check
    that a server is authoritative for the zone being delegated to it.
    Perhaps this can be done by instituting a policy to revoke registrar
    licenses when they fail to implement such checks properly. After all
    this is a much more important security issue than it is an anti-spam
    issue.

    > as well as allow spammers to
    > steal resources from your servers.

    No kidding! ;-)

    > Next the spammer seeks out name servers on the Internet that have been
    > mis-configured to act recursively for anyone. Unfortunately, this
    > appears to be a fairly easy task as testing we performed showed that an
    > overwhelming majority of the exposed name servers on the Internet act
    > recursively.

    This is because there is tremendous utility in allowing arbitrary
    persons to query a cache -- the lack of this ability makes debugging
    certain kinds of DNS related problems very difficult since it turns a
    two-second job into something that can stretch into days while people
    play telephone tag and such. As I'll show below I don't think there's
    any need to employ such drastic measures as completely disabling
    recursive lookups from public networks -- only limiting their impact.

    Note that spammers will also simply (ab)use third party open DNS servers
    to resolve MX records for the domains they are spamming to. This is
    happening with increasing frequency, and while it's usually very easy
    for the operators of the abused server(s) to block the offending
    spammer, such things do take time to discover and diagnose and may
    trigger customer complaints and dissatisfaction in the meantime.

    I've been hoping to find time soon to implement response rate limiting
    for BIND such that only a very limited number of queries per minute will
    be answered for all non-trusted networks.

    In the meantime it may be sufficient to use traffic shaping mechanisms
    to limit the amount of abuse to open cache servers while still allowing
    normal debugging efforts to proceed unhindered.

    Of course all this depends on the registrars implementing better checks
    to guarantee that their domains are only ever delegated to truly
    authoritative nameservers. As I point out at the beginning this really
    has to happen somehow regardless.

    Thank you very much for raising this issue in such a well written report!

    -- 
    						Greg A. Woods
    +1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
    Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
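The policy Woods sketches above (answer only a small number of recursive queries per minute for sources outside the trusted networks, never limit the trusted ones) worked through as an added example. This is not code from the original post or from BIND; the trusted prefixes, the per-minute budget and the query-log lines are constructed assumptions.

```python
"""Per-source limit on recursive answers, with an exemption for trusted networks.

Added example (not from the post or from BIND): sources inside the trusted
networks are always answered; every other source gets at most LIMIT_PER_MINUTE
answers within any 60-second sliding window. All prefixes, limits and log
lines below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed trusted (customer) networks; everything else is "the public Internet".
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
LIMIT_PER_MINUTE = 5   # assumed budget for non-trusted sources
WINDOW_SECONDS = 60


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETWORKS)


class RecursionLimiter:
    """Sliding-window counter of answered recursive queries per source address."""

    def __init__(self, limit: int = LIMIT_PER_MINUTE, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        # source -> timestamps of the queries we actually answered
        self.answered: dict[str, deque] = defaultdict(deque)

    def allow(self, src: str, ts: int) -> bool:
        """Decide whether to answer a recursive query from src arriving at time ts."""
        if is_trusted(src):
            return True                      # trusted networks are never limited
        recent = self.answered[src]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()                 # drop answers that have aged out of the window
        if len(recent) >= self.limit:
            return False                     # budget exhausted: refuse instead of answering
        recent.append(ts)                    # only answered queries consume budget
        return True


# Constructed query log: "<unix-ts> <source> <qname> <qtype>", one recursive query per line.
# 198.51.100.7 stands for an outside host hammering the cache for MX records.
SAMPLE_LOG = """\
1063220050 198.51.100.7 victim.example MX
1063220051 198.51.100.7 victim.example MX
1063220052 198.51.100.7 other.example MX
1063220053 198.51.100.7 other.example MX
1063220054 198.51.100.7 third.example MX
1063220055 198.51.100.7 third.example MX
1063220056 198.51.100.7 fourth.example MX
1063220057 192.0.2.10 www.example A
1063220058 192.0.2.10 www.example A
1063220115 198.51.100.7 fifth.example MX
"""


def evaluate(log: str) -> dict[str, dict[str, int]]:
    """Replay a query log through the limiter; return per-source answered/refused counts."""
    limiter = RecursionLimiter()
    counts: dict[str, dict[str, int]] = defaultdict(lambda: {"answered": 0, "refused": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _qname, _qtype = line.split()
        verdict = "answered" if limiter.allow(src, int(ts)) else "refused"
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, c in evaluate(SAMPLE_LOG).items():
        tag = "trusted" if is_trusted(src) else "public"
        print(f"{src:15} {tag:8} answered={c['answered']} refused={c['refused']}")
```

On the sample log the public host gets its first five queries answered, the next two refused, and is answered again once its earlier answers have aged out of the window, while the trusted host is never limited. Because refused queries do not consume budget, an abuser cannot lock itself (or, more importantly, a spoofed victim address) out indefinitely; later BIND releases ship a comparable mechanism as the built-in rate-limit option.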