Resolving issues with DNS Open Resolvers

Understanding and discovering DNS security issues

DNS (Domain Name System) is a vital protocol for Internet use, resolving textual, understandable domain names and information to numerical IP addresses - essentially making navigation possible. Put simply, DNS lookups involve the use of a DNS resolver, which queries various servers to establish addresses for sites, then resolving the information received.

While DNS is a fundamentally important part of the Internet, there are a couple of issues to be aware of. It’s possible for DNS servers to be left ‘open’, allowing anyone to use that server maliciously, creating spoofed queries, Resource Records and more.

This openness is often used as a means to generate various attacks: traffic querying the affected server can be sent to false, malicious sites (such as phishing pages), while a high volume of queries can be spoofed to cause a DDoS attack.

Checking whether your DNS server is open is relatively simple. If you’re using services from Exa, we’ll let you know about openness - we check servers on a monthly basis. For non-customers or anyone wanting a quicker check, there’s plenty of testers around, like this DNS Check from ThinkBroadband or The Measurement Factory DNS Checker

Closing DNS servers for security

There’s a wide range of different ways to improve DNS security, dependent on what products are being used. We’ve explained a couple of the most basic ways to close off a DNS server issue below:

First off, DNS generally runs from UDP port 53 - TCP is only used if the response is larger than 512 bytes or for tasks such as Zone Transfers which should be blocked from unauthorized IP’s.

The firewall installed on your server allows admins to block IPs outside of an approved selection, cutting off any illegitimate external traffic. To secure the DNS server in this way, just compile a list of authorised IP addresses and add the root server addresses.

Your list of client IP addresses can also be used to cut off recursive queries (wherein the server is told to keep querying until timeout or answer) for any address outside of an approved range. You’ll find example coding at this Open DNS Resolver guide.

While these instructions are designed to be relatively generic, covering a lot of areas, you can find more detailed information about particular cases on Cisco’s DNS Best Practices page, Microsoft’s guide to disabling recursive queries and other resources. It’s also worth taking a look through this Best Current Practices guide from the ITEF, which explores some more of the issues around DoS attacks.