{"id":378,"date":"2013-10-26T16:23:15","date_gmt":"2013-10-26T16:23:15","guid":{"rendered":"http:\/\/blog.shineservers.com\/?p=378"},"modified":"2013-10-26T16:23:15","modified_gmt":"2013-10-26T16:23:15","slug":"securing-dns-ddos-amplification-attacks","status":"publish","type":"post","link":"https:\/\/www.shineservers.com\/2013\/10\/26\/securing-dns-ddos-amplification-attacks\/","title":{"rendered":"Securing DNS against DDOS Amplification Attacks"},"content":{"rendered":"<p>When you run a DNS server on your dedicated server, it <em>will<\/em> be the target of DNS amplification attacks. To prevent these attacks from succeeding and using up your bandwidth (which you will pay for), you need to configure your DNS server not to answer recursive queries.<\/p>\n<h1>Check if your server is vulnerable<\/h1>\n<p>You can send a DNS query to your server, e.g. &#8220;thatserver.dedicated.com&#8221;, using <strong>dig<\/strong> or <strong>nslookup<\/strong>.<\/p>\n<pre>dig @thatserver.dedicated.com www.isc.org<\/pre>\n<p>Alternatively:<\/p>\n<pre>nslookup\n&gt; server thatserver.dedicated.com\n&gt; isc.org\nNon-authoritative answer:\nName:    isc.org\nAddress: <strong>1.1.1.1<\/strong><\/pre>\n<p>If the answer includes the IP address of www.isc.org (or isc.org), your server is vulnerable: it did the work of resolving a name it is not authoritative for and handed the result to you, and it will do the same for anyone else who asks.<\/p>\n<h1>Simple solutions<\/h1>\n<p>Often, if you are running a DNS server, you do not actually need it. Turn it off: stop the service and remove the software.<\/p>\n<p>You only need a DNS server on your system for one of the following purposes:<\/p>\n<ul>\n<li>Your DNS server is configured with zone files for domains that you are hosting, and you have asked a DNS registrar (e.g. 
enom.com) to point domains to your DNS server. You will recognise these terms if you have done this. You do not need DNS recursion for this function.<\/li>\n<li>You are unhappy with the quality of the DNS resolver you are using and would rather implement this function yourself. If this is why you have a DNS server, you do not need to answer external queries. You can protect the server with a firewall.<\/li>\n<li>You are providing zone files for a private domain, e.g. as part of Active Directory. In this case you can limit your responses to only those systems that have an interest in that private domain, i.e. members of the Active Directory domain.<\/li>\n<li>You are competing with OpenDNS and Google&#8217;s DNS recursor. If you are doing this, you must implement appropriate rate limits, which is left as an exercise for the reader.<\/li>\n<\/ul>\n<h1>Secure named (bind) on Linux<\/h1>\n<p>Add this to the &#8220;options&#8221; section of <strong>\/etc\/named.conf<\/strong>:<\/p>\n<pre>    recursion no;\n    additional-from-auth no;\n    additional-from-cache no;<\/pre>\n<p>Then restart named so that it uses the new secure options:<\/p>\n<pre>    \/etc\/init.d\/named restart<\/pre>\n<p>For detailed information see <a title=\"http:\/\/www.cymru.com\/Documents\/secure-bind-template.html\" href=\"http:\/\/www.cymru.com\/Documents\/secure-bind-template.html\">http:\/\/www.cymru.com\/Documents\/secure-bind-template.html<\/a><\/p>\n<h1>Secure Microsoft DNS server<\/h1>\n<p>If you have installed or enabled Exchange then you have implicitly turned on DNS, which by default runs as a recursive service and can be horribly attacked. Usually you can just firewall the DNS service.<\/p>\n<p>Run this command:<\/p>\n<pre>    dnscmd . 
\/Config \/NoRecursion 1<\/pre>\n<p>Or follow this procedure:<\/p>\n<pre>    Start | Administrative Tools | DNS (DNS manager)<\/pre>\n<pre>    Right click DNS server | \n        Properties | \n        Advanced | \n        Server options | \n        Disable recursion -&gt; Yes, OK<\/pre>\n<p>Unfortunately, it is <strong>not<\/strong> possible to prevent the Microsoft DNS server from replying with cached values, so even your non-recursive DNS server will provide a small amount of useful traffic amplification for attackers. Where possible, add a firewall rule that blocks incoming traffic from unauthorised clients to port 53\/UDP (and port 53\/TCP for good measure).<\/p>\n<h1>IPtables rules for Linux<\/h1>\n<p>If your DNS server is used only by the machine on which it runs, you can block external queries as follows:<\/p>\n<pre>iptables -A INPUT -p udp -m udp --dport 53 ! -i lo -j DROP<\/pre>\n<p>These iptables rules rate limit <strong>ANY<\/strong> queries to a non-recursive DNS server: ANY queries from a source that repeats them too often (five within 60 seconds) are dropped:<\/p>\n<pre>iptables -A INPUT -p udp -m udp --dport 53 \\\n   -m string --hex-string \"|0000ff0001|\" --algo bm --from 48 --to 65535 \\\n   -m recent --set --name dnsanyquery --rsource<\/pre>\n<pre>iptables -A INPUT -p udp -m udp --dport 53 \\\n   -m string --hex-string \"|0000ff0001|\" --algo bm --from 48 --to 65535 \\\n   -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource \\\n   -j DROP<\/pre>\n<p>If for some reason you have to run an open DNS resolver, you can limit the rate at which you accept queries from each source network:<\/p>\n<pre>iptables -A INPUT -p udp --dport 53 -m hashlimit \\\n--hashlimit-name DNS --hashlimit-above 20\/second --hashlimit-mode srcip \\\n--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP<\/pre>\n<p>If you understand what the above means, you can install these rules on your system.<\/p>\n<h1>Reference information<\/h1>\n<p>You can read more about this 
here:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.publicsafety.gc.ca\/prg\/em\/ccirc\/2009\/av09-011-eng.aspx\">http:\/\/www.publicsafety.gc.ca\/prg\/em\/ccirc\/2009\/av09-011-eng.aspx<\/a> &#8211; securing your server<\/li>\n<li><a href=\"http:\/\/blog.cloudflare.com\/deep-inside-a-dns-amplification-ddos-attack\">http:\/\/blog.cloudflare.com\/deep-inside-a-dns-amplification-ddos-attack<\/a> &#8211; what the attacker is trying to do<\/li>\n<li><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc771738.aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/cc771738.aspx<\/a> &#8211; fixing Microsoft DNS<\/li>\n<li><a href=\"http:\/\/www.cymru.com\/Documents\/secure-bind-template.html\">http:\/\/www.cymru.com\/Documents\/secure-bind-template.html<\/a> &#8211; fixing Linux DNS<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When you run a DNS server on your dedicated server, it will be the target of DNS amplification attacks. To prevent these attacks from succeeding and using up your bandwidth (which you will pay for), you need to configure your DNS server not to answer recursive queries. 
Check if your server is vulnerable You can send a DNS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[60],"tags":[144],"class_list":["post-378","post","type-post","status-publish","format-standard","hentry","category-linux","tag-securing-dns-against-ddos-amplification-attacks"],"acf":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts\/378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/comments?post=378"}],"version-history":[{"count":0,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts\/378\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/media?parent=378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/categories?post=378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/tags?post=378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}