Close Open-Resolver

Customer/Project: CCC

Version/Date: 1.0 19.08.2013

Author(s): green.ch Authors


1 Content

1 Content ... 2
2 General Information ... 3
2.1 Purpose of this document ... 3
2.2 How does a DNS-Amplification Attack work? ... 3
2.3 Counter-measures ... 4
2.3.1 What are PC-Zombies and how can one protect their PC ... 4
2.3.2 Deactivate Open Resolver ... 4
2.3.3 Check Server or DNS connection ... 5
3 Close Open Resolver ... 6
3.1 DSL Modem/Router ... 6
3.1.1 Close Open Resolver with Zyxel P660 (Similar with other Zyxel devices) ... 6
3.1.2 Close Open Resolver with Fritz!Box 7390 (Workaround) ... 7
3.2 Windows DNS Server ... 10
3.3 Bind DNS Server ... 12


2 General Information

2.1 Purpose of this document

Open DNS servers in the internet pose a high risk. Through so-called DNS Amplification Attacks, open DNS servers are misused for attacks on any desired target. This causes damage to the victims. In addition, the network infrastructure is unnecessarily burdened. Therefore it is necessary that open DNS servers are either closed or that the IP ranges whose requests they respond to are restricted.

This document explains how to configure the DNS server so that it can no longer be misused by an attacker.

2.2 How does a DNS-Amplification Attack work?

Combining IP spoofing and open recursion, the attackers carry out a DNS amplification DDoS attack as follows:

1. The attacker collects a „Zombie-Army“. These consist mostly of compromised PCs in the internet.

2. In the zone file of his own (or hacked) name server he writes an Overhead, which generates answer packets as large as possible.

3. The attacker commands his „Zombies“ to continuously send DNS requests for the manipulated zone file. The Zombies send these requests first to an open DNS server, using the IP address of the target as the sender IP address.

4. If the open DNS server has not yet sent a request for the compromised zone file, it does so now. The DNS server takes the result (the Overhead) into its cache.

5. The open DNS server now thinks that it is sending the answer back to a Zombie. However, because the IP was fake (IP spoofing), the answer is sent to the victim.

6. Now the victim is flooded with unnecessarily large answer packets. The large DNS answers are delivered to the victim in several IP packets, which then have to be reassembled there. This A) increases the computing load and B) prevents the victim from recognising the DNS attack quickly and initiating counter-measures.

The results are devastating. Depending on the counter-measures and the robustness of the target DNS server, the functionality of the DNS server will be strongly limited or, in the worst case, stopped. Services for which name resolution was provided by the DNS server are no longer accessible. In addition to the repair work, this causes economic damage to the victim.

2.3 Counter-measures

Unfortunately, it is not possible to prevent such attacks in general. However, an attacker can be deprived of his „tools“. This can be done at two points:

1. At the Zombie botnet
2. At the Open Resolvers

2.3.1 What are PC-Zombies and how can one protect their PC

A Zombie botnet usually consists of a collection of infected computers. Every computer that is connected to the internet can be infected with malware or viruses. Once the computer is infected, it becomes a Zombie and follows the commands of its „Master“. In the case explained here, this happens in connection with a DNS Amplification attack. By regularly scanning one's computer for viruses and malware with a current anti-virus program, one can easily counteract this. In addition, one can prevent a virus attack by not opening any unknown attachments in e-mails and by only surfing on trustworthy sites.

2.3.2 Deactivate Open Resolver

Open Resolvers are DNS systems which are operated, consciously or unconsciously, by internet users. These do not necessarily have to be DNS servers. There are also DSL modems which work as Open Resolvers in their standard configuration (Example: ZyXEL P66R-D1).

DNS servers such as BIND or the Windows DNS Server can also be configured as Open Resolvers. To fix the problem, recursion on the DNS servers must be switched off. In addition, it should be defined for each DNS server which IP range is allowed to send DNS requests (for example only the own network). This prevents strangers from abusing the Open Resolver.

With modems that work as Open Resolvers, the function can generally be switched off in the configuration.


2.3.3 Check Server or DNS connection

With a simple trick, any user can test themselves whether their server or DSL device is an Open Resolver. NOTE: The test computer must not be located in the same network as the DNS server. Perform the test from an independent internet access.

1. Identify the IP address which you want to check. With a server, this should be known. With a DSL connection you should be able to see it on the website www.wieistmeineip.de .

2. Open the Windows Command Processor (CMD).

3. Enter the following commands in the command window:
a) nslookup -q=all (Enter)
b) server <the identified IP address> (Enter) Example: server 8.8.8.8
c) green.ch (Enter)

4. If you receive an answer similar to Figure 3, you very probably have an Open Resolver in your system.


5. If you receive a time-out as shown in the figure below, no Open Resolver is being operated.
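The same check, written as an added Python script that is not part of the original document: it sends one recursive query from an outside network to the IP identified in step 1 and reads the RA (recursion available) flag and the response code from the reply header, which is what the nslookup answer or time-out in steps 4 and 5 shows. The transaction ID and the sample replies are constructed values.

```python
import socket
import struct

# Transaction ID for the constructed query and sample replies below (assumed value).
TXID = 0x1234

def build_query(name, txid=TXID, qtype=1):
    """Build a minimal DNS query (one question, class IN) with the RD bit set."""
    flags = 0x0100                                   # RD = 1: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(resp, txid=TXID):
    """Return 'open-resolver', 'closed' or 'malformed' from the DNS header flags."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:           # wrong ID or QR bit not set
        return "malformed"
    ra = bool(flags & 0x0080)                        # RA = 1: server offers recursion
    rcode = flags & 0x000F                           # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
    if ra and rcode in (0, 3):                       # it recursed for an outsider: open
        return "open-resolver"
    return "closed"                                  # REFUSED, or authoritative-only reply

def check_resolver(ip, name="green.ch", timeout=3.0):
    """Send the query over UDP/53 to the IP from step 1 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"                         # step 5 of the text: no open resolver
    return classify_response(data)

# Constructed sample replies (headers only, not captured from any real server):
OPEN_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)       # QR, RD, RA, NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)    # QR, RD, RCODE=5
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", TXID, 0x8500, 1, 1, 0, 0)  # QR, AA, RD, no RA

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]))              # e.g. python check.py 8.8.8.8
```

As in the text, run it from a network other than the one the DNS server serves; from inside the allowed range a correctly restricted server will still answer.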

3 Close Open Resolver

3.1 DSL Modem/Router

Should your DSL modem operate as an Open Resolver, please consult the instructions for your device. The following is an example with a Zyxel modem (P660R).

3.1.1 Close Open Resolver with Zyxel P660 (Similar with other Zyxel devices)

The default settings of the Zyxel P660 include a DNS server that is open towards the internet. You can close the open DNS server in the web console under „Advanced - Remote MGMT – DNS“. Proceed as follows:

1. Open a browser and enter 192.168.1.1 in the address field.

2. Log in with your username and password. If you haven’t changed the password, the following standard values should work.

Username: admin Password: 1234

3. Then, go to „Advanced - Remote MGMT – DNS“ and set the „Access Status“ from WAN to LAN.

4. Click on „Apply“ to save the settings.


3.1.2 Close Open Resolver with Fritz!Box 7390 (Workaround)

As soon as one deactivates NAT in the network settings of a Fritz!Box 7390, the Fritz!Box 7390 operates as an Open Resolver. Should the NAT setting need to stay deactivated, you can close the Open Resolver with the following workaround:

1. Open your browser and enter the IP of your Fritz!Box 7390. The standard IP of the Fritz!Box 7390 is 192.168.178.1.

2. Log into the console with password.

3. Use this opportunity to check the firmware version and update it if necessary. This step is optional, however it is recommended!

4. Switch the console to Expert-Mode. For this, click on „View: Standard“.

Then, the line should look like this:


5. Now, click on „Internet Account Information“ and choose the tab „DNS-Server“. Choose „Use other DNSv4-Server“ and enter the IP 255.255.255.255 in the fields „Preferred DNSv4-Server“ and „Alternative DNSv4-Server“. Click on „Apply“ to save the settings.

The second option to close your Open Resolver is to reactivate NAT.

1. Log into the console of Fritz!Box as described in the previous instructions and activate the Expert-Mode.

2. Then, go to „Home Network – Network – Network settings“ and click on „IPv4-Addresses“.

3. Untick the box for „Disable NAT“ and click on OK to apply the changes.


3.2 Windows DNS Server

1. Open the „Server Manager“

2. Choose the DNS-Server (right mouse-click) and go to „Properties“


3. In the tab „Advanced“ check the box for „Disable recursion (also disables forwarders)”

4. In the tab „Interfaces“, define which IP addresses are valid for DNS requests.


3.3 Bind DNS Server

Complete instructions are not given here, since the configuration of Bind is very complex. Therefore only two tips are given on how to make an open Bind9 server a little more secure.

The settings have to be entered in the file named.conf.options .

1. Should you not need recursion, simply switch it off. This is done by entering the following in named.conf.options: recursion no;

Please do not forget to restart the service after saving the changes. In Debian and Ubuntu one does this with the command /etc/init.d/bind9 restart. Pay close attention to the syntax in named.conf.options! A small typing error and the service will refuse to restart.

2. Limit external access to your DNS server. This is done by entering the following in named.conf.options: allow-recursion { 192.168.1.0/24; 80.1.1.1; }; recursion yes; This means that only computers from the defined internal or external networks receive a recursive answer from the DNS server. The IP addresses need to be adapted to your configuration.
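The two tips combined into one named.conf.options fragment, as an added example that is not from the original document: the open setting is shown commented out above the restricted one, the networks are the ones used in the text and must be replaced by your own, and the acl name „trusted“ is an assumption.

```conf
// Before: recursion for everyone, i.e. an open resolver
// options {
//     recursion yes;
// };

// After: recursion only for the networks listed in the acl
acl "trusted" {
    127.0.0.1;          // the server itself
    192.168.1.0/24;     // internal network from the text (adapt to your own)
    80.1.1.1;           // single external host from the text (adapt or remove)
};

options {
    recursion yes;
    allow-recursion { trusted; };     // recursive answers only for trusted
    allow-query-cache { trusted; };   // outsiders cannot read cached answers either
    allow-query { any; };             // own authoritative zones stay reachable
};
```

Run named-checkconf before restarting; it reports the syntax errors that would otherwise keep the service from starting.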