Hardening DNS Against Reflection Attacks

Generally, the most prevalent types of attacks and the ones which are most likely to target a DNS infrastructure are reflection/amplification attacks (which generally use a DNS servers resources against other third-parties).  Understanding the attack-vector employed in most reflection attacks is necessary in order to understand how to harden an environment against these types of attacks.

In a typical DNS reflection attack, attackers send a large number of queries from a spoofed source address.  The address which is spoofed is typically that of the victim.  When the requests are received by the nameserver, all ensuing responses to these queries are directed back towards the spoofed IP of the victim.  The amplification factor comes into play in these types of attacks because the attacker will typically query for a record of a large size, typically that of a root record which by it’s very nature is very large in size.  By simply sending in small queries, on the order of around 90 Bytes, an attacker can typically get a multiplication factor of five times that of the original query.  This allows an attacker to use a smaller number of hosts in the botnet and cause considerably more impact than would otherwise be possible if these devices were sending traffic directly towards the victim.

Due to the fact that the purpose of this attack is to reflect packets back towards the victim, all of the source IPs of the DNS queries contain the same address.  This makes it fairly easy to spot a reflection attack utilizing your infrastructure.  A simple observation of a spike in DNS queries from a singular IP is a clear indication that this is going on.  One would think that these types of attacks can be mitigated fairly easily by implementing simple ACLs on routers to prevent the incoming queries from those spoofed IP, and in fact that is a method commonly used by network administrators to protect against these types of attacks.  However, most security experts suggest that the filtering should actually be implemented on the nameserver itself – in fact this has been considered an industry best practice for quite some time now.  The reason for this is that implementing an ACLs on a router is largely a reactive countermeasure which can only be deployed after the fact.  An administrator will still need to identify the target of the attack before filters can be put in place; furthermore these types of filters only serve to cause a legitimate Denial of Service when that particular victim actually attempts to query anything for which the nameserver is actually authoritative for.  As an alternative to ACLs, some proposed configurations below can be used to eliminate this problem in it’s entirety.

At the very onset of your investigation into the vulnerabilities of your DNS infrastructure and potential remedies one of the very first things a network administrator must determine is if the nameservers allow anyone on the outside world to query for root (.).  Using the example below, one can easily check to see if their nameserver responds with a root-referral when queried for root.  If you see something along these lines, you can be fairly certain your nameserver is responding with a root-referral:

/usr/bin/dig . NS @dns.example.com
 
; <<>> DiG 9.2.4 <<>> . NS @DNS.EXAMPLE.COM ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54368 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
 
;; QUESTION SECTION:
;. IN NS
 
;; ANSWER SECTION:
. 86400 IN NS A.ROOT-SERVERS.NET.
. 86400 IN NS B.ROOT-SERVERS.NET.
. 86400 IN NS C.ROOT-SERVERS.NET.
. 86400 IN NS D.ROOT-SERVERS.NET.
. 86400 IN NS E.ROOT-SERVERS.NET.
. 86400 IN NS F.ROOT-SERVERS.NET.
. 86400 IN NS G.ROOT-SERVERS.NET.
. 86400 IN NS H.ROOT-SERVERS.NET.
. 86400 IN NS I.ROOT-SERVERS.NET.
. 86400 IN NS J.ROOT-SERVERS.NET.
. 86400 IN NS K.ROOT-SERVERS.NET.
. 86400 IN NS L.ROOT-SERVERS.NET.
. 86400 IN NS M.ROOT-SERVERS.NET.
 
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 86400 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 86400 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 86400 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 86400 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 86400 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 86400 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 86400 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 86400 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 86400 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 86400 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 86400 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 86400 IN A 202.12.27.33
 
;; Query time: 43 msec
;; SERVER: www.example.com#53(www.example.com)
;; WHEN: Thu Nov 12 17:01:51 2009
;; MSG SIZE rcvd: 436

Normally, most Internet-facing authoritative nameservers should not respond to recursive third-party queries for root.  If an authoritative nameserver responds to queries for root with a root-referral, attackers will likely use your nameservers as an amplification vector to launch attacks.  It is better to remove the temptation altogether, by not allowing these in the first place.  Furthermore, instead of responding with the root-referral, nameservers should be configured to respond with REFUSED or SERVFAIL or another similar type of message.  The reason for this is simple – a REFUSED message is only on the order of around 50 Bytes.  If a countermeasure such as this is not employed, attackers can send in a relatively small spoofed query and will get roughly a 512 Byte response.  However, if we respond with a REFUSED message, the amplification factor is on the order of 1:1.  From an efficiency standpoint this does not provide much if any amplification, and therefore the attackers will simply look for other providers whom don’t apply such stringent security measures.

NOTE: Of course if you are in the business of providing recursive DNS service, that is an entirely different story – if that is the case, network administrators should take extra precautions by strictly enabling this function on the Recursive DNS servers (not the Authoritatives) and combining firewall-filters to limit recursive service to only IP blocks of paying customers.

While we’re on the subject, another current best practice in the industry is to apply a similar methodology to requests for records for which a given DNS Server is not authoritative for.  Some resolvers may respond to these types of requests by providing a root-referral, and in the worst cases a resolver may actually perform a recursive query on behalf of the original source.  An authoritative resolver should respond to any non-existent domain requests with either the REFUSED message or other similar type of message, rather than providing a root referral or performing a recursive query.  In fact, BCP 140 (Preventing Use of Recursive Nameservers in Reflector Attacks, RFC 5358) looked at this problem and concluded that sending REFUSED was the best general guidance that can be given.  While BCP 140 applies guidance to recursive servers, returning REFUSED to queries which are not within the namespace served by authoritative servers is entirely consistent with BCP 140.  You can generally find out if your nameservers allows for recursion or if it responds with a root-referral, by using a command such as the following:

/usr/bin/dig +recurs @yournameserver_ip www.facebook.com

If you see a response which looks like the large root-referral response above, or some other type of response other than a REFUSED or SERVFAIL, you should take steps to harden your resolver.  One can also look for an “RA” entry in the “Flags” section of the DNS response which should give you some indication as to whether the resolver allows for recursion.

In conclusion, there are several such steps which allow administrators to prevent from being used as an unwitting pawn in an attack against third-parties.  Firewall filters are effective, but are reactive in nature.  Therefore, it is recommended to follow some of the steps below in order to effectively harden your DNS infrastructure against reflection attacks.

SYNOPSIS – Steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

  1. Disable querying for root on Authoritative resolvers, return REFUSED
  2. Filter queries to Recursives from only paying customers, via ACLs
  3. Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.

An excellent whitepaper entitled “Anatomy of Recent DNS Reflector Attacks from the Victim and Reflector Point of View” by Ken Silva, Frank Scalzo and Piet Barber covers this topic in more detail.

6 Replies to “Hardening DNS Against Reflection Attacks”

  1. I would strongly argue against using SERVFAIL as this states that the server is broken or misconfigured. Since you are advocating a specific configuration choice (and a good idea), returning REFUSED is much better. Having operated name servers since RFC 1034/1035 was released I continue to be surprised as how often they are misconfigured and would prefer that SERVFAIL only be used for genuine failures, not for cases like this where there is clear intention to configure the server to behave a certain way.

  2. This is the perfect blog for everyone who wishes to find out about this topic.

    You know a whole lot its almost hard to argue with you (not that I personally would want to… HaHa). You definitely put a new spin on a topic which has been written about for many years.

    Wonderful stuff, just great!

Leave a Reply

Your email address will not be published. Required fields are marked *