Restrict DNS Queries

A DNS server typically allows any client to connect to it and query the domains it hosts. Some open resolvers, however, also accept recursive queries for any domain. While you should allow access from your local and trusted networks on your resolving DNS server, both recursive and non-recursive queries from external clients should be denied in order to prevent spoofing or cache snooping.

An open resolver can also be abused for DDoS attacks: a small UDP request produces a much larger reply, which can be directed at a spoofed source address. Given a reasonable number of open resolvers, the amplification factor of this attack can be severe.

If denying all queries from external clients is not an option, you can tweak the allow-recursion directive so that only non-recursive queries are accepted from the outside. A successful recursive query makes your DNS server fully resolve the requested name by querying the other servers in the domain's delegation chain on behalf of the client; a non-recursive query only makes your server reply with a referral to the first DNS server in that chain (usually a root server or a top-level domain server).

In this example, you can see that a recursive query to 10.1.7.1 provides all the information you need in the reply:

$ dig www.google.com

; <<>> DiG 9.3.0 <<>> @fuse.inversepath.com www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16374
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       64.233.161.99
www.l.google.com.       300     IN      A       64.233.161.104
www.l.google.com.       300     IN      A       64.233.161.147

;; AUTHORITY SECTION:
l.google.com.           86400   IN      NS      g.l.google.com.
l.google.com.           86400   IN      NS      a.l.google.com.
l.google.com.           86400   IN      NS      b.l.google.com.
l.google.com.           86400   IN      NS      c.l.google.com.
l.google.com.           86400   IN      NS      d.l.google.com.
l.google.com.           86400   IN      NS      e.l.google.com.

;; SERVER: 69.60.119.224#53(fuse.inversepath.com)

Now restrict recursive queries to a trusted access list (the xfer ACL referenced below is assumed to be defined elsewhere in named.conf):

acl "trusted" {
        192.168.1.0/24;
        localhost;
};

options {
        allow-transfer { xfer; };
        // allow-recursion is the directive that limits recursion to the ACL
        allow-recursion { trusted; };
        allow-query { trusted; };
};

Here is the output of the previous example against the new configuration. You can see that you are now referred to the root servers instead of getting an answer:

$ dig www.google.com

; <<>> DiG 9.3.0 <<>> @fuse.inversepath.com www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34444
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; AUTHORITY SECTION:
.                       518398  IN      NS      M.ROOT-SERVERS.NET.
.                       518398  IN      NS      A.ROOT-SERVERS.NET.
.                       518398  IN      NS      B.ROOT-SERVERS.NET.
.                       518398  IN      NS      C.ROOT-SERVERS.NET.
.                       518398  IN      NS      D.ROOT-SERVERS.NET.
.                       518398  IN      NS      E.ROOT-SERVERS.NET.
.                       518398  IN      NS      F.ROOT-SERVERS.NET.
.                       518398  IN      NS      G.ROOT-SERVERS.NET.
.                       518398  IN      NS      H.ROOT-SERVERS.NET.
.                       518398  IN      NS      I.ROOT-SERVERS.NET.
.                       518398  IN      NS      J.ROOT-SERVERS.NET.
.                       518398  IN      NS      K.ROOT-SERVERS.NET.
.                       518398  IN      NS      L.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     604798  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     604798  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     604798  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     604798  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     604798  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     604798  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     604798  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     604798  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     604798  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     604798  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     604798  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     604798  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     604798  IN      A       202.12.27.33

;; SERVER: 69.60.119.224#53(fuse.inversepath.com)
;; WHEN: Sat Nov  4 17:36:13 2006
;; MSG SIZE  rcvd: 451

For a complete lockout, restrict both recursive and non-recursive queries to your trusted access list and, of course, explicitly allow queries for your own zones so that they remain resolvable from the outside:

options {
        allow-transfer { xfer; };
        allow-recursion { trusted; };
        // denies everything not matched by a more specific zone-level allow-query
        allow-query { trusted; };
};

zone "ourdomain.com" {
        type master;
        file "ourdomain.com";
        // the authoritative zone stays queryable by anyone
        allow-query { any; };
};

The example query for an external name now returns no results at all; the server answers with status REFUSED:

$ dig www.google.com

; <<>> DiG 9.3.0 <<>> @fuse.inversepath.com www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31561
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; SERVER: 69.60.119.224#53(fuse.inversepath.com)
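The three replies shown above (full answer, root referral, REFUSED) can be told apart from the DNS header alone, which makes the check easy to script for your own servers. The following script is an added example, not part of the original hack: it sends the same A query for www.google.com with the RD bit set, then maps the reply's flags (qr, rd, ra), status and section counts onto those three cases; the server address is a command-line argument and the category names are my own.

```python
import socket
import struct

# Header flag bits (RFC 1035): QR, RD and RA, plus the low 4-bit RCODE.
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234, rd=True):
    """Build a minimal A/IN query; rd=False asks for a non-recursive lookup."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Return the fields dig prints in its HEADER and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "answer": an, "authority": ns, "additional": ar}

def classify(resp):
    """Map a reply for an external name onto the three cases from the text."""
    h = parse_header(resp)
    if h["status"] == "REFUSED":
        return "locked-down"          # allow-query denies this client entirely
    if h["ra"] and h["answer"] > 0:
        return "open-resolver"        # server recursed on our behalf: needs fixing
    if h["answer"] == 0 and h["authority"] > 0:
        return "referral-only"        # recursion denied, pointed at root/TLD servers
    return "unknown"

def check_server(server, name="www.google.com", timeout=3.0):
    """Send the recursive query over UDP and classify the reply (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from an address outside the trusted ACL: "referral-only" or "locked-down" is what you want to see, "open-resolver" means the allow-recursion restriction is not in effect for that client.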
