DNS-server used in DDOS attack

Post Reply
mister_v
Posts: 137
Joined: Sat Jun 20, 2009 5:42 pm

DNS-server used in DDOS attack

Post by mister_v »

Hi,

I received a mail from my host provider
that my DNS server is used to attack other sites.

Is my server hacked?
What can I do about it?
Chris
Site Admin
Posts: 127
Joined: Mon Jul 21, 2008 9:45 am
Location: Leuven, Belgium
Contact:

Re: DNS-server used in DDOS attack

Post by Chris »

I think your host provider is referring to Domain Name Server (DNS) amplification attack.
This does not mean that your server has been hacked.
In short; a Domain Name Server (DNS) amplification attack is a distributed denial of service (DDoS) that uses normal DNS response traffic to overwhelm a victims server.

More information can be found on this site:
http://www.us-cert.gov/ncas/alerts/TA13-088A

your DNS server probably needs too reply on DNS request of your domain or the sub-domains.
like www.yoursite.com, mail.yoursite.com, ...
but not too find the ip-address of yahoo.com, fo example.

The easiest solution is to disable recursion,
so your server will not try too find the ip-address of domains it doesn't know.

Bind9
Add the following to the global options in /var/named/chroot/etc/named.conf

Code: Select all

options {
     allow-query-cache { none; };
     recursion no;
};

Microsoft DNS Server
In the Microsoft DNS console tool:
Right-click the DNS server and click Properties.
Click the Advanced tab.
In Server options, select the Disable recursion check box, and then click OK.

There are other options to limit the (mis)use of your DNS-server.
But this one should stop most of it.

you can test your DNS-server with dig:

Code: Select all

dig yoursite.com @ip-of-dns-server
should give you the ip-addres

Code: Select all

dig yahoo.com @ip-of-dns-server
should respond with a denied request.

Code: Select all

 WARNING: recursion requested but not available
mister_v
Posts: 137
Joined: Sat Jun 20, 2009 5:42 pm

Re: DNS-server used in DDOS attack

Post by mister_v »

Thanks,

I changed the config file and restarted the named-server
Post Reply