DNS Recursion - Open DNS Servers

"On 2008 July 08, Tuesday, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it's important for all businesses to immediately update their networks.

This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations."

• 2008-07-08 - Multiple DNS Implementations Vulnerable to Cache Poisoning
  US-CERT National Cyber Alert System
  Technical Cyber Security Alert TA08-190B

"An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control."

Further Discussion at WebmasterWorld...

• 2008-07-08 - Serious flaw found in Domain Name System
  DNS at Risk From Multivendor Cache Poisoning

Previous DNS Recursion Coverage

On 2006 March 13, Monday, we posted a topic at WebmasterWorld concerning a threat that has been lying dormant for years and has now become a mainstream concern. It all has to do with your DNS servers and recursion, specifically allowing non-authoritative DNS queries. Most may not need to be concerned with this, but those who fail should definitely address the problem.

"One or more of your name servers reports that it is an open DNS server. This usually means that anyone in the world can query it."

Are your DNS Servers open for DNS Recursion? Run a DNS Report and find out.

• 2006-03-13 - DNS Recursion - Open DNS Servers
  Allowing DNS Recursion is like running an Open SMTP Relay. This is a WebmasterWorld Featured Home Page Discussion about DNS Recursion.

Open DNS Servers - Katrina of Internet Storms

• Fixing Open DNS Servers
  These instructions show you how to completely disable recursion, this is best practice. However, if you need to run a DNS server that is both authoritative and recursive/caching, you will need to check the DNS server documentation to find out how to enable recursive lookups only for your local network.
• The Continuing Denial of Service Threat Posed by DNS Recursion (.pdf)
  US-CERT (United States Computer Emergency Readiness Team) has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS requests.
  • 2006-03-30 - v2.0 Update (.pdf)
    US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.

2008 News on DNS Recursion

• 2008-07-08 - Multiple DNS Implementations Vulnerable to Cache Poisoning
  US-CERT National Cyber Alert System
  Technical Cyber Security Alert TA08-190B

2006 News on DNS Recursion

• 2006-03-31 - DNS Amplification Attacks (.pdf)
  In early February 2006, name servers hosting Top Level Domain zones were the repeated recipients of extraordinary heavy traffic loads. Analysis of traffic by TLD name server operators and security experts at large confirmed that DNS packets comprising the attack traffic exhibited characteristics associated with previously attempted DDoS attacks collectively known as amplification attacks.
• 2006-03-31 - DNS Recursion Attacks - v2.0 Update
  US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.
• 2006-03-30 - Banks Hit With New Spoofing Attacks
  Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.
• 2006-03-29 - DNS Hackers Target Domain Registrars
  Network Solutions and Joker.com hit by DDoSsers. More to follow? Hackers have launched distributed denial of service attacks against the Domain Name System (DNS) servers of a brace of domain name registrars over recent days.
• 2006-03-26 - Domain Registrar Joker Hit By DDoS
  Domain registrar Joker.com says its name servers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany.
• 2006-03-24 - DNS Servers Do Hackers Dirty Work
  Cyber criminals are using DNS servers, the phonebooks of the Internet, to amplify their assaults and disrupt online business.
• 2006-03-20 - SecuriTeam™ - DNS Amplification Attacks
  This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.
• 2006-03-17 - DNS Amplification Attacks (.pdf)
  This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets. The risks involved with the recursive name server feature, as well as those of packet spoofing are well known, yet have been treated more as a theoretical issue.
• 2006-03-17 - DNS Recursion Leads to Nastier DoS Attacks
  A new kind of denial-of-service (DoS) attack has emerged that delivers a heftier blow to organisations' systems than previously seen DoS threats, according to VeriSign's security chief.
• 2006-03-13 - DNS Recursion - Open DNS Servers
  On 2006 March 13, Monday, we posted a topic at WebmasterWorld concerning a threat that has been lying dormant for years and has now become a mainstream concern. It all has to do with your DNS servers and recursion.
• 2006 March - DNS Cache Poisoning - Definition and Prevention (.pdf)
  DNS cache poisoning consists of changing or adding records in the resolver caches, either on the client or the server, so that a DNS query for a domain returns an IP address for an attacker’s domain instead of the intended domain.
• 2006-02-28 - Recursive DNS Servers as a Growing DDoS Problem
  The attack currently in the wild is a lot bigger and more complicated than this, but to begin, here is an explanation.
• 2006-02-10 - Payment Gateway StormPay Battling Sustained DDoS Attack
  Payment gateway StormPay is recovering from a distributed denial of service attack (DDoS) that has kept its web site offline for much of the past two days.
• 2006-02-02 - HP Tru64 UNIX BIND4/BIND8 DNS Cache Poisoning Vulnerability
  The vulnerability is caused due to an error in DNS BIND4 and BIND8 when they are configured to be used as the target name server for DNS forwarders. This can be exploited in DNS cache poison attacks to e.g. redirect DNS clients to malicious or spoofed websites.

2005 News on DNS Recursion

• 2005-10-25 - Old Software Weakening Net's Backbone
  Many Domain Name System servers are wrongly configured or running out-of-date software, leaving them vulnerable to malicious attacks.
• 2005-10-24 - 75-84% Provide Recursive Name Services
  New survey reveals more than 75 percent of authoritative name servers have an increased vulnerability to DNS Pharming Attacks.
• 2005-10-04 - The Sorry State of the Domain Name Game
  What are companies doing to overcome this visible weakness? Not much. Most will continue to let problems linger and experience hours of unplanned downtime each year. About 230,000 name servers, or roughly 10 percent of those scanned, were susceptible to DNS Cache Poisoning.
• 2005-08-17 - So You Think You're Safe from DNS Cache Poisoning?
  However, this certainly isn't a problem limited to DNS software. And the problem is much bigger than the canonical BIND software.
• 2005-08-03 - DNS Servers - An Internet Achilles' Heel
  Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.
• 2005-04-10 - Illustrating a DNS Cache Poisoning Incident
  A user types in www.example.com and two browser windows popped up. The correct web site briefly appeared, and then disappeared. www.example.com is a valid commercial software development company who's web server was obviously modified by someone not authorized to do so. Probably hacked.
• 2005-04-07 - DNS Cache Poisoning Update
  There seems to be other possible scenarios where cache poisoning can occur. When forwarding to another server, Windows DNS servers expects the upstream DNS server to scrub out cache poisoning attacks.
• 2005-04-03 - DNS Cache Poisoning Report; Increase in Port Activity
  It has come to our attention that the DNS servers for the hotel where the San Diego SANS conference is being held are possibly poisoned. The best recommendation we can offer until we can fix/correct this, is to use a public DNS server that is not vulnerable.

---

 

• SEO Search /
• SEO Jobs /
• SEO Tips /
• SEO Blog /
• Forums /
• SEO Testing /
• Tools