Almost every IT professional knows that an open recursive DNS server can be very dangerous, but I have never seen an article or post that describes what actually happens and how quickly such a server gets abused. These questions interested me, so I did a small study: I opened my DNS server to everybody on the Internet. The results were amazing. This post describes the study.
A short overview of the DNS protocol and DNS based attacks.
DNS (Domain Name System) translates human-readable domain names (e.g. ipvm.biz) into the machine-usable form of IP addresses (e.g. 126.96.36.199). IP addresses are used for communication on the Internet; other protocols such as TCP and UDP run on top of IP. TCP/IP is a stateful (connection-oriented) protocol, while UDP/IP is stateless.
Attackers rely on the following basic properties for DNS-based attacks:
- A standard DNS resolution uses UDP/IP. The client does not establish a reliable (stateful) connection with the remote DNS server; it sends a request and simply waits a while for a response. Because UDP is stateless, an attacker can spoof the source IP address in the IP packet. It is good practice for ISPs to block such spoofed packets (ingress filtering, BCP 38), but unfortunately many ISPs do not.
- A DNS response is usually larger than the request. The EDNS extension was developed to support larger packets, up to 4 KB, and EDNS is required for DNSSEC. This size difference is what an amplification attack exploits.
- Many network devices, such as misconfigured or compromised servers, home modems and routers, provide recursive DNS service to local networks or to the whole Internet. Studies show that about 6 million open resolvers are reachable on the Internet each day, all around the world. The table and the picture below were taken from https://dnsscan.shadowserver.org/, a site that checks networks for open resolvers daily.
| Country | Open resolvers |
| --- | --- |
| Korea, Republic of | 451,709 |
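The two wire-level properties listed above (a stateless UDP request that only carries an unverified source address, and a response that is much larger than the request, with EDNS advertising a buffer above the classic 512-byte limit) can be made concrete with a few lines of code. The following is an added example written for this post, not code from the original article: it builds a DNS query with and without an EDNS OPT record, parses the header flags of a message, reads the advertised EDNS payload size, and computes the amplification factor (response bytes divided by request bytes) for a response that is constructed locally for the demo. Message layout follows the DNS wire format (RFC 1035 header and question, RFC 6891 OPT record); the query name and the 203.0.113.0/24 answer addresses are constructed sample values.

```python
"""Added example: DNS wire-format helpers to illustrate request/response size
asymmetry and the EDNS payload advertisement. Not part of the original post."""
import ipaddress
import struct

RD_FLAG = 0x0100   # recursion desired (set by a stub resolver's query)
RA_FLAG = 0x0080   # recursion available (set by a resolver that will recurse)
QR_FLAG = 0x8000   # message is a response
OPT_TYPE = 41      # EDNS OPT pseudo-record type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # maximum UDP DNS payload without EDNS (RFC 1035)


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as a sequence of length-prefixed labels plus root."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234, edns_payload=None) -> bytes:
    """Build a recursive (RD=1) query; optionally append an EDNS OPT record
    advertising edns_payload bytes of UDP buffer space."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txn_id, RD_FLAG, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0 (ext-rcode/version/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant to this discussion."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "is_response": bool(flags & QR_FLAG),
        "rd": bool(flags & RD_FLAG),
        "ra": bool(flags & RA_FLAG),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def edns_payload_size(msg: bytes) -> int:
    """Return the UDP payload size advertised by an OPT record, or the classic 512 if absent."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                        # OPT reuses CLASS for the buffer size
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def build_response(query: bytes, addresses, ttl: int = 300) -> bytes:
    """Constructed demo response: echo the question, set QR/RD/RA, add one A record per address."""
    h = parse_header(query)
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", h["id"], QR_FLAG | RD_FLAG | RA_FLAG, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        rdata = ipaddress.ip_address(ip).packed
        # name is a compression pointer to offset 12 (the question name)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the server sends back per byte the client sent."""
    return len(response) / len(request)


if __name__ == "__main__":
    q = build_query("example.com")
    qe = build_query("example.com", edns_payload=4096)
    print("plain query:", len(q), "bytes, advertised buffer", edns_payload_size(q))
    print("EDNS query: ", len(qe), "bytes, advertised buffer", edns_payload_size(qe))
    resp = build_response(q, ["203.0.113.%d" % i for i in range(1, 21)])   # constructed sample
    print("response:", len(resp), "bytes, RA set:", parse_header(resp)["ra"])
    print("amplification factor: %.1fx" % amplification_factor(q, resp))
```

The RA flag that `parse_header` reports is what an open-resolver scan such as the shadowserver one looks for in replies from outside the network a server is meant to serve; checking your own resolver from an external vantage point and confirming RA is clear (or that the query is refused) is the corresponding defensive test. A 29-byte query producing a 349-byte constructed reply already gives a factor of about 12, which is why restricting recursion and enforcing ingress filtering both matter.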
I have personally checked one of my Internet provider's /16 networks (one of the major broadband ISPs in Moscow) and found 69 open recursive DNS servers available on the Internet. Each such open DNS server could be a broadband router or a desktop/laptop.
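An operator who wants to know whether their own resolver is being used from outside the network it is meant to serve can read that directly from the server's query log. The following is an added example, not code from the original post: it parses BIND 9 style query-log lines (the `client <ip>#<port> (<name>): query: <name> <class> <type> <flags>` format, where a leading `+` in the flags field means recursion was requested), treats clients outside the configured LAN prefixes as external, and summarises which external sources sent recursive queries and how many of them were `ANY` lookups. The log lines, the 192.168.0.0/16 and 10.0.0.0/8 "internal" prefixes, and the 198.51.100.0/24 and 203.0.113.0/24 client addresses are all constructed sample data.

```python
"""Added example: audit a BIND-style query log for recursive queries from
outside the networks the resolver is meant to serve. Not part of the original post."""
import ipaddress
import re
from collections import Counter

# BIND 9 query log line; the optional '@0x...' token appears in newer versions.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG_LINES = [
    "01-Feb-2013 10:00:01.000 client 192.168.1.10#51234 (example.com): query: example.com IN A + (192.168.1.1)",
    "01-Feb-2013 10:00:02.000 client 192.168.1.11#51235 (mail.example.com): query: mail.example.com IN MX +E(0) (192.168.1.1)",
    "01-Feb-2013 10:00:03.000 client 198.51.100.7#4000 (example.net): query: example.net IN ANY +E(0) (192.168.1.1)",
    "01-Feb-2013 10:00:03.010 client 198.51.100.7#4000 (example.net): query: example.net IN ANY +E(0) (192.168.1.1)",
    "01-Feb-2013 10:00:04.000 client 198.51.100.9#4000 (example.org): query: example.org IN ANY +E(0) (192.168.1.1)",
    "01-Feb-2013 10:00:05.000 client 203.0.113.20#53000 (example.com): query: example.com IN A - (192.168.1.1)",
    "01-Feb-2013 10:00:06.000 some unrelated log message",
]

LAN_PREFIXES = ["192.168.0.0/16", "10.0.0.0/8"]   # constructed: networks this resolver should serve


def parse_query_log_line(line: str):
    """Return the fields of one query-log line, or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "ip": m.group("ip"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
        "rd": flags.startswith("+"),   # '+' = recursion desired, '-' = not
        "edns": "E" in flags,          # client sent an EDNS OPT record
    }


def audit_query_log(lines, allowed_cidrs) -> dict:
    """Count queries by origin and flag recursive lookups from non-LAN sources."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    summary = {
        "parsed": 0,                 # lines recognised as query records
        "internal": 0,               # queries from the allowed prefixes
        "external_nonrecursive": 0,  # outside clients not asking for recursion
        "external_any": 0,           # outside recursive queries of type ANY
        "external_recursive": Counter(),  # outside recursive queries per source IP
    }
    for line in lines:
        q = parse_query_log_line(line)
        if q is None:
            continue
        summary["parsed"] += 1
        addr = ipaddress.ip_address(q["ip"])
        if any(addr in net for net in nets):
            summary["internal"] += 1
            continue
        if not q["rd"]:
            summary["external_nonrecursive"] += 1
            continue
        summary["external_recursive"][q["ip"]] += 1
        if q["qtype"] == "ANY":
            summary["external_any"] += 1
    summary["external_recursive"] = dict(summary["external_recursive"])
    return summary


if __name__ == "__main__":
    report = audit_query_log(SAMPLE_LOG_LINES, LAN_PREFIXES)
    print("query records parsed:", report["parsed"])
    print("internal queries:", report["internal"])
    print("external non-recursive queries:", report["external_nonrecursive"])
    for ip, n in sorted(report["external_recursive"].items(), key=lambda kv: -kv[1]):
        print("external recursive source %s: %d queries" % (ip, n))
    print("of which ANY:", report["external_any"])
```

Any non-zero entry in `external_recursive` means the server is already answering as an open resolver for that source, so the log is confirmation rather than prevention; the fix is to restrict recursion to the networks you serve (in BIND, `allow-recursion` limited to local prefixes, or `recursion no` on an authoritative-only server) and to apply the same check from an external vantage point afterwards.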