An "open DNS resolver" is a DNS server that is willing to resolve recursive DNS lookups for anyone on the internet. It's much like an open SMTP relay, in that the simple lack of authentication allows malicious 3rd parties to propagate their payloads using your unsecured equipment. With open SMTP relays, the problem is that they forward spam. With open DNS resolvers, the problem is that they allow a denial of service attack known as a DNS Amplification Attack.
The way this attack works is pretty simple - because your server will resolve recursive DNS queries from anyone, an attacker can cause it to participate in a DDoS by sending your server a recursive DNS query that will return a large amount of data, much larger than the original DNS request packet. By spoofing (faking) their IP address, they'll direct this extra traffic to their victim's computers instead of their own, and of course, they'll make as many requests as fast as they can to your server, and any other open DNS resolvers they can find. In this manner, someone with a relatively small pipe can "amplify" a denial of service attack by using all the bandwidth on their pipe to direct a much larger volume of traffic at their victims.
ArsTechnica did a decent article on the recent DNS Amplification DDoS attack against Spamhaus, and it is worth a quick read to get the basics (and a good visual of the amplification).
The simplest way to protect your system from being abused like this is to limit the addresses your server will perform recursive lookups for to your local subnets. (The specifics of which depend on which DNS server you're using, of course.)
For example, if I were using BIND 9, and wanted to simply prevent DNS recursion from outside addresses, I would use the following code in my config:
options {
    directory "/var/named/master";
    // only these sources are allowed to ask for recursive lookups
    allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
};
That line of code tells my BIND server to only process recursive DNS requests for the local loopback address (which I guess I could/should set to the local loopback block, the whole /8) and the 3 Private IPv4 address spaces.
For Windows Server 2012, which you say you're using, you have the options below.
1. Separate your DNS server from your IIS server.
At least in a perfect world, there is no reason you need to be running DNS on the same box as IIS.
Put DNS on an internal box that is not NATed, so the outside world cannot get at it, and let IIS reside on the external-facing box that the rest of the world can get at. You can use dual-homing or firewall rules to selectively allow access to your DNS server from your IIS server.
2. Block external DNS requests with a firewall, such as the built-in Windows firewall.
- To my surprise, Windows DNS does not allow you to restrict the addresses for which recursive DNS requests are honored, so this is actually the recommended method by Microsoft.
- Select the DNS rules (TCP and UDP), go into the Remote IP address section and add the subnets in use on your LAN, as well as any public-facing IP addresses of servers that need access to Active Directory. As with the BIND example, the IPv4 private address spaces are 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12.
- I'm honestly not sure what effect this will have on your environment, since you haven't really stated how DNS and AD are configured in your environment, and accordingly, this is the last option.
Open DNS Manager.
In the console tree, right-click the applicable DNS server, then click Properties.
Where?
DNS/applicable DNS server
Click the Advanced tab.
In Server options, select the Disable recursion check box, and then click OK.
Since we have a multi-forest environment, and use conditional forwarders for that to work, I'm not going to check that box. Might be something for you to consider as well.
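As an added example (not part of the original answer), here is what option 2 and the disable-recursion step look like when done from an elevated PowerShell prompt instead of the GUI, using the NetSecurity and DnsServer modules that ship with the Windows Server 2012 DNS Server role. The rule display names are assumed to be the defaults the role creates ("DNS (UDP, Incoming)" and "DNS (TCP, Incoming)"), and the subnet list is a constructed placeholder you would replace with the networks actually in use.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# Assumption: the DNS Server role created its default inbound rules
# "DNS (UDP, Incoming)" and "DNS (TCP, Incoming)"; both match 'DNS (*Incoming)'.

# Constructed allow-list: loopback plus the RFC 1918 ranges from the answer.
# Append the public IPs of any external server that must reach AD via this DNS.
$AllowedSources = @(
    '127.0.0.0/8',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16'
)

$DnsRules = Get-NetFirewallRule -DisplayName 'DNS (*Incoming)'
if (-not $DnsRules) {
    throw 'No DNS Server inbound rules found; is the DNS Server role installed?'
}

foreach ($Rule in $DnsRules) {
    # The role's default rules accept from any remote address; show that first.
    $Before = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("{0}: RemoteAddress before = {1}" -f $Rule.DisplayName, ($Before -join ', '))

    # Scope the rule so only the listed sources can reach TCP/UDP 53 at all.
    $Rule | Set-NetFirewallRule -RemoteAddress $AllowedSources

    $After = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("{0}: RemoteAddress after  = {1}" -f $Rule.DisplayName, ($After -join ', '))
}

# The answer's last option, turning recursion off entirely, is the same as the
# "Disable recursion" check box in DNS Manager. It is left commented out here
# because it also breaks conditional forwarders, as the answer notes.
# Set-DnsServerRecursion -Enable $false

# Report the current recursion setting so the state is visible either way.
Get-DnsServerRecursion | Select-Object Enable, Timeout, RetryInterval, AdditionalTimeout
```

The firewall scoping is the safer of the two changes because it does not touch how the server resolves names for internal clients; re-running the script is idempotent, since Set-NetFirewallRule replaces the rule's remote address list rather than appending to it.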