Outsourced Clue Blog

Infrastructure scalability and security. Outsourcing clue since 1999


The silliness of open recursive DNS servers

January 16th, 2006 · 1 Comment

It always amazes me how many open recursive DNS servers there are in the world. An open recursive server is a DNS server that performs recursive queries for ANYONE who asks it. Why is this bad? Well, for one, they open you up to DNS reflector attacks (more on those in another post). They also open you up to cache poisoning attacks.

There is absolutely no reason to have an open recursive server. These usually exist for two reasons:

1) Inexperience - admins download the latest version of BIND, install it with the defaults, and consider themselves ready to go. They really don’t have any idea of the difference between a caching/recursive name server and an authoritative name server.

2) Laziness - An admin doesn’t want to have to figure out which IPs should be able to use this recursive server, so they open it to the world.

Not only that: combine an open recursive server with a network that does not follow BCP 38 (ingress filtering of spoofed source addresses), and such an attack becomes even more difficult to stop.

So sysadmins/network admins out there, two things:

1) Turn OFF open recursive servers. Only your customers need to use your recursive servers.

2) Implement BCP 38
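As an added example (not from the original post), here is what step 1 looks like in BIND's named.conf: the open configuration that causes the problem, followed by the same server restricted to the networks that should actually use it. The address ranges in the `trusted` ACL are placeholders to replace with your own, and `allow-query-cache` assumes BIND 9.4 or later.

```conf
// WEAK: recursion is on and nothing limits who may use it.
// This server will chase down any name for any host on the Internet,
// which makes it a reflector and a cache-poisoning target.
options {
    directory "/var/named";
    recursion yes;
};

// CORRECTED: recursion is still available, but only to the networks
// that are supposed to use this server. The ranges below are placeholders.
acl "trusted" {
    127.0.0.1;            // the server itself
    192.0.2.0/24;         // placeholder: an office or customer IPv4 range
    2001:db8::/32;        // placeholder: a customer IPv6 range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };    // only "trusted" may ask us to recurse
    allow-query-cache { trusted; };  // outsiders cannot read cached answers either
    allow-query { any; };            // zones we are authoritative for stay public
};

// If a box is authoritative only and never needs to resolve for anyone,
// the simplest and safest setting is to disable recursion outright.
options {
    directory "/var/named";
    recursion no;
};
```

After reloading, query the server from an address outside the ACL for a name you are not authoritative for; a correctly restricted server returns REFUSED instead of an answer.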

Tags: DDoS · Scalability · The Right Way (TM)

