Don't Leave Yourself Open to DNS Hacking
Truth to tell, I missed this last week, but having suffered a DNS hacking problem myself, I was trolling around for information on the problem. Pageoneresults put up an easy-to-follow "idiot's guide" at WMW to checking whether you have an open DNS server problem. My advice to everyone who has not checked their DNS servers is to do so now.
Quote:
Are you aware of and/or are you doing anything about this? I'm in the process now of discussing all of this with my server administrators and want to make the changes to eliminate that failure on the DNS Report. Anytime I see red on that report, the hair on my neck rises. Many of the issues we see here at WebmasterWorld can be traced back to DNS Issues so it is important that you keep a regular eye on what your DNS is up to!
- Y! MyWeb

Agreed
As noted in that thread though, they don't actually hack your DNS, they just use its services (i.e. your nameserver responds to DNS requests - they don't actually get into your system).
Basically, if you're running DNS servers for your own sites, your nameservers should only respond to requests for your own sites unless the request is from a local or authorized user. If someone external to you requests the DNS info for a site that you don't handle, you should decline the request. What you should not be doing is responding to external requests for DNS info for someone else's sites.
FWIW, BIND/named, which is what runs on many or most Linux systems, seems to default to this behaviour and needs to be manually tweaked to stop it.
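The check the post above describes, as an added example (not code from the thread or from the WMW guide): send the nameserver a query with the RD (recursion desired) bit set for a name it does not host, then look at the response header. A locked-down authoritative server answers REFUSED (or NOERROR with RA clear); an open resolver answers with RA set and an answer section. The probe name `example.org`, the transaction ID and the two constructed responses are assumptions for the demo; the wire format itself is RFC 1035.

```python
"""Open-resolver check: does a nameserver recurse for a zone it does not host?
Added example; the probe name and sample responses are constructed."""
import socket
import struct

# Assumption: a name the server under test is NOT authoritative for.
PROBE_NAME = "example.org"
TXID = 0x1234


def build_query(name: str, txid: int = TXID, rd: bool = True) -> bytes:
    """Minimal RFC 1035 A/IN query; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000              # QR=0, OPCODE=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; RA and ANCOUNT tell us whether it recursed."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp: bytes, txid: int = TXID) -> str:
    """'open' = recursed for a foreign name, 'refused' = declined, 'closed' otherwise."""
    h = parse_header(resp)
    if not h["qr"] or h["id"] != txid:
        return "invalid"
    if h["rcode"] == 5:                           # REFUSED
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0 and not h["aa"]:
        return "open"
    return "closed"


def probe(server: str, name: str = PROBE_NAME, timeout: float = 3.0) -> str:
    """Live check over UDP/53 (needs network; not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


def make_response(txid: int, flags: int, answer: bytes = b"") -> bytes:
    """Constructed reply: header + echoed question + optional answer RR."""
    ancount = 1 if answer else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + build_query(PROBE_NAME)[12:] + answer


# One A record, name compressed to a pointer at the question (0xC00C), TTL 300.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

REFUSED_RESPONSE = make_response(TXID, 0x8105)        # QR RD, RCODE=5
OPEN_RESPONSE = make_response(TXID, 0x8180, A_RR)     # QR RD RA, RCODE=0, one answer

if __name__ == "__main__":
    import sys
    print("refused sample:", classify(REFUSED_RESPONSE))
    print("open sample:   ", classify(OPEN_RESPONSE))
    for server in sys.argv[1:]:
        print(server, probe(server))
```

Run it with a nameserver address as the argument to probe a real server; anything reported as "open" is the condition the thread is warning about. On BIND the fix is in named.conf: `recursion no;` on a purely authoritative server, or `allow-recursion { localhost; localnets; };` if internal clients still need it.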
wow.. that only took TWO YEARS
Dan Kaminsky demonstrated this live at DEFCON two years ago.... it's not just that they use your services. They can store small amounts of information in your DNS cache, and use your DNS service to deliver it upon request.
Think that's not a big deal? The demo I saw used distributed DNS storage like this to move a 4 GB DVD around in a P2P fashion, one DNS record at a time. It was also demonstrated as a means of distributing live audio, "streaming" it through everybody's contributed DNS cache because they had been so kind to make it available and give it such a high priority for attention (not firewalled, dedicated servers, not monitored, etc.).
One of many links
Thanks John
That's a different story if they can use it for something like that - I didn't see that in the thread. Puts a different spin on it, I've got someone making sure my nameservers are locked up tight right now.
keep an eye on traffic *levels*
Dan's talk was one of the most entertaining I had seen in a long time. Quite "impressive".
The bottom line I came away with was to add DNS traffic *level* monitoring a.s.a.p., and move towards shutting down recursive lookups. Increases in traffic levels would be obvious if you were being abused.
Since your networks might depend on the recursive lookups, it is best to evaluate before just shutting it off.
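One way to do the traffic monitoring the last two posts call for, as an added example rather than anything from the thread: run the nameserver's query log through a script that separates normal authoritative traffic from outsiders using the server as a recursive resolver, and flag any client that does it repeatedly. The log lines are constructed in the classic BIND 9 query-log layout (`client IP#port: query: NAME IN TYPE +`, where `+` means RD was set); the hosted zones, the "local" network and the threshold are assumptions for the demo.

```python
"""Flag external clients that use our authoritative server for recursion,
from BIND-style query-log lines. Added example with constructed input."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions: zones we are authoritative for, and networks allowed to recurse.
OUR_ZONES = ("example.com", "example.net")
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Classic BIND 9 query log layout; the trailing '+' or '-' is the RD bit.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)


def in_our_zones(qname: str) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in OUR_ZONES)


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "qname": m["qname"], "qtype": m["qtype"], "rd": m["rd"] == "+"}


def analyse(lines, threshold: int = 3) -> dict:
    """Per-client totals plus 'foreign recursive' queries: RD set, name not in
    our zones, client not on a local net. Clients at/over threshold are offenders."""
    total, foreign, samples = Counter(), Counter(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total[rec["ip"]] += 1
        if rec["rd"] and not in_our_zones(rec["qname"]) and not is_local(rec["ip"]):
            foreign[rec["ip"]] += 1
            if len(samples[rec["ip"]]) < 3:
                samples[rec["ip"]].append(rec["qname"])
    offenders = sorted(ip for ip, n in foreign.items() if n >= threshold)
    return {
        "total": dict(total),
        "foreign_recursive": dict(foreign),
        "offenders": offenders,
        "samples": dict(samples),
    }


# Constructed log excerpt: local client, legitimate external lookups of our
# zones, one external client pulling TXT "chunks" from a zone we do not host.
SAMPLE_LOG = [
    "client 192.0.2.10#53012: query: www.example.com IN A +",
    "client 192.0.2.10#53013: query: cdn.somewhere.example IN A +",
    "client 198.51.100.7#41234: query: example.com IN MX -",
    "client 198.51.100.7#41235: query: ns1.example.net IN A +",
    "client 203.0.113.5#60001: query: chunk0.storage.example IN TXT +",
    "client 203.0.113.5#60002: query: chunk1.storage.example IN TXT +",
    "client 203.0.113.5#60003: query: chunk2.storage.example IN TXT +",
    "client 203.0.113.5#60004: query: chunk3.storage.example IN TXT +",
    "client 203.0.113.9#60005: query: www.somewhere.example IN A +",
    "client 203.0.113.5#60006: query: www.example.com IN A +",
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in report["offenders"]:
        print(f"{ip}: {report['foreign_recursive'][ip]} foreign recursive queries, "
              f"e.g. {', '.join(report['samples'][ip])}")
```

In practice you would feed it the live query log (or `rndc querylog` output on BIND) and alert on both the offender list and a jump in the per-client totals; the recursive-for-foreign-names category is the one that should drop to zero once recursion is restricted.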