Recently, DNS open resolvers have been used in DDoS attacks against various organizations. This is a threat not only to the victim of the attack: if your server participates in an attack without your knowledge, bandwidth overage charges will also apply to you.


If you are reading this article because a ticket was opened for you in MyCP, the format for the report should look like this:


209.160.0.0 -> DNS-Open-Resolver – 2013-12-19 01:21:53,209.160.0.0,14361,US,HAWAII,HONOLULU,53,udp,mydomainname.com,1.3810,Microsoft DNS 6.0.6002 (1772487D)

It translates to this:


IP -> DNS-Open-Resolver – TIMESTAMP, IP, ASN, COUNTRY, STATE, CITY, PORT, PROTOCOL, HOSTNAME, AMPLIFICATION MINIMUM, DNS VERSION


Port 53 (DNS) – DNS servers should not allow recursion to the public.


For BIND 9.x authoritative servers:

  options {
      recursion no;               // refuse recursive queries from all clients
      additional-from-cache no;   // do not fill the additional section from the cache
  };

For Microsoft Windows Servers:


Using the Windows interface:

– Open DNS.
– In the console tree, right-click the applicable DNS server, then click Properties.
– Click the Advanced tab.
– In Server options, select the Disable recursion check box, and then click OK.

Follow-up verification testing (from an untrusted outside IP address):


From a Linux or Mac machine, in a terminal:


[user@localhost ~]$ dig @IP.ADDRESS.HERE superb.net


From a Windows machine, in cmd.exe (run as administrator):


C:\Windows\system32\nslookup superb.net IP.ADDRESS.HERE


If you see:


;; ANSWER SECTION:
superb.net.             274     IN      A       209.160.57.140


Then the issue has not been resolved.


If you see:

  • connection timed out; no servers could be reached
  • superb.net.             289     IN      A     [BLANKSPACE]

Or a reply that only points to the root nameservers:

;; AUTHORITY SECTION:
.                       30784   IN      NS      b.root-servers.net.
.                       30784   IN      NS      j.root-servers.net.
.                       30784   IN      NS      g.root-servers.net.
.                       30784   IN      NS      l.root-servers.net.

;; ADDITIONAL SECTION:
b.root-servers.net.     30784   IN      A       192.228.79.201
j.root-servers.net.     23583   IN      A       192.58.128.30
g.root-servers.net.     30784   IN      A       192.112.36.4

Then the issue has been resolved.
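The same verification, scripted, as an added example that is not part of the original article: it sends a recursion-desired query to the server and classifies the reply the way the dig output above is read (an answer section means the resolver is still open; a timeout, REFUSED, an empty answer or a bare root referral means it is fixed). The server IP, the query name and the timeout are assumptions; run it from an outside address, as above.

```python
import socket
import struct

# Added example, not the article's own tooling. Query name, server IP and
# timeout are assumptions; query a name your server is NOT authoritative for.

def build_query(qname, txid=0x1234):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data):
    """Return 'open' if the server resolved the name for us, otherwise 'closed'.

    'closed' covers every outcome the article treats as fixed: no reply at all,
    a non-zero RCODE such as REFUSED, an empty answer section, or a bare
    referral to the root servers in the authority section.
    """
    if data is None or len(data) < 12:
        return "closed"  # connection timed out; no servers could be reached
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    ra = bool(flags & 0x0080)   # RA: recursion available
    aa = bool(flags & 0x0400)   # AA: authoritative answer
    rcode = flags & 0x000F
    if rcode != 0:
        return "closed"         # e.g. RCODE 5 = REFUSED
    if ancount > 0 and ra and not aa:
        return "open"           # answered on our behalf: still an open resolver
    return "closed"             # no answer RRs, or an authoritative answer for its own zone

def check_server(ip, qname="superb.net", timeout=3.0):
    """Send one query to ip:53/udp and classify the reply (None on timeout)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (ip, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        data = None
    finally:
        sock.close()
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1]))  # usage: python check_resolver.py IP.ADDRESS.HERE
```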


For additional information, please review the US-CERT published alert. It outlines the overview, description, detection, impact and common remedies for this widespread issue.


http://www.us-cert.gov/ncas/alerts/TA13-088A