DNS root hints question

    Question

  • Hello,

    Appreciate your advice with the following question.

    Windows 2008 R2 SP1 acting as an authoritative DNS only (serving a couple of zones to the Internet, therefore reachable from the outside). Recursive DNS is turned off (hence no forwarders) and it's not used as a resolver. Am I right in the assumption that root hints could be wiped out completely?

    The reason I'm asking is that we seem to be affected by the amplification attack - I see quite a lot of 53/udp queries (~1mbps constant traffic) from random (most probably spoofed) IPs. Although recursive DNS is disabled the server still returns root hints if I query it for the domain it's not responsible for.

    Here is what tcpdump looks like:

    11:59:10.970363 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
    11:59:10.970511 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
    11:59:10.970540 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
    11:59:10.970560 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
    11:59:10.970579 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
    11:59:10.971086 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
    11:59:10.971121 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
    11:59:10.971238 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
    11:59:10.971338 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
    11:59:10.971378 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)

    Thank you.

    Friday, September 06, 2013 10:03 AM
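An added example, not part of the original question: the capture above already contains the two signals a practitioner wants to measure before touching the server, the bytes-out to bytes-in ratio per source and the fact that the same transaction id and source port repeat (a real resolver retries with fresh ids, a spoofed flood replays one packet). The Python below parses tcpdump's default DNS summary lines and reports both. The first ten sample lines are the post's own capture (server anonymised as x.x.x.x); the last two are constructed, an ordinary lookup of a hosted name, added for contrast. The thresholds and the name www.example.com are assumptions.

```python
"""Flag reflection/amplification sources in tcpdump output from a DNS server.

Added example (not from the original post). It parses the default tcpdump
DNS summary format and reports, per client IP, how many bytes went in
versus out and whether the replies look like root referrals.
"""
import re
from collections import defaultdict

# Constructed sample. The first ten lines are the capture from the question
# (server address anonymised as x.x.x.x); the last two are an added,
# ordinary-looking lookup of a name the server is assumed to host.
SAMPLE_CAPTURE = """\
11:59:10.970363 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
11:59:10.970511 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
11:59:10.970540 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
11:59:10.970560 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
11:59:10.970579 27.116.37.195.29370 > x.x.x.x.domain:  41284+ [1au] ANY? anonsc.com. (44)
11:59:10.971086 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
11:59:10.971121 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
11:59:10.971238 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
11:59:10.971338 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
11:59:10.971378 x.x.x.x.domain > 27.116.37.195.29370:  41284- 0/13/14 (662) (DF)
11:59:11.104211 198.51.100.7.54013 > x.x.x.x.domain:  7031+ A? www.example.com. (33)
11:59:11.104500 x.x.x.x.domain > 198.51.100.7.54013:  7031*- 1/2/2 (120) (DF)
"""

# Query line: "<ts> <src>.<sport> > <dst>.domain: <id>+ [1au] <qtype>? <qname> (<bytes>)"
# "+" after the id is RD set; "[1au]" is the additional record in the query,
# the EDNS0 OPT RR that lets the reply exceed 512 bytes over UDP.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.domain:\s+"
    r"(?P<txid>\d+)\S* (?:\[\d+au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)"
)
# Response line: "<ts> <src>.domain > <dst>.<dport>: <id>[rcode][flags] an/ns/ar ... (<bytes>)"
# "-" after the id means RA is not set, i.e. the server really has recursion off.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.domain > (?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)\S*(?P<mid>.*?) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+).*\((?P<size>\d+)\)\s*(?:\(DF\))?$"
)


def analyze(capture: str, amp_threshold: float = 5.0, min_queries: int = 3) -> dict:
    """Per client IP: traffic volume, repeats of an identical query, referral count."""
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "bytes_in": 0,
                                 "bytes_out": 0, "qtypes": set(), "repeats": 0,
                                 "referrals": 0})
    seen = set()
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            s = stats[m["src"]]
            s["queries"] += 1
            s["bytes_in"] += int(m["size"])
            s["qtypes"].add(m["qtype"])
            key = (m["src"], m["sport"], m["txid"], m["qname"])
            if key in seen:          # same id, port and name again: a replayed packet
                s["repeats"] += 1
            seen.add(key)
            continue
        m = RESPONSE_RE.match(line)
        if m:
            s = stats[m["dst"]]
            s["responses"] += 1
            s["bytes_out"] += int(m["size"])
            # No answers but a populated authority and additional section, for a
            # name the server does not host, is the root-hints referral (0/13/14).
            if m["an"] == "0" and int(m["ns"]) > 0 and int(m["ar"]) > 0:
                s["referrals"] += 1
    report = {}
    for ip, s in stats.items():
        amp = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
        suspicious = (s["queries"] >= min_queries and amp >= amp_threshold
                      and (s["repeats"] > 0 or "ANY" in s["qtypes"]))
        report[ip] = {**s, "qtypes": sorted(s["qtypes"]),
                      "amplification": round(amp, 1), "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_CAPTURE).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{ip:16} q={r['queries']} in={r['bytes_in']}B out={r['bytes_out']}B "
              f"x{r['amplification']} repeats={r['repeats']} referrals={r['referrals']} {flag}")
```

Run it against a live capture with `tcpdump -n -i eth0 udp port 53 > dns.log` and `analyze(open("dns.log").read())`. On the post's own lines the flooding source scores roughly 15x amplification (five 44-byte queries answered by five 662-byte referrals) with four exact repeats, which is the number to quote when asking upstream for rate limiting.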

Answers

  • Generally speaking, if the server is not doing recursive queries, then the root hints are not needed.

    See How DNS query works in the TechNet Library.

    As for the amplification attack question, my core response would be that if the server is not functioning as a resolver, why not simply block 53/UDP at the firewall? Except that it is. It must. How else would queries for uncached zone records be satisfied? It may not be functioning as a resolver for internal (local) clients, but it most certainly functions as a resolver for other DNS Servers on the Internet performing recursive queries to find the zone records hosted by this authoritative server that have been requested by the clients of those other resolvers.

    You might also consider using non-Windows secondary servers for publishing to the Internet. While this won't necessarily protect you from attacks, it will protect the authoritative server. As an example, I have a pair of FreeBSD BIND boxes that are set up as secondary servers; these are the publicly accessible servers. The authoritative zone holder is a Windows server, but the Windows server is not accessible from the Internet, only the secondary servers are.

    btw.... it seems that both 'NS' records for anonsc.com are pointing to the same IP Address. Tsk. Tsk. :-)

    Also, the PTR record seems to be missing for that IP Address.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Proposed as answer by benofthecloud Friday, September 06, 2013 7:41 PM
    • Marked as answer by nov1ce Monday, September 09, 2013 7:01 AM
    Friday, September 06, 2013 6:33 PM
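An added example, not code from either poster: once the root hints are removed (server properties, Root Hints tab, in the DNS console), the thing to verify from the outside is that a query for a name the server does not host no longer comes back as a referral. The Python below builds the same kind of query the capture shows (ANY, with an EDNS0 OPT record advertising a large UDP buffer), classifies a reply by its header the way tcpdump prints it (answer/authority/additional counts and RCODE), and gives a verdict on whether the server is still usable as a reflector. The two sample replies are constructed locally: a root-style referral with three NS records plus glue (documentation addresses 192.0.2.x), and a REFUSED reply with empty sections. Which RCODE Windows DNS returns once the hints are gone is not stated on this page, so the check only requires that the reply is not a referral and is no larger than about twice the query. The `probe()` function sends the query to a real server and is not used by the sample run.

```python
"""Check whether an authoritative-only DNS server still hands out root referrals.

Added example. Builds a DNS query in wire format (RFC 1035 plus an EDNS0
OPT record), and classifies a reply by header flags and section counts.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "ANY": 255}
OPT = 41
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """'a.root-servers.net.' -> length-prefixed labels; '.' -> a single zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """RD set, one question, one OPT record (the '[1au]' tcpdump shows)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)   # root name, type, class=bufsize, ttl, rdlen
    return header + question + opt


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600000) -> bytes:
    """One resource record, class IN, no name compression."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, rcode: int, authority=(), additional=()) -> bytes:
    """Constructed reply: copies the question, sets QR, leaves AA and RA clear."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:len(query) - 11]            # strip header and the 11-byte OPT
    header = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, 0, len(authority), len(additional))
    return header + question + b"".join(authority) + b"".join(additional)


def classify_response(wire: bytes) -> dict:
    """Header fields a reflector check cares about, named as tcpdump prints them."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    info = {"txid": txid, "rcode": RCODE_NAME.get(rcode, str(rcode)),
            "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "answers": an, "authority": ar and ns or ns, "additional": ar, "size": len(wire)}
    # A referral is NOERROR, no answers, NS records in the authority section and
    # AA clear. From an authoritative-only server that is its root hints leaking.
    info["referral"] = rcode == 0 and an == 0 and ns > 0 and not info["aa"]
    return info


def reflector_verdict(query: bytes, response: bytes, max_amp: float = 2.0) -> dict:
    """ok == True when the reply is not a referral and barely larger than the query."""
    info = classify_response(response)
    info["amplification"] = round(len(response) / len(query), 1)
    info["ok"] = not info["referral"] and info["amplification"] <= max_amp
    return info


def probe(server: str, qname: str = "example.net.", timeout: float = 2.0) -> dict:
    """Live check against a real server over UDP (not run by the sample below)."""
    q = build_query(qname, "ANY")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return reflector_verdict(q, data)


# Constructed samples: the capture's query shape, a three-server root referral
# with glue (documentation addresses), and a REFUSED reply with empty sections.
QUERY = build_query("anonsc.com.", "ANY")
ROOTS = ["a.root-servers.net.", "b.root-servers.net.", "c.root-servers.net."]
REFERRAL = build_response(
    QUERY, 0,
    authority=[rr(".", QTYPE["NS"], encode_name(r)) for r in ROOTS],
    additional=[rr(r, QTYPE["A"], socket.inet_aton(ip))
                for r, ip in zip(ROOTS, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])],
)
REFUSED = build_response(QUERY, 5)

if __name__ == "__main__":
    for label, reply in (("referral", REFERRAL), ("refused", REFUSED)):
        print(label, reflector_verdict(QUERY, reply))
```

Point `probe("203.0.113.10")` at the public address of the server from outside your network, before and after deleting the hints: the "before" result should look like the capture (referral, authority 13, amplification well above 10), the "after" result should carry `referral: False` and a small size. The AA check matters because a legitimate authoritative answer for a hosted name also has authority and additional records, but has AA set and usually a non-empty answer section.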
  • I agree with Lawrence. If the authoritative server is a hostname server registered on the internet to only allow public resolution for your public domain name, yes, when you disable Recursion (under the Advanced tab), the roots are not needed.

    As for blocking UDP 53 as Lawrence indicated, the only thing I see with that is that initial DNS recursion is across UDP 53, then in a scenario with EDNS0 disabled, it will switch up to TCP 53 if the response is greater than 512 bytes. However, I haven't tested it in a scenario disabling UDP 53, but my take on that is resolution requires an extra step.

    The following diagram shows non-caching, secured resolvers in the DMZ with the internal DNS forwarding to them. However, if they are authoritative for your public zone, and assuming that your webservers are internal, then those servers are providing public resolution to the WAN IP of your firewall, which would not work for internal clients. So I assume in such a split scenario, that you have the public zone configured on your internal DNS servers that have the private IP of your webserver.

    Therefore in that scenario, you can configure forwarding from your internal DNS to another set of DNS servers such as below for internet name resolution to help mitigate amplification attacks. But host your publicly registered hostname servers as suggested by Lawrence.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by nov1ce Monday, September 09, 2013 7:01 AM
    Sunday, September 08, 2013 8:37 PM
  • Reducing the MaxCacheTTL just eliminates storing any cached queries for the TTL of any records that were resolved from the record's authoritative DNS server on the internet.

    For an authoritative DNS server that is just hosting your public zone data with recursion disabled, this value wouldn't have any relevance or meaning, since it won't be used.

    However, the two DNS servers that you are forwarding to that are not visible, are the ones that I would recommend setting it on.

    I hope that makes sense. :-)


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, September 09, 2013 1:51 PM

All replies

  • Thank you Lawrence, thank you Ace - it does help!

    My setup is exactly like in the diagram, except that DC1 and DC2 do not use DNS1/DNS2 as resolvers, but another pair of DNS servers not visible from the outside. DNS1 and DNS2 are just used as authoritative DNS servers.

    OK, I'll go ahead with the deletion of root hints and if it doesn't reduce the traffic my last attempt would be to limit the allocated bandwidth for those two servers.

    I have a last small question: I guess setting MaxCacheTTL to 0 on DNS1/DNS2 doesn't make sense in this case, because recursive DNS is turned off?

    Thanks.

    Monday, September 09, 2013 10:56 AM