DNS Server Spoofed and Cache Errors

  • Question

  • Hi

    I'm receiving the following errors in my DNS logs. Any help on how this could be resolved?

    DNS Server Cache Snooping Remote Information Disclosure - Plugin ID 12217
    DNS Server Recursive Query Cache Poisoning Weakness - Plugin ID 10539

    DNS Server Spoofed Request Amplification DDoS - Plugin ID 35450

    Would appreciate any advice on this

    Thanks

    Tuesday, May 22, 2018 10:34 AM

Answers

  • Hi,

    Thanks for your question.

    This may be related to DNS Amplification Attacks when querying the remote name server for external names.

    If this is your internal nameserver, then the attack vector may be limited to employees or guest access if allowed. If you are probing a remote nameserver, then it allows anyone to use it to resolve external names. This allows attackers to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to ‘bounce’ Denial of Service attacks against another network or system.

    There are several methods that might be used by DNS Amplification Attacks:

    1. Open recursion

    2. Source address spoofing

    3. Botnets

    4. Malware

    5. EDNS0

    6. DNSSEC enabled

    Here are articles that explain these DNS error logs in detail, along with the corresponding resolutions. Please refer to the following links.

    DNS Server Recursive Query Cache Poisoning Weakness

    https://www.tenable.com/plugins/nessus/10539

    Microsoft DNS Server vulnerability to DNS Server Cache snooping attacks

    https://support.microsoft.com/en-us/help/2678371/microsoft-dns-server-vulnerability-to-dns-server-cache-snooping-attack

    DNS Server Spoofed Request Amplification DDoS

    https://www.tenable.com/plugins/nessus/35450

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Here are some suggestions to protect the server from DNS attacks. Please try them to see if the issue can be resolved.

    1. Do not place open DNS resolvers on the Internet.

    2. Disable recursion.

    We can disable all recursive queries as below. Select the following box on the DNS server.

    Or disable queries to public DNS except for our forwarders as below. Uncheck the following option for our DNS server.

    3. Prevent IP address spoofing by configuring Unicast Reverse Path Forwarding (URPF) on network routers.

    4. Deploy an intrusion prevention system (IPS) device or monitor DNSSEC traffic in some way.

    For more information, please refer to the article below.

    DNSSEC and DNS Amplification Attacks

    https://technet.microsoft.com/en-sg/security/hh972393.aspx

    Hope the above information can help you. I look forward to hearing your good news.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com



    Wednesday, May 23, 2018 5:53 AM
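
One way to confirm the remediation from the answer above took effect, as an added example that is not part of the original thread and does not reproduce the scanner's own checks: it builds a DNS query and reads the header flags of the reply to decide whether the server still recurses for outsiders or answers non-recursive queries from cache. The function names and the sample reply are constructed for illustration.

```python
import struct

def build_query(name, qid=0x1234, recursion_desired=True):
    """Build a minimal A/IN query; RD=1 asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if recursion_desired else 0, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def assess_response(query, response):
    """Classify the reply to a query for a name the server is NOT authoritative for."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    sent_id, sent_flags = struct.unpack("!HH", query[:4])
    if qid != sent_id or not flags & 0x8000:        # QR bit must be set
        raise ValueError("not a response to this query")
    rd_sent = bool(sent_flags & 0x0100)
    rcode = flags & 0x000F
    # Non-authoritative data returned with NOERROR: resolved or served from cache.
    answered = rcode == 0 and ancount > 0 and not flags & 0x0400
    return {
        "recursion_available": bool(flags & 0x0080),            # RA bit
        "rcode": rcode,                                         # 5 = REFUSED
        "open_recursion": rd_sent and bool(flags & 0x0080) and answered,
        "cache_snoopable": (not rd_sent) and answered,          # RD=0 yet answered
        "amplification": round(len(response) / len(query), 2),  # reply/query bytes
    }

def sample_response(query, ra, with_answer):
    """Constructed reply for offline use: echo the question, optionally add one A record."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (0 if with_answer else 5)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if with_answer else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + (rr if with_answer else b"")

if __name__ == "__main__":
    for rd in (True, False):
        q = build_query("example.com", recursion_desired=rd)
        print("RD =", rd, "open server:", assess_response(q, sample_response(q, True, True)))
        print("RD =", rd, "hardened:   ", assess_response(q, sample_response(q, False, False)))
```

Against a real deployment, send the bytes from `build_query` over UDP port 53 to your own server from outside the network it is meant to serve and pass the reply to `assess_response`; after recursion is disabled, `open_recursion` and `cache_snoopable` should both be false.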

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Thursday, May 24, 2018 4:24 PM
  • Hi,
    Could the above reply be of help? If yes, you may mark it as answer; if not, feel free to give feedback.
    Best Regards,
    Michael



    Monday, May 28, 2018 1:42 PM
  • Hi Michael

    Tried some of the advice you provided. Thanks for the support, managed to remediate some of them.

    Thanks

    Tuesday, July 3, 2018 5:52 AM
  • Hi,

    Thanks for your reply.

    Please let us know if you need further assistance.

    If your question was answered appropriately. This includes any reply that was posted by yourself or others. In doing so, it will benefit all community members who are facing similar issues. Your contribution is highly appreciated.

    Thanks for your support and understanding.

    Have a nice day!

    Best regards,

    Michael



    Tuesday, July 3, 2018 6:13 AM