none
DNS server spoofed request amplification DDOS RRS feed

  • Question

  • hi

    i have a windows 2012 server installed with exchange 2013

    I have disable recursive in my DNS server, however when i do a vulnerability scan i still receive this :

    DNS server spoofed request amplification DDOS

    Description,

    The remote dns server answer to any request. it is possible to query the name server of the root zone and get an answer that is bigger than original request.

    it says, restrict access to your DNS server from public network or reconfigure it to reject such queries - how do i do this?

    Friday, July 15, 2016 8:20 AM

Answers

  • Hi frustrated,

    >I have disable recursive in my DNS server, however when i do a vulnerability scan i still receive this:DNS server spoofed request amplification DDOS

    There are several methods that might be used by DNS Amplification Attacks:

    1. Open recursion (which have been disabled by you);

    2. Source address spoofing;

    3. Botnets;

    4. Malware;

    5. EDNS0;

    6. DNSSEC enabled;

    So, it's not enough to just disable recursion to prevent DNS Amplification Attacks.

    Here are some suggestions to prevent the server from DNS Amplification Attacks:

    1. Do not place open DNS resolvers on the Internet;

    2.Prevent IP address spoofing by configuring Unicast Reverse Path Forwarding (URPF) on network routers;

    3.Deploy an intrusion prevention system (IPS) device or monitor DNSSEC traffic in some way.

    You may learn the detailed information in the following article:

    https://technet.microsoft.com/en-sg/security/hh972393.aspx

    (Besides, since Security forum is more related with certificates, I'll move this post to DNS forum, then you'll get better help.)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.



    Monday, July 18, 2016 2:11 AM
    Moderator

All replies

  • Hi frustrated,

    >I have disable recursive in my DNS server, however when i do a vulnerability scan i still receive this:DNS server spoofed request amplification DDOS

    There are several methods that might be used by DNS Amplification Attacks:

    1. Open recursion (which have been disabled by you);

    2. Source address spoofing;

    3. Botnets;

    4. Malware;

    5. EDNS0;

    6. DNSSEC enabled;

    So, it's not enough to just disable recursion to prevent DNS Amplification Attacks.

    Here are some suggestions to prevent the server from DNS Amplification Attacks:

    1. Do not place open DNS resolvers on the Internet;

    2.Prevent IP address spoofing by configuring Unicast Reverse Path Forwarding (URPF) on network routers;

    3.Deploy an intrusion prevention system (IPS) device or monitor DNSSEC traffic in some way.

    You may learn the detailed information in the following article:

    https://technet.microsoft.com/en-sg/security/hh972393.aspx

    (Besides, since Security forum is more related with certificates, I'll move this post to DNS forum, then you'll get better help.)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.



    Monday, July 18, 2016 2:11 AM
    Moderator
  • Hi Anne,

    Thanks for your reply. 

    I had implemented DNSSEC, my client(PC) need to have their DNS point to AD server in order to ping to my mail server(Exchange 2013). Is that normal?

    About, 

    1. Do not place open DNS resolvers on the internet -- > what does it mean actually. I do not really understand.

     P.S., i deleted root hints, would that work?

    Monday, July 18, 2016 6:05 AM
  • Hi Frustrated IT,

    >I had implemented DNSSEC, my client(PC) need to have their DNS point to AD server in order to ping to my mail server(Exchange 2013). Is that normal?

    Yes, you can deploy DNSSEC.

    Actually, I think the message you receive when you do a vulnerability scan may indicates the potential vulnerabilities, if everything works well right now, then you do not need to care much about it.

    It's also related with the tool you use to do the scan, if you are using a third-party tool to do the vulnerability scan, then the detailed scan policies are decided by the developer.

    Best Regards,

    Anne

     


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, July 18, 2016 6:34 AM
    Moderator
  • Hi Anne,

    Thanks for the reply.

    1. In regards to DNSSEC, right now, if my client PC(joined to office domain) is out of the network, it is unable to ping to my exchange server. Is it due to DNSSEC that is causing it?.


    Monday, July 18, 2016 7:06 AM
  • Hi Frustrated IT,

    >it is unable to ping to my exchange server

    Ping IP address or ping FQDN of the exchange server? What is the DNS server used on the PC and what is the result of nslookup exchangeserver?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, July 18, 2016 7:17 AM
    Moderator
  • ok here is my set up (example)
    Domain is abc.local

    1. one AD server 10.10.10.1 (with DNSSEC implmented in one of the forward lookupzone)

    the forward lookupzone is my exchange forward lookupzone

    2. one exchange server 10.10.10.2

    3. several PC 10.10.10.150 - 200

    Example internal network of 10.10.10.0

    a. when my PC is joined to abc.local. And when out of office network, they are unable to ping to FQDN of the Exchange server but external IP is possible

    my nslookup is able to show the correct IP address


    Monday, July 18, 2016 8:27 AM
  • Hi Frustrated IT,

    >when my PC is joined to abc.local. And when out of office network, they are unable to ping to FQDN of the Exchange server but external IP is possible

    Do you mean the domain joined PC is out of the private network?

    If nslookup shows the private IP address of the exchange server, and your network structure do not allow outside traffic into private network, then you will unable to ping the exchange server.

    Are you in this situation?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, July 20, 2016 8:55 AM
    Moderator
  • yes, my domain joined pc when out of private network cant ping to exchange server when out of network


    Thursday, July 21, 2016 2:26 AM
  • Hi Frustrated IT,

    If so, then the reason why you can't ping the exchange sever may due to you can't access private IP address directly through external network.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, July 21, 2016 2:31 AM
    Moderator
  • Hi Anne,

    yep, but the funny thing is, non domain joined PC are all able to ping.

    It is only when they joined domain

    Thursday, July 21, 2016 3:14 AM
  • Hi Frustrated IT,

    You need to check which DNS server do domain-joined PC use, and which DNS server do non-domain joined PC use. Check what IP address does nslookup exchange resolve to on domain joined DNS server and non-domain joined DNS server.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, July 21, 2016 3:23 AM
    Moderator
  • Hi Anne,

    all the non domain joined pc are able to resolve to my exchange external ip

    If, my domain joined PC cant resolve, what may be the issue?

    Thursday, July 21, 2016 3:34 AM
  • Hi Feustrated IT,

    This verifies my view, non-domain joined PC resolve to the external IP address of the exchange server, so they can ping it.

    If domain joined PC resolve the exchange server to private IP address, then it may related with the domain joined PC use the internal DNS server.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, July 21, 2016 4:07 AM
    Moderator
  • Hi Anne,

    How can i make it in such a way that domain joined PC do not use internal DNS server when out of network?

    Friday, July 22, 2016 2:50 AM
  • Hi Frustrated IT,

    How do these PC get IP configurations when out of internal network.

    If these PCs use DHCP server in external network, then you may configure DHCP option 006 with external DNS server, then when PCs in external network to obtain IP settings from DHCP server, they will get DNS address with external one;

    You may also manually configure DNS settings on NIC TCP/IP properties:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 22, 2016 2:58 AM
    Moderator
  • Hi Anne,

    I tried configuring DNS at TCP/IP, it didnt work at all.

    For domain joined PC ( in a external network)

    I tried pinging my Exchange FQDN, it still shows ping request could not find host mail.abc.com
    But if i ping exchange public IP, it could ping

    For Non domain joined PC ( in the same external network)

    able to ping FQDN and external IP of exchange.

    Friday, July 22, 2016 3:19 AM
  • Hi Frustrated IT,

    Please post an ipconfig/all result both on non-domain PC and domain-joined PC here.

    And post an nslookup exchangeserver result on non-domain joined PC and domain joined PC

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Friday, July 22, 2016 3:23 AM
    Moderator
  • Hi Anne,

    Thank you for your help. I was told i cant reveal my ip address. can i just partially cover them?

    Friday, July 22, 2016 4:13 AM
  • Hi Frustrated IT,

    Yes, you can.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 22, 2016 5:37 AM
    Moderator
  • Friday, July 22, 2016 5:45 AM
  • Hi Frustrated IT,

    You may make non-domain joined clients use the same DNS settings with domain joined clients, check if it could work.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, July 27, 2016 9:46 AM
    Moderator