Protecting Windows DNS Server from being abused for DNS amplification attacks

  • Question

  • As suggested in the Server Manager forum, I try my luck in this forum.

    I have a Win2008R2 Server with DNS services installed. The server is configured not to allow recursive queries from clients.

    However, when sending such a query, the server sends back a list of root hints as response. While the shortest possible query is 45 bytes long, the corresponding answer is 476 bytes long. A similarly configured Bind server just refuses the query, with the reply packet being the same size as the query packet (i.e. both 45 bytes).

    In a DNS amplification attack scenario, this translates to an amplification factor of (476/45)=10.6 for a Windows server even with recursion disabled, as opposed to a factor of 1 for the Bind server.

    Is there any way to make the Win2008R2 server refuse recursive queries altogether and thus prevent it from serving as an "amplifier" in such scenarios?

    Wednesday, April 10, 2013 8:05 AM

Answers

All replies

  • What capacity or role is this server and its DNS service?

    Is it a DC or member server, or is it a stand alone hosting public records only for your company's resources?

    Is this a PCI Compliancy requirement?

    Does the server have internet access, and that's what you're trying to prevent?

    I understand that the roots are returned. Since you are not using recursion, the roots are not needed, so just delete them.

    Let's try the following:

    • Delete all the root-hints.
    • Disable forwarding.
    • Set the parameter MaxCacheTTL = 0
    • Restart the service.

    -

    More info:

    W2003 DNS cache snooping vulnerability for PCI-DSS compliance
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/67e9189b-606a-40d2-9944-8b4c7d084017/

    Windows 2008 Svr DC/DNS -> PCI Compliance
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/a1a00347-7b79-4041-89bb-2a09dd499256

    -

    And from: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_27074917.html

    "... you will still receive UDP packets, querying for root, which should be blocked by FIREWALL.
    Read here how these attacks work: http://www.securiteam.com/securityreviews/5GP0L00I0W.html

    Read here how to block spoofed packets: http://www.faqs.org/rfcs/bcp/bcp38.html

    -

    Otherwise, if the above doesn't help, you may need to go with BIND, if it fulfills your requirements.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by S Marco Thursday, April 11, 2013 7:18 AM
    Wednesday, April 10, 2013 10:51 PM
  • The high-level architecture of reading root hints is as follows:

    Server 2008 and above loads the DNS information from AD DS, and if the DNS server is hosted on a DC, the zones get enumerated from Active Directory, including the root hints. If DNS is not hosted on the domain controller, it reads the data from Cache.dns (c:\windows\system32\dns), which is the reason why Ace was asking "Is it a DC or member server, or is it a stand alone hosting public records only for your company's resources?"

    Ace: I think if Marco disables recursion on the DNS server, that should serve his purpose.

    Thursday, April 11, 2013 4:51 AM
  • I'm not entirely sure, because he said he already did, and queries for any zones not authoritative are returning a list of the roots. I don't have a 2008 R2 test box handy on which I can shut off recursion and delete the roots to test it, but I think if Marco just deletes the roots and restarts DNS (which will of course clear the cached roots on that server even if a DC), there will be no roots to return. I wanted to test it, but I can't at the moment.

    Ace Fekay

    Thursday, April 11, 2013 5:26 AM
  • Hi,

    Sorry, I missed "The server is configured not to allow recursive queries from clients".

    To validate this, can you tell us what you see in this specific packet? (I reproduced it in my lab.)
    Recursion available: server can do recursive queries

    After disabling

    The above shows that it's disabled and can't do recursive queries.

    Thursday, April 11, 2013 7:04 AM
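    The two things this thread checks by hand, the amplification factor from the question (476 bytes back for a 45-byte query) and the "Recursion available" bit Sainath asks about, can both be read off the wire bytes. The following Python is an added example; it is not code from this thread, from Microsoft or from BIND. It builds the 17-byte DNS query the question describes (QNAME ".", QTYPE NS, which is 45 bytes once the 20-byte IPv4 and 8-byte UDP headers are added), decodes the reply header, and classifies the reply as a refusal, a root-hints referral, or an open resolver. The two sample replies it builds are constructed approximations (the referral uses 13 NS records plus A glue in the 192.0.2.x documentation range, not a captured Windows packet), and `probe()` is an added helper for checking a server you administer.

```python
"""Check a DNS reply for the 'Recursion available' bit and its amplification factor.

Added example (not from the thread). Sizes are counted the way the question does:
DNS payload plus 20-byte IPv4 and 8-byte UDP headers (17 + 28 = 45 bytes).
"""
import socket
import struct

IP_UDP_OVERHEAD = 20 + 8          # IPv4 + UDP headers on each datagram
ROOT_SERVERS = "abcdefghijklm"    # the 13 root-server letters a..m
TTL = 518400                      # constructed TTL used in the sample referral


def build_root_ns_query(txid=0x1234, rd=True):
    """Minimal query: root name ".", type NS, class IN, RD set (asks for recursion)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)      # "." NS IN


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),                 # Recursion Available
        "rcode": flags & 0x000F,                    # 0 NOERROR, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query, response):
    """Ratio of reply to query size, both counted as full IPv4/UDP datagrams."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


def assess(query, response):
    """Classify a reply the way the thread does: open resolver, refusal, or referral."""
    h = parse_header(response)
    if h["ra"]:
        verdict = "recursion offered (open resolver)"
    elif h["rcode"] == 5:
        verdict = "refused, no amplification"
    elif h["ancount"] == 0 and h["nscount"] > 0:
        verdict = "referral (root hints) with recursion disabled"
    else:
        verdict = "other"
    return {"ra": h["ra"], "rcode": h["rcode"],
            "factor": round(amplification_factor(query, response), 1),
            "verdict": verdict}


def build_constructed_refused(query):
    """Constructed REFUSED reply of the kind the question attributes to BIND:
    QR=1, RD echoed, RA=0, RCODE=5, only the question echoed, so reply size == query size."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]


def build_constructed_referral(query):
    """Constructed root-hints referral: 13 NS records for "." plus 13 A glue records.
    Approximates the shape of the reply the question describes; glue is 192.0.2.x (TEST-NET-1)."""
    txid = struct.unpack("!H", query[:2])[0]
    n = len(ROOT_SERVERS)
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8100, 1, 0, n, n) + query[12:])
    suffix_ptr = None          # compression pointer to the "root-servers.net" labels
    name_offsets = []          # where each "<x>.root-servers.net" name starts
    for letter in ROOT_SERVERS:
        msg += b"\x00" + struct.pack("!HHIH", 2, 1, TTL, 0)   # "." NS; RDLENGTH patched below
        rdlen_pos = len(msg) - 2
        name_offsets.append(len(msg))
        rdata = bytes([1]) + letter.encode()
        if suffix_ptr is None:
            suffix_ptr = len(msg) + 2
            rdata += b"\x0croot-servers\x03net\x00"           # first name written in full
        else:
            rdata += struct.pack("!H", 0xC000 | suffix_ptr)   # later names compressed
        msg += rdata
        struct.pack_into("!H", msg, rdlen_pos, len(rdata))
    for i, off in enumerate(name_offsets):
        msg += struct.pack("!H", 0xC000 | off)                # owner = NS target above
        msg += struct.pack("!HHIH", 1, 1, TTL, 4) + bytes([192, 0, 2, 1 + i])
    return bytes(msg)


def probe(server, port=53, timeout=2.0):
    """Send the minimal query to a server you administer and assess its reply."""
    q = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return assess(q, resp)


if __name__ == "__main__":
    q = build_root_ns_query()
    print("refused :", assess(q, build_constructed_refused(q)))
    print("referral:", assess(q, build_constructed_referral(q)))
```

    Run against your own server with `probe("<your-dns-ip>")`: a reply with `ra` False and verdict "refused" is the behaviour the question describes for BIND; `ra` False with a root-hints referral is the Windows behaviour discussed here (the constructed referral comes out at about 10x, in line with the question's 476/45); `ra` True means the server is still offering recursion. The factor counts IP and UDP headers, which is why the 17-byte DNS refusal scores exactly 1.0.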
  • Hi Ace,

    Thanks for your response. The server in question is a DC, and it is reachable over the internet since it does host part of our DNS which needs to be accessible from the whole world. We are not aiming for PCI compliance, and forwarding is already disabled.

    So if I understood everything correctly, I should not delete the root hints since this is a DC, and rejecting recursive queries altogether (as BIND does) does not seem to be possible with Win2008R2. I hope that this has been improved in Win2012...

    The reason I want to change the server's behavior is that it triggered an alarm of our ISP's IDS. I was told that our server had been abused for a DNS amplification attack (probably the one on Spamhaus), and when investigating the issue, I found out what I wrote above.

    I had a look at how Microsoft does it on their public DNS servers and was surprised to find out that they even completely allow recursive queries on all of their servers (ns[1-5].msft.net). I am pretty sure this was not the case a couple of days ago. Never mind.

    Anyway, thank you again for the help.

    Thursday, April 11, 2013 7:18 AM
  • Hi Sainath,

    As I wrote above, the server is a DC, which is why I don't want to strip the root hints. Recursion is already disabled; however, this still results in an amplification factor of around 10. At least this is less than what could be achieved with a completely open resolver. Still, I believe it would be a much cleaner way to make the server really disallow recursion by setting the "Recursion Available" flag in its response to zero, without returning anything.

    Thursday, April 11, 2013 7:25 AM
  • It's ok to delete the roots, since from what I understand, you are not allowing users internet resolution, nor anyone else to use your server. Just an FYI, the action of disabling recursion means you want your DNS server to just be a content-only serving nameserver. Many companies do that. But that also means the server itself can't resolve internet names, even for something minor such as getting Windows Update (well, not really minor, just using the term loosely).

    I also don't agree with using a DC as an internet public content hosting DNS server. My recommendation is to use two separate DNS servers (the registrar requires two anyway for hostname servers hosting public records), whether stand alone Windows server (not joined), or BIND. And to secure the DNS servers, perform the steps I mentioned above, and it will satisfy the ISP. And your users will have internet access, if that is ok.

    Look at the picture below. The two DNS servers in the DMZ are using Roots to resolve internet names.

    -

    Here's a better idea. Using the diagram below as a basis, and instead of re-drawing the diagram for you, you can setup something like this, but run the steps I mentioned on the DMZ DNS servers, and instead of forwarding from the internal servers to the DMZ servers, forward to your ISP's DNS or any other reliable DNS on the internet, such as 4.2.2.3 and 4.2.2.2.

    Ace Fekay

    Thursday, April 11, 2013 2:54 PM
  • Hi Ace,

    OK, I think I'll go with stripping down the root hints. Our current setup is almost exactly the same as you depicted, with the only differences being that the DMZ servers are running Bind in our environment and a few publicly accessible zones are run on the DCs. However, I can adapt that to our needs.

    And you're right of course, the recursion flag actually *is* set to zero even in the root hints responses; sorry, I overlooked that.

    Thank you and cheers,

    marco

    Thursday, April 11, 2013 3:39 PM
  • If you already have BIND servers in the DMZ, I would remove all publicly accessed zones from your DCs to them. This will eliminate any possible backdoor to your DCs.

    And as long as the bit is set to 0, you're fine. That was what Sainath was referring to.

    And if I understand the whole topology correctly, and correct me if I'm wrong, you don't want to provide internet access to your users?

    If you are providing internet access, how are you going about it?


    Ace Fekay

    Thursday, April 11, 2013 9:06 PM
  • I have the same problem and deleted all the root-hints, but they reappeared after a while. How can I remove them permanently?
    Monday, October 17, 2016 9:00 AM
  • I have the same problem and deleted all the root-hints, but they reappeared after a while. How can I remove them permanently?

    You must delete the hints from multiple locations. The link below will explain more.

    https://support.microsoft.com/en-us/kb/818020/


    Ace Fekay

    • Proposed as answer by KJaensch Friday, September 27, 2019 9:21 AM
    Tuesday, October 18, 2016 2:31 AM
  • I removed all LDAP Active Directory entries from

    CN=System,CN=MicrosoftDNS,DC=RootDNSServers

    but they still appear after installation of the monthly security updates and the reboot after that.

    Friday, December 1, 2017 9:47 AM
  • Thanks. I removed CACHE.DNS and the LDAP Active Directory entries and now the root-hints do not appear anymore.
    Friday, September 27, 2019 9:20 AM