October 2, 2006

By Kurt Seifried (kurt@seifried.org)

Bind 9.4.0 will include default configuration directives that prevent DNS reflection/amplification attacks by default. What are DNS reflection or amplification attacks you ask? Read on.

Basically, if an attacker requests certain record types, the server in question will return a very large amount of data. For example, requesting the “TXT” record for AOL.com returns over 300 bytes of actual data, plus all the overhead of the DNS and network protocols, for a total of around half a kilobyte in response to a single DNS request. So what good is this to an attacker? Well, if an attacker can connect to the victim’s DNS server and make requests for data through it, the data returned can overwhelm a network connection. Alternatively, because DNS primarily uses the UDP protocol for making requests, attackers can also spoof the source address of their requests, so that DNS servers send their large responses to arbitrary hosts on the Internet.

In effect this provides attackers with a very easy facility to amplify the amount of bandwidth they have available, and to direct that traffic at arbitrary systems. Also, because DNS is a core protocol, it is rarely firewalled, and inside core networks it is almost never firewalled, making it a very attractive vehicle for attacks.

Now the funny thing (you can laugh or you can cry, I choose to laugh) is that fixing this issue on your servers won’t make you immune from attacks. Your servers may no longer be usable to execute attacks, but you can still be made the victim of them. Of course, if everyone were to secure their DNS infrastructure, this problem largely wouldn’t exist.

Notice how well this problem has been solved by email administrators when addressing spam being sent from systems that should be secured against such activity.

This is where the new default settings for Bind 9.4.0 come in. By default, Bind will only allow cache queries and recursive queries from localhost (127.0.0.1) and localnets (for example, if your machine is attached to 10.1.2.0/255.255.255.0, that subnet would be allowed to make queries). Of course, these configuration settings can be applied right now to your named.conf configuration file:

// The ACL referenced below must be defined before it is used;
// the address here is a placeholder, replace it with your own networks.
acl "example-acl" { 192.0.2.0/24; };

options {
	// Only these sources may ask this server to recurse on their behalf
	allow-recursion {
		"example-acl";
		127.0.0.1;
		10.1.2.0/24;
	};

	// Only these sources may query this server at all; if the server is
	// also authoritative for public zones, give those zones their own
	// allow-query { any; } so outside resolvers can still reach them.
	allow-query {
		"example-acl";
		127.0.0.1;
		10.1.2.0/24;
	};
};

This prevents you from adding to the problem. Going forwards, we can only hope that, like open SMTP relays, these vulnerable DNS servers will be shunned and otherwise encouraged to correct their configurations and make the Internet a safer place.
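Locking down allow-recursion is the fix; the other half is noticing when your resolver is being used as a reflector. The following is an added example (not part of the original post, nor of Bind itself) that scans Bind-style query log lines for outside clients sending recursive queries for large record types such as TXT and ANY. The allowed networks mirror the allow-recursion list above; the log lines, the client addresses and the threshold are constructed for the example, and the line format is assumed to follow Bind 9.4’s “client ip#port: query: name IN type +” layout.

```python
import ipaddress
import re
from collections import Counter

# Networks this resolver is meant to serve (mirrors the allow-recursion list above)
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.1/32"),
                ipaddress.ip_network("10.1.2.0/24")]

# Record types whose answers are large relative to the query that asked for them
AMPLIFYING_TYPES = {"TXT", "ANY"}

# Assumed Bind 9.4 query-log layout: "client <ip>#<port>: query: <name> IN <type> <+|->"
# where "+" means the client asked for recursion (RD bit set)
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
                    r"(?P<name>\S+) IN (?P<type>\S+) (?P<rd>[+-])")

def parse_line(line):
    """Return a dict describing the query, or None if the line is not a query log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:          # malformed address, treat as unparsable
        return None
    return {"ip": ip, "name": m.group("name"), "type": m.group("type"),
            "recursive": m.group("rd") == "+"}

def is_allowed(ip):
    return any(ip in net for net in ALLOWED_NETS)

def suspicious_clients(lines, threshold=3):
    """Map client address -> count for outside clients that sent at least
    `threshold` recursive queries for amplification-prone record types."""
    counts = Counter()
    for line in lines:
        q = parse_line(line)
        if q is None or not q["recursive"] or is_allowed(q["ip"]):
            continue
        if q["type"].upper() in AMPLIFYING_TYPES:
            counts[str(q["ip"])] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log: one inside client, one outside client hammering TXT/ANY,
# and one outside client whose queries are harmless (A record, or non-recursive)
SAMPLE_LOG = """\
02-Oct-2006 10:00:01.123 client 10.1.2.7#1025: query: aol.com IN TXT +
02-Oct-2006 10:00:01.456 client 198.51.100.9#2000: query: aol.com IN TXT +
02-Oct-2006 10:00:02.000 client 198.51.100.9#2000: query: aol.com IN TXT +
02-Oct-2006 10:00:02.300 client 198.51.100.9#2000: query: aol.com IN ANY +
02-Oct-2006 10:00:03.000 client 203.0.113.5#53: query: example.com IN A +
02-Oct-2006 10:00:03.100 client 203.0.113.5#53: query: example.com IN TXT -
""".splitlines()

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))   # prints {'198.51.100.9': 3}
```

A real deployment would read the query log category from named’s logging channel and tune the threshold to normal traffic; the queries from 10.1.2.7 are ignored because that client is inside a permitted network.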


One Response to “Bind 9.4.0 to address DNS reflection/amplification attacks by default”

  1. Alex Says:

    Thank You
