Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday August 18 2016, @05:45PM   Printer-friendly
from the doing-it-properly dept.

Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks.

That's the conclusion of Neustar, in a study released here and which found that of more than 1,300 DNSSec-protected domains tested 80 per cent could be used in an attack.

The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address.

[...] Neustar reckons on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80 byte query into a 2,313 response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query.

Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by NCommander on Thursday August 18 2016, @10:13PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 18 2016, @10:13PM (#389763) Homepage Journal

    DNS already supports TCP based connections, specifically for things like zone transfer. Its just a little hit or miss on router support but I've seen both Windows and Linux do it. The major headache is TCP connections have a very long setup and teardown time (maybe 100-200 ms under ideal conditions), plus additional latency since its a positive acknowledgement system.

    Theoretically, this attack could be mitigated by simply refusing to serve DNSSEC records over UDP. DNSSEC (by design) doesn't protect the last mile, your computer isn't asking for RRSIG records, it trusts its resolvers are validating and checking that info on its behalf.

    Ultimately, the problem is not with DNS, its the fact that you can use UDP to mount a reflection attack trivially if you have raw socket access to forge headers. Windows blissfully didn't have SOCK_RAW out of the box for many many years until Windows 2000, and then removed it in XP SP 2 which makes it harder for botnets to spoof UDP traffic without installing a NDIS driver which is much much harder to do.

    --
    Still always moving
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 0) by Anonymous Coward on Friday August 19 2016, @12:20AM

    by Anonymous Coward on Friday August 19 2016, @12:20AM (#389804)

    On top of that. If you are running a DNS server you should only serve your site. Letting others reflect off you may seem like a 'nice thing to do' but in the end just helps people who want to do nefarious things. Unfortunately its not the early 90s anymore :(. So the rule of thumb is if you are setting up a DNS server make sure reflection is on your side of the firewall. Then be sure you really want to do it. I set it up in my local network that way because I want caching and proxy server stuff. Having a local DNS server that caches helps speed things up decently.

    • (Score: 3, Informative) by NotSanguine on Friday August 19 2016, @12:39AM

      On top of that. If you are running a DNS server you should only serve your site.

      This assumes that you are not authoritative for a DNS domain. If your DNS server is authoritative for a zone that's exposed to the Internet, not allowing queries will certainly bock any reflection attacks using your DNS server, but it will also have the added beneficial effect of making the servers in your domain unresolvable. Good times!

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr