
Running a DNSSec Responder? Make Sure It Doesn't Help the Black Hats

Accepted submission by Arthur T Knackerbracket at 2016-08-17 14:40:54
Security

Story automatically generated by StoryBot Version 0.1.0a (Development).

Note: This is the complete story and will need further editing. It may also be covered by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [TheRegister] collected from rss-bot logs

Time: 2016-08-17 07:04:27-17:00 UTC

Original URL: http://www.theregister.co.uk/2016/08/17/running_a_dnssec_responder_make_sure_it_doesnt_help_the_black_hats/ [theregister.co.uk]

Title: Running a DNSSec responder? Make sure it doesn't help the black hats

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Running a DNSSec responder? Make sure it doesn't help the black hats

Arthur T Knackerbracket has found the following story [theregister.co.uk]:

Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks.

That's the conclusion of Neustar, in a study released here [neustar.biz], which found that of more than 1,300 DNSSec-protected domains tested, 80 per cent could be used in an attack.

The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address.

And DNSSec returns bigger responses anyhow. As the Neustar report notes: “With digital hashed signatures and complex key exchanges, DNSSEC records are considerably larger than standard DNS”.

Neustar reckons that, on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80-byte query into a 2,313-byte response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query.

The test was conducted using recursive servers that weren't under Neustar's control.

As well as being a denial-of-service vector, if a domain is paying for DNS by the query, the company says this kind of attack can drive up their costs.

Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.

Hence the best advice is for operators to filter out the ANY request, and put abuse-detection mechanisms in place. ®
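The abuse-detection side of that advice, as an added example that is not part of the Register story or of Neustar's study: a small Python detector run over constructed query-log lines (the log format, addresses and thresholds are assumptions; the ANY response sizes reuse the figures quoted above).

```python
"""Flag DNS reflection abuse from query-log lines.

Constructed log format (not that of any real DNS server):
  <client_ip> <qtype> <qname> <do_bit 0|1> <query_bytes> <response_bytes>
In a reflection attack the client address is spoofed, so a flagged
address is the victim being flooded, and the right response is to
refuse or rate-limit ANY answers towards it, not to blocklist it.
"""
from collections import defaultdict

# Constructed sample log; the ANY lines reuse the article's figures
# (80-byte query -> 2,313-byte and 17,377-byte DNSSEC responses).
SAMPLE_LOG = """\
198.51.100.7 A www.example.net 0 55 71
203.0.113.9 ANY example.com 1 80 2313
203.0.113.9 ANY example.com 1 80 2313
203.0.113.9 ANY example.org 1 80 17377
198.51.100.7 MX example.net 1 57 412
203.0.113.9 ANY example.com 1 80 2313
"""

def parse_line(line):
    client, qtype, qname, do_bit, qlen, rlen = line.split()
    return {"client": client, "qtype": qtype, "qname": qname,
            "dnssec": do_bit == "1", "qlen": int(qlen), "rlen": int(rlen)}

def amplification(qlen, rlen):
    """Response bytes per query byte, rounded to one decimal place."""
    return round(rlen / qlen, 1)

def detect_reflection(log_text, min_ratio=10.0, min_any=3):
    """Return {client: stats} for clients whose ANY queries repeatedly
    earned responses at least min_ratio times larger than the query."""
    stats = defaultdict(lambda: {"any_queries": 0, "max_ratio": 0.0,
                                 "bytes_returned": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        ratio = amplification(rec["qlen"], rec["rlen"])
        if rec["qtype"] == "ANY" and ratio >= min_ratio:
            s = stats[rec["client"]]
            s["any_queries"] += 1
            s["max_ratio"] = max(s["max_ratio"], ratio)
            s["bytes_returned"] += rec["rlen"]
    return {c: s for c, s in stats.items() if s["any_queries"] >= min_any}

if __name__ == "__main__":
    for client, s in detect_reflection(SAMPLE_LOG).items():
        print(client, s)
```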
