I've been conducting security scans, and a new one popped up for me:
DNS Server Spoofed Request Amplification DDoS
The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer which is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.
General Solution: Restrict access to your DNS server from public network or reconfigure it to reject such queries.
I'm hosting my own DNS for my website. I'm not sure what the solution is here... I'm really looking for some concrete detailed steps to patch this, but haven't found any yet. Any ideas?
CentOS5 with WHM and CPanel.
If the name server is only authoritative (i.e. it's not also providing recursive service for your network), simply remove the "root hints" section from /etc/named.conf. This typically looks something like this:
Authoritative servers don't need this zone.
Doing this should result in the server returning REFUSED rather than a copy of the root name servers to external clients. Also, as your server is authoritative only you should add:
in the main configuration block.
To prevent your system from being used as an "amplifier" for such an attack, you need to disable answers to all queries except your authoritative zones. To do so in bind9, you need two directives in named.conf:
Removing the root hints zone from named.conf does not help, because there is a built-in hint zone which is used if you don't include it explicitly in named.conf.
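Both answers above point at the same thing: an authoritative-only BIND server must stop answering for anything it is not authoritative for, and that is done in the options block of named.conf rather than by deleting the hint zone. The following is an added example of such an options block, not the configuration posted by either answerer; the directory, the zone name example.com, the zone file name and the absence of a secondary server are assumptions you would replace with your own values. The access-control lists are set explicitly rather than relying on per-version defaults, since the default of allow-query-cache has changed between BIND 9 releases.

```conf
options {
    directory "/var/named";          // assumed; use the directory your named actually runs in

    // Never perform recursive lookups on behalf of clients. An
    // authoritative-only server has no business resolving other zones,
    // and this is the directive that stops it handing out root
    // referrals to arbitrary Internet hosts.
    recursion no;

    // Explicitly deny cache and recursion access to everyone, so the
    // result does not depend on what this BIND version uses as the
    // default when "recursion no" is set.
    allow-recursion   { none; };
    allow-query-cache { none; };

    // Authoritative data must still be reachable from anywhere,
    // otherwise the Internet cannot find your web site.
    allow-query { any; };

    // Zone transfers only to a secondary you control; "none" if you
    // have no secondary (assumption: none configured here).
    allow-transfer { none; };
};

// Deliberately no  zone "." { type hint; ... }  block: this server does
// not need root hints, and with recursion disabled the built-in hints
// are not handed out to clients either.

zone "example.com" IN {                // assumed zone name
    type master;
    file "example.com.db";             // assumed zone file name under "directory"
    allow-query { any; };
};
```

After reloading (rndc reload, or a service restart on a cPanel box), verify from a host outside your network with dig @your.server.ip . NS +norecurse: a correctly locked-down server answers with status REFUSED, or at least with no root name servers in the response, while a query for your own zone (dig @your.server.ip example.com A) still returns your authoritative answer.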