
Recently, DNS open resolvers have been used in DDoS attacks against various organizations. This is a threat not only to the victim of the attack: bandwidth overage charges will also apply if your server is participating in attacks without your knowledge.

 

If you are reading this article because a ticket was opened for you in MyCP, the format for the report should look like this:

 

209.160.0.0 -> DNS-Open-Resolver - 2013-12-19 01:21:53,209.160.0.0,14361,US,HAWAII,HONOLULU,53,udp,mydomainname.com,1.3810,Microsoft DNS 6.0.6002 (1772487D)

It translates to this:

 

IP -> DNS-Open-Resolver - Timestamp, IP, ASN, CITY/STATE, PORT, PROTOCOL, HOSTNAME, AMPLIFICATION MINIMUM, DNS VERSION

 

Port 53 (DNS) - DNS servers should not allow recursion to the public.

 

For BIND 9.x authoritative servers:

  options {
      recursion no;
      additional-from-cache no;
  };

 

For Microsoft Windows Servers:
 

 

Using the Windows interface:

- Open DNS.
- In the console tree, right-click the applicable DNS server, then click Properties.

- Click the Advanced tab.
- In Server options, select the Disable recursion check box, and then click OK.

 

Follow up verification testing (from an un-trusted outside IP address):

 

From a Linux or Mac based machine from terminal -

 

[user@localhost ~]$ dig @IP.ADDRESS.HERE nanoservers.net

 

From a Windows based machine from cmd.exe (as administrator) -

 

C:\Windows\system32>nslookup nanoservers.net IP.ADDRESS.HERE

 

If you see:

 

;; ANSWER SECTION:
nanoservers.net. 274 IN A 209.160.57.140

 

Then the issue has not been resolved.

 

If you see:

  • connection timed out; no servers could be reached
  • nanoservers.net. 289 IN A [BLANKSPACE]

Or a response pointing to the root nameservers:

 

;; AUTHORITY SECTION:

. 30784 IN NS b.root-servers.net.

. 30784 IN NS j.root-servers.net.

. 30784 IN NS g.root-servers.net.

. 30784 IN NS l.root-servers.net.

;; ADDITIONAL SECTION:

b.root-servers.net. 30784 IN A 192.228.79.201

j.root-servers.net. 23583 IN A 192.58.128.30

g.root-servers.net. 30784 IN A 192.112.36.4

 

Then the issue has been resolved.
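The verification outcomes above can be checked mechanically. The following is an added example, not part of the original article: classify_dig is a hypothetical helper that reads dig output and reports which case applies, and the sample outputs are constructed to match the ones shown in this article.

```shell
#!/bin/sh
# classify_dig (hypothetical helper): reads dig output on stdin, prints a verdict.
#   OPEN           recursive answer for a name the server does not host
#   AUTHORITATIVE  answer carries the aa flag: the server hosts that zone, so
#                  retest with a name it is not authoritative for
#   CLOSED         timeout, REFUSED, no recursion offered, or root referral only
#   UNKNOWN        none of the above; read the output by hand
classify_dig() {
    awk '
        NF == 0                                 { sect = ""; next }
        /connection timed out/                  { closed = 1 }
        /status: REFUSED/                       { closed = 1 }
        /recursion requested but not available/ { closed = 1 }
        /^;; flags:[^;]* aa[ ;]/                { auth = 1 }
        /^;; ANSWER SECTION:/                   { sect = "answer"; next }
        /^;; AUTHORITY SECTION:/                { sect = "authority"; next }
        /^;; [A-Z]+ SECTION:/                   { sect = "other"; next }
        # A record line is: name TTL class type rdata (at least 5 fields).
        sect == "answer" && NF >= 5 && $1 !~ /^;/      { answers++ }
        sect == "authority" && $1 == "." && $4 == "NS" { closed = 1 }
        END {
            if (answers > 0 && auth) print "AUTHORITATIVE"
            else if (answers > 0)    print "OPEN"
            else if (closed)         print "CLOSED"
            else                     print "UNKNOWN"
        }'
}

# Constructed sample outputs, shaped like the cases in this article.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nanoservers.net. IN A

;; ANSWER SECTION:
nanoservers.net. 274 IN A 209.160.57.140'

SAMPLE_REFERRAL=';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; AUTHORITY SECTION:
. 30784 IN NS b.root-servers.net.
. 30784 IN NS j.root-servers.net.'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Prints OPEN, CLOSED, CLOSED for the three samples.
for s in "$SAMPLE_OPEN" "$SAMPLE_REFERRAL" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | classify_dig
done
```

For a live check from an untrusted outside address, pipe the dig command shown above into the function: dig @IP.ADDRESS.HERE nanoservers.net | classify_dig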

 

For additional information, please review the article published by US-CERT. It outlines the overview, description, detection, impact and common remedies for this widespread issue.

 

http://www.us-cert.gov/ncas/alerts/TA13-088A