DNS amplification attacks have become pesky (see below for pointers on these kind of attacks). There’s an easy way to verify if there are nameservers on your network that allow recursive queries for the “world”
Do this from a machine outside of your network (if you’d launch it from a machine inside your network chances are high that your IP is part of an ‘allowed’ list in the NS-config, thus falsifying your results).
The tool to use is nmap. Nmap is a free and open source utility for network discovery and security auditing.
http://nmap.org/
Nmap allows for the use of scripts through the Nmap Scripting Engine. On a default install these scripts (that end in .nse) are installed in
/usr/local/share/nmap/scripts
The script we need is dns-recursion.nse. A recent version is in the nmap SVN. https://svn.nmap.org/nmap/scripts/dns-recursion.nse
The source reveals that the script probes for “www.wikipedia.org”. Change the script if you’d like to differentiate the requests in your logs.
The nmap command you need is
nmap -sU -p 53 -sV -P0 –script “dns-recursion” 1.2.3.4
-sU = UDP scan
-p 53 = only scan for port 53 (the “dns”-port)
-sV = Probe open ports to determine service/version info
-P0 = Treat all hosts as online
When the nameserver allows recursion, output similar to this will be returned:
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.7.0-P1
|_dns-recursion: Recursion appears to be enabled
Redirect the output of nmap to a file and then use grep to look for recursion. Note: as far as I could check, the XML or Normal output of nmap lose the nse script output.
DNS amplification attack pointers:
- http://technet.microsoft.com/en-us/security/hh972393.aspx
- http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
- http://www.theinquirer.net/inquirer/news/1015743/dns-amplification-attacks-explained
Why having an open resolver is a bad idea:
- http://www.techrepublic.com/blog/security/ddos-attack-methods-and-how-to-prevent-or-mitigate-them/8523
- http://www.itworld.com/security/307178/open-dns-resolvers-increasingly-abused-amplify-ddos-attacks-report-says
- http://threatpost.com/en_us/blogs/attackers-turn-open-dns-resolvers-amplify-ddos-attacks-102412
Yeah, I just did an nmap with a -Pn attached to after a slow comprehensive scan. I personally do not like the idea that my Debian-Based OS (Not mentioning which OS, unless you E-Mail me) has this one port open. Now I have to see if this shows up on a remote scan out of paranoia (Wouldn’t be surprised). Anyhow, I don’t know how to close this port from being open and get it closed. I’m not hosting anything so I want as much protection as possible while online; very into anonymity. Just decided to mention this because most people think they don’t have a potential vulnerability. For example I just had to auto-remove CUPS because it ran as a server. May this server be hit with a CUPS exploit, and I were a business entity, with printers; one can maliciously make my multiple printer set ups waste all their ink and paper over an overnight hack, if they penetrate the root systems in the network. (Not difficult if you know how to remote scan with Wireshark and Nmap; a little network know how and an exploit procured in any sense may lead to potentially being hacked by any kind of hat-type hacker. UNIX is universal so obscurity is a myth. This is why major corporations use proprietary equipment and software, though they’re probably more vulnerable than they think also. Sorry for the long post but it’s stuff like this that’s important to know when being on the internet, for our own safety(s).
Would nmap do the scan asynchronously, so if you had a large range, it would just continuously send udp packets and collect the responses? Or what would be a better way of going about a quicker scan?
I would also recommend adding the –open option to only show the open dns resolvers, I also got some results with open|filtered which are false positives.
Indeed! I forgot about the –open ; it’s a good first filter for getting rid of false positives