IPv6 DNS Open Resolvers

 

Together with LACNIC’s R+D department, LACNIC CSIRT is carrying out the “Open DNS Resolvers with IPv6” project to understand the current situation in the region, identify open resolvers, and proactively warn their operators and recommend a possible correction to the configuration of this service.

Open DNS resolvers are harmful, both for the organization running the open service and for Internet security in general. This type of server is used as a vector for DDoS amplification attacks, because it allows small queries to cause much larger responses. Thus, a DNS server becomes a very powerful traffic magnifier: amplified responses can be directed to a specific IP address, which receives the entire volume of traffic and becomes unable to provide any services. In this type of attack, it is not even necessary for the attacker to control the victim’s hardware.

A recursive DNS server should only respond to queries from clients that are within its own network, rejecting any others.


How to solve this issue

We strongly recommend reconfiguring DNS/Resolver servers. A few ways to do this are listed below:

* Respond only to your clients and not to queries coming from IP addresses outside your network (in BIND, this is done by defining a limited group of computers in the “allow-query” rule). For example:

options {
    allow-query {
        192.168.196.0/24;
        2001:db8::/32;
        localhost;
    }; // end of allow-query
}; // end of options

* Serve only domains that are part of your authoritative zone (in BIND, this is done by defining a limited set of hosts in the “allow-query” rule for the server in general but setting “allow-query” to “any” for each zone). For example:

zone "example.com" {
    type master;
    file "example.com.db";
    // authoritative zone: answer queries for it from any client
    allow-query {
        any;
    }; // end of allow-query
}; // end of zone example.com

In Unbound, the same behavior can be achieved by using the access-control directive in the unbound.conf file. This is what it would look like:

server:
access-control: 2001:db8::/32 allow

In addition, if your company is an ISP, please verify the configuration of your network and make sure it does not allow spoofed traffic (traffic disguised to look like it was sent by external IP addresses) to leave your network. Networks and devices that allow spoofed traffic make this and other types of attacks possible.

How to identify an Open DNS Resolver on IPv6

Open resolvers, or open DNS servers, are very easy to identify in the world of IPv4. Because the IPv4 address space is quite small (2**32), it is relatively simple to run the test against every IPv4 address.

In the world of IPv6, it is virtually impossible to verify each IP address and run an Open Resolver test. This test might last thousands of years and would likely not be very useful once completed.

LACNIC manages a Reverse Root Server, specifically a “D” root server, i.e., d.ip6-servers.arpa. Many reverse IP address lookups from the LACNIC region are done through this server. Generally speaking, this server ONLY receives queries from DNS servers. This is where the project obtains the IPv6 addresses of the DNS servers that perform queries.

Identification is achieved by querying DNS servers for a domain name. If the DNS server returns a valid response, then it is considered an Open Resolver. Conversely, if the query is refused, or if it simply times out, the server is considered well configured and is not an Open Resolver.
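The check described above, sketched as an added example (not LACNIC's own tool) for auditing a resolver you operate from an address outside its allowed networks. The function names are hypothetical, the query name should be one known to resolve, and "valid response" is taken here to mean NOERROR with the RA flag set and at least one answer record, which is an assumption.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID, adequate for a one-shot check
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Build a DNS query (default type A) with the RD bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(reply):
    """Apply the page's rule to a raw reply; None means the query timed out."""
    if reply is None:
        return "closed (timeout)"
    if len(reply) < 12:
        return "invalid"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != TXID or not flags & 0x8000:   # wrong ID or not a response
        return "invalid"
    rcode = flags & 0x000F
    # Assumption: "valid response" = NOERROR + RA flag + at least one answer.
    if rcode == 0 and flags & 0x0080 and ancount > 0:
        return "open"
    return "closed (%s)" % RCODES.get(rcode, "rcode %d" % rcode)

def check_resolver(addr, name, timeout=3.0):
    """Send one query over UDP/IPv6 to addr and classify the outcome."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (addr, 53))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)

# Constructed sample replies (not captured traffic) so the logic runs offline.
_QUESTION = build_query("example.com")[12:]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, raw in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("timeout", None)):
        print(label, "->", classify(raw))
```

A resolver restricted with allow-query or access-control as shown earlier should report "closed (REFUSED)" or "closed (timeout)" when check_resolver is run from outside the permitted prefixes.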