

<h1>DNS Open Resolvers on IPv4</h1>

<p>LACNIC CSIRT, https://csirt.lacnic.net/en/dns-open-resolvers-on-ipv4. Published 2020-07-27, last updated 2020-09-15.</p>

<p>LACNIC CSIRT is working together with CSIRT CEDIA on the “DNS Open Resolvers on IPv4” project, which seeks to understand the current status of the region, identify open resolvers, and proactively alert their operators and recommend corrections to the way this service is configured.</p>

<p>Open DNS resolvers affect both those who run the open service and Internet security in general. Such servers are used as a vector for amplification DDoS attacks: an attacker sends the resolver a recursive DNS query whose answer is much larger than the query packet, and forges the source address of the query so that the answer is delivered to the victim instead. Because DNS runs over UDP, the resolver cannot tell that the query did not come from the address it replies to. This makes an open resolver a very powerful traffic amplifier: a stream of small spoofed queries, sent to many open resolvers, converges on a single IP address as a volume of traffic large enough to make its services unavailable. To carry out this type of attack the attacker does not need to control the resolver; it only needs to be able to reach it.</p>

<p>A recursive DNS server should only answer queries from the clients on its own network and refuse any that come from outside.</p>

<h3 class="wp-block-heading">How to solve this problem</h3>

<p>We strongly recommend reconfiguring your DNS resolvers. Here are some ways to do this:</p>

<p><strong>*</strong> Resolvers should only respond to their own clients. They should not answer queries from IP addresses outside their network (in <strong>BIND</strong>, this means restricting the “allow-query” option to a limited set of networks). 
In the following example, only the networks 192.168.196.0/24 and 2001:db8::/32, plus the server itself (localhost), will be able to send queries. More networks can be added as further entries, each terminated by a semicolon (;):</p>

<div class="alert alert-dark">options {<br>allow-query {<br>192.168.196.0/24;<br>2001:db8::/32;<br>localhost;<br>};<br>};</div>

<p>BIND derives the default for “allow-recursion” from “allow-query”, so this also limits recursion to the listed networks; setting “allow-recursion” explicitly to the same list makes that intent visible and keeps it from changing if “allow-query” is later widened.</p>

<p><strong>*</strong> To answer queries from anywhere only for the zones you are authoritative for, while resolving everything else only for your own clients (in <strong>BIND</strong>, keep the restricted “allow-query” list in the global “options” block and set “allow-query” to “any” inside each authoritative zone statement; the zone-level setting overrides the global one only for names in that zone). Example, with a placeholder zone name and zone file:</p>

<div class="alert alert-dark">options {<br>allow-query {<br>192.168.196.0/24;<br>2001:db8::/32;<br>localhost;<br>};<br>};<br><br>zone "example.com" {<br>type master;<br>file "db.example.com";<br>allow-query { any; };<br>};</div>

<p><strong>*</strong> You can achieve the same behavior in <strong>unbound</strong> with the “access-control” directive in unbound.conf (add one “access-control” line per network). Addresses that match no “access-control” entry are refused by default, and the loopback addresses are allowed by default, so no further rule is needed:</p>

<div class="alert alert-dark">server:<br>access-control: 192.168.196.0/24 allow<br>access-control: 2001:db8::/32 allow</div>

<p>* On <strong>MikroTik</strong> devices, the router stops resolving for third parties once the <strong>Allow Remote Requests</strong> checkbox is cleared: in WinBox or in the WebFig web control panel, open IP → DNS and <strong>deselect</strong> Allow Remote Requests. Note that this also stops the router from answering DNS queries from your own LAN clients; if the router must remain their DNS server, leave the option enabled and instead add firewall filter rules to the input chain that drop UDP and TCP port 53 arriving on the WAN interface.</p>

<p>If your company is an ISP, you must also check your network configuration and make sure that you do not allow spoofed traffic (packets whose source address does not belong to your network) to leave your network.</p>
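<p>The access-control rules in the BIND and unbound examples above, written out as a small policy model in Python. This is an added example, not code from the LACNIC CSIRT page or from BIND or unbound; the networks, the placeholder zone names (example.com, example.net) and the sample queries are assumptions chosen for the illustration. It shows the three possible outcomes for a query (recursive service for a trusted client, an authoritative-only answer for anyone asking about one of your own zones, and REFUSED for everything else) and the label-wise zone matching that keeps notexample.com from counting as part of example.com.</p>

```python
"""Policy model of the resolver access-control rules (added example, not code
from the LACNIC CSIRT page, BIND or unbound).  Networks, zone names and the
sample queries below are constructed for the illustration."""
from typing import List, Optional
import ipaddress

# Trusted client networks: the same list as the BIND allow-query example, plus
# the loopback addresses that "localhost" stands for.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.196.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Zones this server is authoritative for (placeholder names, an assumption).
AUTHORITATIVE_ZONES = ["example.com.", "example.net."]


def _canonical(name: str) -> str:
    """Lower-case a DNS name and normalise it to exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def is_trusted(client_ip: str) -> bool:
    """True when the client address lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def authoritative_zone_for(qname: str) -> Optional[str]:
    """Return the longest authoritative zone that contains qname, or None.

    Matching is per label: 'www.example.com' is inside 'example.com.', but
    'notexample.com' is not, even though it ends with the same characters.
    """
    name = _canonical(qname)
    best = None
    for zone in AUTHORITATIVE_ZONES:
        z = _canonical(zone)
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def admit_query(client_ip: str, qname: str) -> str:
    """Decide how the resolver treats a query, as the hardened config would.

    "recursive"     trusted client: any name, recursion allowed
    "authoritative" any client, name in one of our zones: answered from the
                    zone data without recursion (zone-level allow-query any)
    "refused"       outside client, name we are not authoritative for: this
                    is the case an open resolver gets wrong
    """
    if is_trusted(client_ip):
        return "recursive"
    if authoritative_zone_for(qname) is not None:
        return "authoritative"
    return "refused"


def audit(samples: List[tuple]) -> dict:
    """Count decisions over (client_ip, qname) pairs, e.g. from a query log."""
    counts = {"recursive": 0, "authoritative": 0, "refused": 0}
    for client_ip, qname in samples:
        counts[admit_query(client_ip, qname)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample queries: inside and outside clients, names in and
    # outside the authoritative zones.
    SAMPLES = [
        ("192.168.196.10", "www.google.com"),   # LAN client, any name   -> recursive
        ("2001:db8:1::5", "example.org"),       # IPv6 LAN client        -> recursive
        ("203.0.113.7", "www.example.com"),     # outside, our zone      -> authoritative
        ("203.0.113.7", "WWW.EXAMPLE.NET."),    # case and trailing dot  -> authoritative
        ("203.0.113.7", "notexample.com"),      # look-alike name        -> refused
        ("203.0.113.7", "www.google.com"),      # the open-resolver case -> refused
    ]
    for client, name in SAMPLES:
        print(f"{client:>16}  {name:<20} -> {admit_query(client, name)}")
    print(audit(SAMPLES))
```

<p>Feeding real (client, qname) pairs from a query log into audit() before and after the configuration change is a quick way to confirm that outside clients now only reach the "authoritative" and "refused" outcomes.</p>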
<p>Networks and devices that let spoofed traffic (packets with forged source IP addresses) out enable this and other types of attacks. Filtering such packets at the network edge, so that only your own address space can leave it, is the source-address validation described in BCP 38.</p>

<p>* If you use <strong>openwrt</strong>, <strong>dd-wrt</strong> or a Linux device, you may be running dnsmasq. In the case of dnsmasq, the solution is to block DNS packets arriving from the Internet on port 53 of the WAN interface. This can be configured in the firewall of your openwrt/dd-wrt device, or with iptables on a Linux device (replace eth0 with the name of your WAN interface; without the “-i” option the rule would also drop queries from your own LAN):</p>

<div class="alert alert-dark">iptables -I INPUT -i eth0 -p udp --dport 53 -j DROP</div>

<p>Add the same rule with “-p tcp” so that queries over TCP are blocked as well, and save the rules so that they survive a reboot. Current dnsmasq versions can also enforce this on their own with the “local-service” option, which accepts queries only from subnets directly attached to the device.</p>

<h3 class="wp-block-heading">How to check if your changes have been effective</h3>

<p>Once you have made the necessary changes, go to <a href="https://openresolver.com/">https://openresolver.com/</a> and check whether the IP address we reported to you is still an open resolver. Run the check from outside your own network: a resolver configured as above will, by design, still answer queries that originate inside it.</p>

<h3 class="wp-block-heading">Open Resolvers on IPv6</h3>

<p>If any of your DNS resolvers are configured for IPv6 or dual stack, we suggest checking the information and recommendations available at:</p>

<p><a href="https://csirt.lacnic.net/dns-open-resolvers-con-ipv6">DNS Open Resolvers on IPv6</a></p>
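<p>The check described under “How to check if your changes have been effective”, done by hand: an added Python example (not code from the LACNIC CSIRT page or from openresolver.com) that sends one recursive DNS query to a resolver and reports whether the reply carries the “recursion available” flag with a NOERROR or NXDOMAIN result, i.e. whether the resolver is open, together with the amplification factor of the exchange (bytes received divided by bytes sent). Run probe() from a host outside your own network, against a name you are not authoritative for. The resolver address and query name are assumptions, and the packets used by the offline self-check are constructed, not captured.</p>

```python
"""Open-resolver probe and amplification measurement (added example; not code
from the LACNIC CSIRT page).  The packet builders and parser are pure so they
can be checked offline; probe() performs the real UDP exchange."""
import secrets
import socket
import struct
import sys

EDNS_BUFSIZE = 4096  # UDP payload size advertised in the EDNS0 OPT record

# DNS header flag bits and a few RCODEs (RFC 1035 / RFC 6891)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_question(qname: str, qtype: int = 1) -> bytes:
    """Wire-format question: length-prefixed labels, root byte, QTYPE, QCLASS=IN."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_query(qname: str, txid: int, qtype: int = 1, edns: bool = True) -> bytes:
    """A query with RD=1 (ask for recursion) and, optionally, an EDNS0 OPT RR.

    The OPT record tells the server we accept large UDP answers, which is
    exactly what an amplification attacker does; without it responses are
    capped at 512 bytes."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_BUFSIZE, 0, 0)
    return header + encode_question(qname, qtype) + opt


def parse_header(resp: bytes, txid: int) -> dict:
    """Fields of a response header needed to judge the resolver's behaviour."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id_ok": rid == txid,          # reply belongs to our query
        "qr": bool(flags & FLAG_QR),   # it is a response
        "ra": bool(flags & FLAG_RA),   # server offers recursion
        "tc": bool(flags & FLAG_TC),   # answer was cut to fit in UDP
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(query: bytes, resp: bytes, txid: int) -> dict:
    """Open resolver = a matching response that offers recursion and answers."""
    h = parse_header(resp, txid)
    is_open = h["id_ok"] and h["qr"] and h["ra"] and h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN)
    return {
        "open_resolver": is_open,
        "refused": h["id_ok"] and h["rcode"] == RCODE_REFUSED,
        "truncated": h["tc"],
        "amplification": len(resp) / len(query),  # bytes back per byte sent
    }


def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one query to server:53 and classify the reply."""
    txid = secrets.randbelow(0x10000)
    query = build_query(qname, txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(65535)
        except socket.timeout:
            # No answer at all: closed, filtered, or dropped like the iptables rule does
            return {"open_resolver": False, "refused": False, "no_reply": True}
    return classify(query, resp, txid)


def sample_response(txid: int, qname: str, rcode: int, ra: bool, n_answers: int) -> bytes:
    """Constructed (fake) response for offline checks: echoes the question and
    appends n_answers A records that point back at the question name."""
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + encode_question(qname) + rr * n_answers


if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: python probe.py <resolver-ip> [qname]
    print(probe(sys.argv[1], *sys.argv[2:3]))
```

<p>A hardened resolver answers an outside probe with RCODE REFUSED (or not at all, if port 53 is dropped at the firewall); an open one answers with the RA flag set and a full answer section, and the amplification figure shows how much larger that answer is than the 40-byte query.</p>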