Monday, April 20, 2009

DNS recursion, a thing of the past (not exactly)

Not every server can be authoritative for everything, so recursive (caching) DNS servers do the work of chasing down answers on behalf of their clients and keep those answers in a cache. That is where cache poisoning comes in: a vulnerability in recursive or caching DNS server code lets a forged answer be accepted as though it came from the authoritative server, and the cache stores the fake record. Once a susceptible recursive server (or an authoritative server it relies on) has been poisoned, users and visitors who trust it can be lured to a fraudulent site in place of the intended destination. Along the same lines, denial of service is feasible, with a flood of requests aimed at a single IP (an open recursive server makes a convenient reflector for that), as is resource hijacking that degrades the resolver's performance and puts unnecessary load on the root servers.


Of course this wouldn't happen if you just set up your DNS servers as non-recursive, right?
You could block UDP/53 at the router and be rid of recursion entirely, but that leaves no flexibility and no way to support, say, a large provider's own clients. The more workable answer is at the server level: where BIND is serving zones and handling zone transfers (or doing both), restrict recursion with ACLs so that only your own networks can recurse through it, limit zone transfers to your own secondary DNS servers, and fix static and DHCP assignments so clients refer to the right resolvers. Beyond that, consider Unicast RPF or BCP38 ingress filtering so spoofed source addresses never reach you, or at the very least know your traffic end to end.
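As an added example (this is not configuration from the original post), here is a BIND named.conf fragment showing the wide-open setting beside the ACL-restricted one. The ACL names, address ranges and the zone are placeholders standing in for your own networks.

```conf
// WEAK: anyone on the Internet can recurse through this server and pull zones.
// options {
//     recursion yes;
//     allow-recursion { any; };
//     allow-transfer { any; };
// };

// HARDENED: recursion and cache access only for our networks, transfers only to
// our own secondaries. Addresses below are placeholders.
acl "internal"    { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
acl "secondaries" { 198.51.100.53; };

options {
    recursion yes;
    allow-recursion   { internal; };   // who may ask us to recurse
    allow-query-cache { internal; };   // who may read what we have cached
    allow-query       { any; };        // authoritative data is still public
    allow-transfer    { none; };       // default for every zone unless overridden
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { secondaries; };   // AXFR/IXFR only to the listed hosts
};
```

After a `rndc reload`, a recursive query from an address outside the `internal` ACL gets REFUSED while queries for `example.com` still get authoritative answers. If you can afford the hosts, the cleaner design is to run the authoritative and recursive roles on separate servers rather than mixing them in one named.conf.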

To aid in verifying your own DNS recursive query setup, http://recursive.iana.org/
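As an added example (not a tool from the original post or from IANA), the script below does the same kind of check from your own network: it sends one query with the RD (recursion desired) bit set for a name the target is not authoritative for, then reads the RA (recursion available) bit and RCODE out of the reply header. The sample replies at the bottom are constructed by hand so the classification logic can be exercised offline; `check_resolver` is the only part that touches the network.

```python
"""Check whether a DNS server offers recursion to the querying host.

Added example, not part of the original post. Wire format per RFC 1035.
"""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_REFUSED = 5

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # this is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)


def encode_name(name: str) -> bytes:
    """Turn 'www.iana.org' into length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """Minimal A query; RD=1 asks the server to recurse on our behalf."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header fields that matter for a recursion check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": an}


def classify(resp: bytes, txid: int) -> str:
    """Return one of: open, refused, auth-only, no-recursion, ignored."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "ignored"          # not the reply to our query
    if h["rcode"] == RCODE_REFUSED:
        return "refused"          # an ACL denied recursion for our address
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"             # it recursed for us: open resolver from here
    if h["aa"] and not h["ra"]:
        return "auth-only"        # answered from its own zone, no recursion offered
    return "no-recursion"


def check_resolver(server: str, name: str = "www.iana.org", timeout: float = 3.0) -> str:
    """Send one recursive query over UDP/53 and classify the reply (needs network)."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify(resp, txid)


# --- constructed sample replies for offline testing (not real captures) -----
def make_response(txid: int, flags: int, name: str, answers: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, answers, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # one A record (192.0.2.10) using a compression pointer back to the question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([192, 0, 2, 10])
    return header + question + rr * answers


SAMPLE_OPEN = make_response(0x1234, FLAG_RD | FLAG_RA, "www.iana.org", 1)
SAMPLE_REFUSED = make_response(0x1234, FLAG_RD | RCODE_REFUSED, "www.iana.org", 0)
SAMPLE_AUTH_ONLY = make_response(0x1234, FLAG_RD | FLAG_AA, "example.com", 1)
SAMPLE_NO_RECURSION = make_response(0x1234, FLAG_RD, "www.iana.org", 0)

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once from inside your network and once from an outside host: the inside run should come back `open`, the outside run `refused` (or `auth-only` if you point it at a name the server is authoritative for). An `open` result from outside means the ACL work above is not finished.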
