DNS open resolver.



I have this issue that is annoying the hell out of me because I am sure it's gonna be a simple fix that I can't figure out.

One of my sites has a single AD-integrated DNS server; everything works as it should and we have no internal issues. However, recently I received notification from their ISP that this site is showing signs of DDoS activity, which, after testing from here, http://openresolver.com/, I was able to confirm: the site was indeed open.

I can't disable recursion because the users stop getting internet access. I even blocked incoming DNS on the firewall and it was still showing as open.

My brain has gone blind on this from looking at it for too long, any thoughts on what I am missing?


Why are you allowing incoming DNS to be open on your AD site?

Incoming should be closed, outgoing should be open. Nothing from the outside should be checking your internal DNS servers for addresses. Your DNS servers should be querying external servers, which is outgoing only. It sounds as if you have a misconfiguration.

You may have to contact your firewall vendor to help set your firewall up to help mitigate DDoS attacks.

Edited by sc302
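A local way to repeat the check the first post ran through openresolver.com, added here as an example and not code from anyone in this thread: it sends one recursive query (RD set) for a name the server is not authoritative for and reads the RA flag, RCODE and answer count from the reply. `SERVER` and `TEST_NAME` are placeholders to fill in; run it from a host outside the site's network, because internal clients are supposed to get recursion from an AD DNS server and an inside test will always look "open".

```python
import random
import socket
import struct

# Added example: minimal open-resolver check using only the standard library.
SERVER = "192.0.2.53"        # placeholder from the documentation range, not a real server
TEST_NAME = "example.com"    # any name the tested server is not authoritative for


def build_query(name: str, txid: int, recursion_desired: bool = True) -> bytes:
    """Encode a DNS query for an A record of `name`, with the RD flag set by default."""
    flags = 0x0100 if recursion_desired else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify_response(data: bytes, txid: int) -> str:
    """Map a raw reply to a verdict about recursion for the querying client."""
    h = parse_header(data)
    if h["id"] != txid:
        return "mismatched-id"
    if not h["qr"]:
        return "not-a-response"
    if not h["ra"]:
        return "recursion-not-available"   # server will not recurse for us: what you want from outside
    if h["rcode"] == 5:
        return "refused"                   # advertises RA but refused this query
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open"                      # resolved a foreign name for an outside client
    return "rcode-%d" % h["rcode"]


def check_resolver(server: str = SERVER, name: str = TEST_NAME, timeout: float = 3.0) -> str:
    """Send one recursive query over UDP/53 and classify the reply (does network I/O)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"           # filtered by the firewall or silently dropped
    return classify_response(data, txid)


if __name__ == "__main__":
    print(SERVER, "->", check_resolver())
```

If the verdict from outside is anything other than `no-response` or `recursion-not-available` after the firewall change, the block is not taking effect for port 53 (for example a NAT or port-forward rule placed ahead of it), which is the kind of thing the firewall vendor can help trace.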

You should have an outbound that supports that rule... You shouldn't have to put in a specific rule to allow outbound.

I don't know what model you have or the security holes that it may or may not have, but perhaps you should make sure you are on a current (this year) firmware update or you should get a new firewall that is capable of current updates.
