3.2 Restrict Recursive Queries - Authoritative Name Server

Information

A recursive DNS query is your typical DNS query from a client to a caching DNS server. It places the burden of finding the answer on the caching DNS server which will recursively query other DNS servers authoritative for the domains, until it gets the answer which is then returned to the client. The DNS server will then cache the answer to that query until its time-to-live expires in order to provide a quick answer to future queries for the same name. BIND can be configured to restrict fulfillment of recursive lookups to only authorized network segments and hosts. This is made possible by the allow-recursion option. Caching non-authoritative name servers should only allow recursive queries from clients on their own authorized networks. Authoritative name servers should not allow recursive queries, except to the local host.

Rationale:

Recursive DNS queries are commonly used in malicious attacks, including DNS amplification attacks and DNS cache poisoning attacks. A DNS amplification attack is a form of a reflected distributed denial-of-service attack, where multiple publicly accessible servers are sent recursive queries with the source IP address spoofed to be that of the victim. A high volume of relatively large DNS responses then flood the victim. For a DNS cache poisoning attack, the attacker may perform a query, and then provide a bogus response for the server to store in the cache.?? The bogus response may redirect clients to a different IP address which is provided by the attacker. Once the cache is poisoned, then clients visiting web sites, connecting to mail servers or VPNs may be connected with a malicious server configured to attack the client or steal credentials.

Limiting recursive queries to trusted networks does not prevent all of the DNS attacks possible, but it does make the attacks much more difficult and dramatically limits the scope of possible attacks so that detection and response are manageable.

Solution

Authoritative Name Server:

For an authoritative name, insert the following either into the global options or into every zone section.

allow-recursion { localhost; };

Caching Name Server:

- Define an ACL named trusted_clients which will identify the networks which are expected to use the DNS caching server, and will be allowed to send recursive DNS queries.

acl trusted_clients { 10.19.4.0/28; . . . }

- Insert the following into the global options.

allow-recursion { localhost; trusted_clients };

Default Value:

The allow-recursion option is not defined by default.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20, CSCv6|9.1

Plugin: Unix

Control ID: 658826efe81b7d9bb586f83d91e057d9cf6e3160fd15fc8853300785d30f7b07