Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2.

Published byJeffry Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2."— Presentation transcript:

1

2 Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2

3 Still Open DNS resolvers in NREN – Why? ● Reason offered – users are not aware of danger ●Remedy: have to work on their education, boost collaboration ●Following: reminder + instruction to fix problem on the most popular platform in Serbian NREN i.e. BIND 9.x and Microsoft DNS server on Windows 2003, 2008 ●The expected result did not occur !!! ●Lesson learned – some reasons may stay invisible from NREN’s point of view ● 78% of the persistently open resolvers in our NREN fit to template: ●DNS service on Microsoft platform Windows 2003, 2008 with primary zone file configured for at least one domain ●DNS service is integrated with few other services on the same server ●basic security protection implemented by packet filtering on router on uplink to NREN (caution if high bandwith availabe 1Gbps) ● Reason found out - lack of security DNS feature inherited in platform used at campuses ●Remedy: add another box –DNS server (with option to accept/deny recursive queries based on its ip source address, preferably BIND 9.x) or –firewall (stateful packet inspection) 3

4 Solution – add DNS server on site ● Option available Disable recursion block all requests 4

5 Solution – add DNS server at NREN 5

6 Solution – add firewall 6

7 Reasons of slow changes One vendor choice (Microsoft solution) has been already made Not easy to maintain just one “very different” box Hard to accept to outsource such an successfully provided and old service Preferable – the matter of very modest budget available in most institutions ● Option to wait on Microsoft to add appropriate feature in its platforms - It is not solution! 7

8 How to check? - Useful links ● Find the number of known open DNS resolver ●Per AS (for each AS over time period Jun 2006 - Jun 2013) –http://dns.measurement- factory.com/surveys/openresolvers/ASN-reports/20130516.html –http://dns.measurement- factory.com/surveys/openresolvers/ASN-reports/ ●Per address space (masks “longer” than /22) –http://openresolverproject.org/ –paste an address into the search box near the top ● Fast check for a single domain. ●www.intoDNS.com under Recursive Querieswww.intoDNS.com ● Also … 8

9 Thank you! E-mail: mara@rcub.bg.ac.rs

10 Solutions – additional server Without Animation 5

Download ppt "Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2."

Similar presentations

TERMINAL SERVER DEPLOYMENT PLAN. STEP 1: PREPARATION  UTILIZE THE CURRENT SERVER FOR: ACTIVE DIRECTORY (AD) ACTIVE DIRECTORY (AD) NEEDED FOR STORAGE.

TERMINAL SERVER DEPLOYMENT PLAN. STEP 1: PREPARATION  UTILIZE THE CURRENT SERVER FOR: ACTIVE DIRECTORY (AD) ACTIVE DIRECTORY (AD) NEEDED FOR STORAGE.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.

Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Web Server Administration

Web Server Administration
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.

11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google