[Solved] How to disallow DNS servers responding to recursive queries?


#1 Post by 818erm9x1 »

Hi all,

According to the German CERT-Bund Reports, DNS Open-resolvers can be abused for DDoS reflection attacks against third parties. They describe a simple test to discover if a server has this issue. One can execute the following command (replacing the IP with the server IP which we want to test):

Code:

$ dig cert-bund.de @192.168.45.67

An open resolver allowing recursive queries will return a response with status NOERROR, whereas an open resolver not allowing recursive queries will return a response with status REFUSED.

One of my servers, which uses Debian 12.5, has a DNS open resolver. However, I don't know how to avoid the open resolver. Some instructions say I should modify the BIND configuration. However, it seems BIND is not installed on the server:

Code:

$ aptitude show bind9
Package: bind9
Version: 1:9.18.24-1
State: not installed
...

How can I disallow recursive queries?

How can I disallow the open resolver? I think I don't need it.
Last edited by 818erm9x1 on 2024-03-20 08:03, edited 1 time in total.


#2 Post by reinob »

You'd first need to find out which resolver you have installed in that server. Common options are bind (which you say you don't have) and unbound.

Note that your dig test returns NOERROR if the server (192.168.45.67) provides a result. This doesn't say anything about whether or not it allows recursive queries (but normally the whole point of a resolver is that it resolves recursively), so it's not clear to me where you think there is a problem.

Obviously, you can run your recursive resolver (I have one in my home network, and some of my computers have their own recursive resolver). As long as you don't let outsiders use it, there is no problem. So this is more a firewall configuration issue.

But maybe I'm misunderstanding what (you think) the problem is.


#3 Post by 818erm9x1 »

Thanks, @reinob, for your answer. I also don't know which resolver I have installed. I don't have unbound installed because I got the following information with aptitude:

Code:

root@degu02:~# aptitude show unbound
Package: unbound
Version: 1.17.1-2+deb12u2
State: not installed
...

I got the following answer:

Code:

$ dig cert-bund.de @X.X.X.X
; <<>> DiG 9.18.24-1-Debian <<>> cert-bund.de @X.X.X.X
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9300
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cert-bund.de.			IN	A

;; ANSWER SECTION:
cert-bund.de.		300	IN	A	35.234.91.239

;; AUTHORITY SECTION:
cert-bund.de.		3600	IN	NS	bamberg.bund.de.
cert-bund.de.		3600	IN	NS	dns-1.dfn.de.
cert-bund.de.		3600	IN	NS	xenon.bund.de.
cert-bund.de.		3600	IN	NS	argon.bund.de.
cert-bund.de.		3600	IN	NS	nuernberg.bund.de.

;; Query time: 36 msec
;; SERVER: X.X.X.X#53(X.X.X.X) (UDP)
;; WHEN: Mon Mar 18 19:59:35 CET 2024
;; MSG SIZE  rcvd: 172

So, I followed your suggestion and I use the UFW firewall to disable access to port 53 from outside. This solves the problem :D
Last edited by 818erm9x1 on 2024-03-18 19:19, edited 1 time in total.
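
Added example, not part of any post in this thread: post #2 points out that NOERROR alone does not show that recursion is being served, so this shell function reads dig output and checks the status together with the `ra` (recursion available) flag and the answer count. The function name and verdict words are assumptions of the example; the first sample is the header from post #3, the second is constructed.

```shell
# Added example. Reads dig output on stdin and prints one verdict word.
# Intended use, from a host outside the network:
#   dig cert-bund.de @X.X.X.X | classify_dig
classify_dig() {
    awk '
    /->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
        seen = 1
        flags = $0
        sub(/^;; flags:/, "", flags); sub(/;.*/, "", flags)
        # ra is set by the server when it offers recursion to this client
        ra = ((" " flags " ") ~ / ra /)
        if (match($0, /ANSWER: [0-9]+/))
            answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    END {
        if (!seen)                    print "no-response"
        else if (status == "REFUSED") print "refused"
        else if (status == "NOERROR" && ra && answers > 0) print "open-recursive"
        else if (!ra)                 print "recursion-not-offered"
        else                          print "inconclusive"
    }'
}

# Header lines copied from the dig output in post #3.
sample_open=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9300
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1'
# Constructed: a run where port 53 is filtered and no header is printed.
sample_filtered=';; no servers could be reached'

printf '%s\n' "$sample_open"     | classify_dig
printf '%s\n' "$sample_filtered" | classify_dig
```

The verdict only describes what the querying host can reach, so a run from inside the network says nothing about exposure to outsiders.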


#4 Post by reinob »

Maybe you could log in to your DNS server (the X.X.X.X in your last message) and run (as root):

Code:

netstat -plutn | grep 53

This will show which process is listening on port 53 (DNS).

If you post here the output, it may help to identify what kind of service/server is running.

Common DNS servers are bind, unbound, and dnsmasq.
(probably systemd-resolved too, but I don't think it'd listen to requests from other computers, but you never know..)


#5 Post by 818erm9x1 »

Thank you again! Your last answer was very useful. With netstat, I noticed that the DNS server was dnsmasq. Then, I added `no-resolv` to the configuration as described on https://serverfault.com/a/847856. However, this also disables the resolver from internal connections and from containers (which breaks some applications). Thus, in my opinion, the best solution is using the firewall.
Last edited by 818erm9x1 on 2024-03-20 08:02, edited 1 time in total.
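
Added example, not part of any post in this thread: a shell check that reads dnsmasq configuration text and reports whether the listener is scoped to named interfaces and whether `no-resolv` has left it without any upstream, which is the side effect described in post #5. The function name, verdict words and the `docker0` interface name are assumptions; `interface=`, `listen-address=`, `except-interface=`, `local-service`, `bind-interfaces`, `no-resolv` and `server=` are dnsmasq options.

```shell
# Added example. Reads dnsmasq configuration text on stdin and prints two
# lines: who may reach the DNS listener, and whether it can still forward.
# Only the file text is examined; options given on the dnsmasq command line
# (for example by the service unit) are not visible to this check.
audit_dnsmasq_conf() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" { next }
    /^(interface|listen-address|except-interface)=/ { scoped = 1 }
    $0 == "local-service" { lsvc = 1 }
    $0 == "no-resolv"     { noresolv = 1 }
    /^server=/            { upstream = 1 }
    END {
        if (scoped)    print "scoped-to-listed-interfaces"
        else if (lsvc) print "local-subnets-only"
        else           print "all-interfaces"
        # no-resolv stops dnsmasq reading /etc/resolv.conf; without any
        # server= line there is then nowhere to forward queries to.
        if (noresolv && !upstream) print "no-upstream"
        else                       print "has-upstream"
    }'
}

# Constructed sample: the single-option change described in post #5.
conf_post5='no-resolv'
# Constructed sample: keep forwarding, serve only loopback and a bridge.
# The interface name docker0 is an assumption about the container setup.
conf_scoped='interface=lo
interface=docker0
bind-interfaces   # bind only the listed interfaces'

printf '%s\n' "$conf_post5"  | audit_dnsmasq_conf
printf '%s\n' "$conf_scoped" | audit_dnsmasq_conf
```

A `no-upstream` verdict means the resolver fails for internal clients and containers as well as for outsiders, while a scoped listener keeps forwarding for the interfaces it names.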


#6 Post by Aki »

Hello,
818erm9x1 wrote: 2024-03-19 06:24 Thank you again! Your last answer was very useful. With netstat, I noticed that the DNS server was dnsmasq. Then, I added `no-resolv` to the configuration as described on https://serverfault.com/a/847856. This also solves the issue.
I'm glad you sorted it out. :)

Please mark the discussion as "solved" by manually adding the text tag "[Solved]" at the beginning of the subject of the first message (after other tags, if any), i.e.:
[Solved] How to disallow DNS servers responding to recursive queries?
Happy Debian !