Bug 746243 - possible vulnerability in named server
possible vulnerability in named server
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: bind (Show other bugs)
14
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Adam Tkac
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-14 09:55 EDT by Domingo Becker
Modified: 2013-04-30 19:50 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-26 07:17:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Domingo Becker 2011-10-14 09:55:26 EDT
Description of problem:
I'm receiving frequent attacks to a named server at port 53.
The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
The problem is that I don't know if this is a problem with my configuration file or a vulnerability of bind package.

The named.conf file have been generated with system-config-bind. 
The contents of /etc/named.conf excluding the zones are:

<named.conf> 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	recursion no;
	allow-recursion {192.168.1.0/24;};
	allow-query { any; };

listen-on port 53 {
	127.0.0.1;
	10.0.0.3;
        192.168.1.2;
};


	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	
	dnssec-enable yes;
	dnssec-validation yes;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

</named.conf> 

Am I doing something wrong with the configuration or there's a new vulnerability that needs consideration?

What I'm actually doing to resolve this issue is blocking the networks where the attacks come from. So far, I'm blocking the following networks with iptables:
-I INPUT -p tcp -s 201.20.35.12/29 -j DROP
-I INPUT -p udp -s 201.20.35.12/29 -j DROP
-I INPUT -p tcp -s 174.36.27.8/29 -j DROP
-I INPUT -p udp -s 174.36.27.8/29 -j DROP
-I INPUT -p tcp -s 201.20.35.32/29 -j DROP
-I INPUT -p udp -s 201.20.35.32/29 -j DROP
-I INPUT -p tcp -s 201.20.35.16/29 -j DROP
-I INPUT -p udp -s 201.20.35.16/29 -j DROP
-I INPUT -p tcp -s 201.20.34.96/29 -j DROP
-I INPUT -p udp -s 201.20.34.96/29 -j DROP
-I INPUT -p tcp -s 201.41.210.88/29 -j DROP
-I INPUT -p udp -s 201.41.210.88/29 -j DROP

Would you help me to find out what I'm doing wrong with my named configuration?
Comment 1 Adam Tkac 2011-10-24 10:10:20 EDT
(In reply to comment #0)
> Description of problem:
> I'm receiving frequent attacks to a named server at port 53.
> The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> The problem is that I don't know if this is a problem with my configuration
> file or a vulnerability of bind package.

Not sure if this is an attack but it might be - such traffic usually indicates that someone asks for the root hints (i.e. query for the "." NS records) and your server returns them.

> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
> 
> options {
>  recursion no;
>  allow-recursion {192.168.1.0/24;};
>  allow-query { any; };
> 
> listen-on port 53 {
>  127.0.0.1;
>  10.0.0.3;
>         192.168.1.2;
> };
> 
> 
>  listen-on-v6 port 53 { ::1; };
>  directory  "/var/named";
>  dump-file  "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
> 
>  dnssec-enable yes;
>  dnssec-validation yes;
> dnssec-lookaside auto;
> bindkeys-file "/etc/named.iscdlv.key";
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> </named.conf> 
> 
> Am I doing something wrong with the configuration or there's a new
> vulnerability that needs consideration?
> 
> What I'm actually doing to resolve this issue is blocking the networks where
> the attacks come from. So far, I'm blocking the following networks with
> iptables:
> -I INPUT -p tcp -s 201.20.35.12/29 -j DROP
> -I INPUT -p udp -s 201.20.35.12/29 -j DROP
> -I INPUT -p tcp -s 174.36.27.8/29 -j DROP
> -I INPUT -p udp -s 174.36.27.8/29 -j DROP
> -I INPUT -p tcp -s 201.20.35.32/29 -j DROP
> -I INPUT -p udp -s 201.20.35.32/29 -j DROP
> -I INPUT -p tcp -s 201.20.35.16/29 -j DROP
> -I INPUT -p udp -s 201.20.35.16/29 -j DROP
> -I INPUT -p tcp -s 201.20.34.96/29 -j DROP
> -I INPUT -p udp -s 201.20.34.96/29 -j DROP
> -I INPUT -p tcp -s 201.41.210.88/29 -j DROP
> -I INPUT -p udp -s 201.41.210.88/29 -j DROP
> 
> Would you help me to find out what I'm doing wrong with my named configuration?

Can you please substitute "allow-recursion" directive by "allow-query-cache" and report if the traffic is still unbalanced? The "allow-recursion" doesn't prevent the "root hints" attack written above.

However your current solution (packets are dropped directly on firewall) is the best in case some network attacks your servers.
Comment 2 Domingo Becker 2011-10-24 10:37:55 EDT
(In reply to comment #1)
> (In reply to comment #0)
> > Description of problem:
> > I'm receiving frequent attacks to a named server at port 53.
> > The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> > The problem is that I don't know if this is a problem with my configuration
> > file or a vulnerability of bind package.
> 
> Not sure if this is an attack but it might be - such traffic usually indicates
> that someone asks for the root hints (i.e. query for the "." NS records) and
> your server returns them.
> 

I captured some packages with wireshark and it looks like a flooding attack. The dns query was nul and the response from my server was invalid query, and that was going on at a very high speed.

The attacks ceased now. If it comes back again, I will submit some sniffs using wireshark.

> 
> Can you please substitute "allow-recursion" directive by "allow-query-cache"
> and report if the traffic is still unbalanced? The "allow-recursion" doesn't
> prevent the "root hints" attack written above.
> 

I will do this change and let you know what happens as soon as new a attack comes.

thanks and kind regards
Comment 3 Adam Tkac 2011-10-24 10:44:15 EDT
(In reply to comment #2)
> (In reply to comment #1)
> > (In reply to comment #0)
> > > Description of problem:
> > > I'm receiving frequent attacks to a named server at port 53.
> > > The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> > > The problem is that I don't know if this is a problem with my configuration
> > > file or a vulnerability of bind package.
> > 
> > Not sure if this is an attack but it might be - such traffic usually indicates
> > that someone asks for the root hints (i.e. query for the "." NS records) and
> > your server returns them.
> > 
> 
> I captured some packages with wireshark and it looks like a flooding attack.
> The dns query was nul and the response from my server was invalid query, and
> that was going on at a very high speed.
> 
> The attacks ceased now. If it comes back again, I will submit some sniffs using
> wireshark.
> 
> > 
> > Can you please substitute "allow-recursion" directive by "allow-query-cache"
> > and report if the traffic is still unbalanced? The "allow-recursion" doesn't
> > prevent the "root hints" attack written above.
> > 
> 
> I will do this change and let you know what happens as soon as new a attack
> comes.

This won't help if packets were NULL queries. The firewall DROP rules are appropriate in this case (and more efficient than BIND's blackhole {} directive)
Comment 4 Adam Tkac 2011-10-26 07:17:54 EDT
I'm closing this ticket because there is nothing which can be fixed in the bind pkg. Feel free to reopen it if you have any question.

Note You need to log in before you can comment on or make changes to this bug.