From time to time, I need to test a remote system to determine whether or not its DNS service allows for recursive DNS requests - typically in response to a DNS server being reported for participating in a
DNS Amplification/Recursive/Reflector DDoS attack. For further technical information on DNS Amplification attacks, please visit http://www.securiteam.com/securityreviews/5GP0L00I0W.html.
Using Nmap and one of the pre-built Nmap Scripting Engine (NSE) scripts by Felix Groebert, we can test whether or not a host running DNS will allow for a “non-authorized” recursive query from the Internet. For testing, you’ll want to specify the script (--script=dns-recursion) as well as limit the port to the DNS service port, UDP 53, you are testing (-sU –p53).
In the following example, we use Nmap to test whether or not the remote DNS server at 216.146.35.113 allows for recursion.
C:\>nmap 216.146.35.113 --script=dns-recursion -sU -p53
Starting Nmap 5.21 (http://nmap.org ) at 2010-03-10 18:31 Eastern Standard Time
NSE: Script Scanning completed.
Nmap scan report for 216.146.35.113 (216.146.35.113)
Host is up (0.00s latency).
PORT STATE SERVICE
53/udp open|filtered domain
|_dns-recursion: Recursion appears to be enabled
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
Based on the Nmap output above, we are told that “Recursion appears to be enabled” on the remote server.
Using Wireshark, we can view the “quite interesting” packets generated by a DNS Recursion scan performed by Nmap against a DNS server that is advertised on the Internet to allow recursive lookups.
In the sample above (our traffic of interest starts with Packet #3), we can see:
Packet #3: Our first packet from our test system to the target DNS server is an Echo ping request to determine if the remote server replies. Reply seen in Packet #7.
Packet #4: Nmap sends a SYN packet to TCP 443.
Packet #5: Nmap sends an ACK packet to TCP 80.
Packet #6: Nmap sends ICMP Timestamp request.
Packet #7: ICMP Echo Reply received from target host (in response to Packet #3)
Packet #8: Nmap perfoms a reverse DNS lookup using its own DNS server (4.2.2.2).
Packet #9: ICMP Timestap reply to Packet #6 from target host.
Packet #10: External DNS host replies with answer for reverse DNS lookup in Packet #8.
Packet #11: Nmap submits “Server status request”.
Packet #12: Target host ‘rejects’ the “Server status request” from Packet #11.
Packet #13: ICMP ‘Destination Unreachable’ (Type 3, Code 3) message.
Packet #14: Nmap submits a DNS query for www.wikipedia.org to the DNS server.
Packet #15: Nmap receives the successful DNS query reponse for www.wikipedia.org indicating the target host allows for recusive DNS lookups.
REMEMBER – While Port UDP 53 is used to perform DNS resolution, DNS Port TCP 53 is used by DNS servers to exchange records by performing zone transfers. If you use a default Nmap scan without specifying UDP 53, Nmap will perform a default scan of the most common 1,000 TCP ports. With no UDP ports or DNS service to test, there are no results from the script other than the default Nmap output.
C:\>nmap x.x.x.x --script=dns-recursion
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-10 18:31 Eastern Standard Time
Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.00081s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
139/tcp closed netbios-ssn
443/tcp open https
3389/tcp open ms-term-serv
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
Locking Down your DNS ServicesKeep in mind, your internal DNS server should only be available to your internal hosts. If you do need to host a DNS server on the Internet for outside parties to find your publicly available resources (such as if you were a web hosting company), then make sure to disable your DNS server’s recursive functionality.
A few personal favorites:
