ICANN’s DNS Security Advice
May 13, 2013 – ICANN published an article in early April about DDoS attacks. In light of all the
attacks that have been happening lately, we thought we would bring ICANN's suggestions
to the forefront once again. That article centered on DNS-based DDoS attacks.
Most people are concerned about layer 3 and 4 attacks, but there has been a steadily
increasing number of attacks focused on layer 7, which is where the DNS
infrastructure resides. Before we jump into how to secure your DNS, we want to touch on
an advisory published by ICANN's Security and Stability Advisory Committee.
Titled "SAC008," this advisory suggests that private organizations, service operators
and governments consider the SAC008 recommendations to adopt source IP address
verification. Attackers typically spoof IP addresses when launching attacks, which makes
it extremely difficult to find the true source address of the attack and therefore to know
where it is coming from. It is highly suggested that access service providers and
corporations apply network ingress filtering to prevent spoofing. This is
described in SAC004 and recommended by the Internet IAB in BCP038.
When traffic is blocked as close as possible to the source, it relieves ISPs from
forwarding malicious traffic. In this situation, everyone benefits (except the attacker).
Regarding your DNS servers…
On your authoritative servers, disabling open recursion from external sources is highly
recommended. Only accept DNS traffic from trusted sources in order to reduce amplification
vectors for DNS-based attacks.
What is "open recursion?" If it is enabled on a server, that server will accept both authoritative
and recursive queries from any IP address on the internet. Attackers exploit such servers
when launching their DDoS and amplification attacks.
US-CERT Alert TA13-088A recommends that all DNS operators disable recursion on authoritative
servers, limit recursion to authorized clients, and rate limit responses to recursive servers.
How do you know if your servers have open recursion?
Alert TA13-088A describes how organizations can test whether any of their name
servers are open resolvers, and lists sources that describe how to do so for major operating
systems and DNS software. Microsoft servers are the only ones not listed.
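To put that open-resolver check into practice, here is an added example in Python (not from the ICANN or US-CERT text): it builds a DNS query with the RD bit set, sends it to one of your own authoritative servers, and classifies the reply by its RA flag, RCODE and answer count. The server address, the probe name example.com and the sample replies at the bottom are assumptions constructed for illustration.

```python
import socket
import struct

# Header flag bits used below: RD (recursion desired) 0x0100, RA (recursion
# available) 0x0080; the low four bits carry RCODE (0 = NOERROR, 5 = REFUSED).
RD, RA, RCODE_MASK = 0x0100, 0x0080, 0x000F

def build_query(name, txid=0x1234):
    """Build a wire-format A/IN query for `name` with RD set, i.e. asking to recurse."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)  # QR=0, RD=1, one question
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp):
    """Classify a reply from its 12-byte header alone:
    'open-recursion'     RA set, NOERROR, records returned for a name the server is
                         not authoritative for: it resolved it for an outside client.
    'recursion-offered'  RA set but no data returned (worth a closer look).
    'refused'            RCODE=5, what a server that restricts recursion replies.
    'recursion-disabled' RA clear and no data: recursion is off, as TA13-088A advises.
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra, rcode = bool(flags & RA), flags & RCODE_MASK
    if ra and rcode == 0 and ancount > 0:
        return "open-recursion"
    if ra:
        return "recursion-offered"
    if rcode == 5:
        return "refused"
    return "recursion-disabled"

def probe(server, name="example.com", timeout=2.0):
    """Send the query over UDP/53 to one of your own name servers and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(resp)

# Constructed sample replies (not captured from any real server), headers only:
# 0x8180 = QR|RD|RA, NOERROR, one answer record; 0x8105 = QR|RD, REFUSED, no answer.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
```

Probe a name your server is not authoritative for; a result of "open-recursion" on an authoritative server is exactly the condition the advisory asks you to remove.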