The Community Forums

Interact with an entire community of cPanel & WHM users!

DNS amplification problem picked up by PCI scanner

Discussion in 'Security' started by jerkynet, Nov 23, 2009.

  1. jerkynet

    jerkynet Member

    Just came across this thread in a search, currently searching for a solution for a DNS amplification problem picked up by PCI scanner....fix seems simple enough, but need internal/external views.....from what I see, if I edit my named.conf file, adding as example:
    acl "trusted" {
        my ip;
        my other ip;
        localhost;
    };
    options {
        allow-query { trusted; };
        allow-recursion { trusted; };
    };

    Fixes the amplification problem, but stops any outside host from getting lookups on domains we are authoritative for.....
    Adding the following (FOR EVERY ZONE entry in named.conf file) fixes it, but would I have to edit again after adding another domain? (best guess....?)

    zone "mydomain.com" {
    type master;
    file "/var/named/mydomain.com.db";
    allow-query { any; };
    };

    This fix for problem from:
    DNS Amplification Variation Used in Recent DDos Attacks - Research - SecureWorks

    test for problem here:
    dig . NS @yournameserver

    if the dig returns the following, your server is a FAIL:
    ==========
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18746
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

    ;; QUESTION SECTION:
    ;. IN NS

    ;; ANSWER SECTION:
    . 517839 IN NS C.ROOT-SERVERS.NET.
    . 517839 IN NS D.ROOT-SERVERS.NET.
    . 517839 IN NS E.ROOT-SERVERS.NET.
    . 517839 IN NS F.ROOT-SERVERS.NET.
    . 517839 IN NS G.ROOT-SERVERS.NET.
    . 517839 IN NS H.ROOT-SERVERS.NET.
    . 517839 IN NS I.ROOT-SERVERS.NET.
    . 517839 IN NS J.ROOT-SERVERS.NET.
    . 517839 IN NS K.ROOT-SERVERS.NET.
    . 517839 IN NS L.ROOT-SERVERS.NET.
    . 517839 IN NS M.ROOT-SERVERS.NET.
    . 517839 IN NS A.ROOT-SERVERS.NET.
    . 517839 IN NS B.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    A.ROOT-SERVERS.NET. 604239 IN A 198.41.0.4
    A.ROOT-SERVERS.NET. 604239 IN AAAA 2001:503:ba3e::2:30
    B.ROOT-SERVERS.NET. 604239 IN A 192.228.79.201
    C.ROOT-SERVERS.NET. 604239 IN A 192.33.4.12
    D.ROOT-SERVERS.NET. 604239 IN A 128.8.10.90
    E.ROOT-SERVERS.NET. 604239 IN A 192.203.230.10
    F.ROOT-SERVERS.NET. 604239 IN A 192.5.5.241
    F.ROOT-SERVERS.NET. 604239 IN AAAA 2001:500:2f::f
    G.ROOT-SERVERS.NET. 604239 IN A 192.112.36.4
    H.ROOT-SERVERS.NET. 604239 IN A 128.63.2.53
    H.ROOT-SERVERS.NET. 604239 IN AAAA 2001:500:1::803f:235
    I.ROOT-SERVERS.NET. 604239 IN A 192.36.148.17
    J.ROOT-SERVERS.NET. 604239 IN A 192.58.128.30
    J.ROOT-SERVERS.NET. 604239 IN AAAA 2001:503:c27::2:30

    Anybody run into this yet? Maybe I am over thinking the problem?
    With my current fix above we are solved, i.e. good result:
    ========
    ; <<>> DiG 9.2.4 <<>> . NS @38.113.114.131
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED id: 1035
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;. IN NS
    =========

    question is how do we do this and not lose my edits?
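The test in the post above (dig . NS @yournameserver) can be scripted so the result is not eyeballed. The following is an added example, not code from the thread or from cPanel: a POSIX sh function that reads dig output and classifies it from the header status and the "ra" (recursion available) flag. Three outcomes matter here: NOERROR with "ra" set means the server offered recursion to the client, which is the real finding; REFUSED is the "good result" shown above; NOERROR without "ra" is the root-hint list answered without recursing, which some scanners still flag even though no recursion is offered. The samples are constructed to match the two dig outputs in the post, and check_nameserver is assumed to run against a host you administer. On the configuration question: the per-zone allow-query { any; } edit is only needed because allow-query in options was set to trusted; putting allow-query { any; }; in options together with allow-recursion { trusted; }; keeps zones answerable by anyone while recursion stays limited to the ACL, so new zones need no extra edit.

```shell
#!/bin/sh
# Added example (not from the thread): classify the output of
#   dig . NS @yournameserver
# Verdicts printed on stdout:
#   OPEN          status NOERROR and the "ra" flag set: recursion offered to us
#   REFUSED       status REFUSED: the query itself is refused for us
#   NONRECURSIVE  NOERROR but no "ra" flag: answered from root hints, no recursion
#   UNKNOWN       no dig header line found in the input

classify_dig_output() {
    status=""
    flags=""
    while IFS= read -r line; do
        case "$line" in
            *'->>HEADER<<-'*)
                # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18746"
                # also matches "status: REFUSED id: 1035" (no comma after status)
                status=$(printf '%s\n' "$line" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
                ;;
            ';; flags:'*)
                # e.g. ";; flags: qr rd ra; QUERY: 1, ANSWER: 13, ..."
                flags=$(printf '%s\n' "$line" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
                ;;
        esac
    done
    case "$status" in
        '')       echo UNKNOWN ;;
        REFUSED)  echo REFUSED ;;
        NOERROR)
            # "ra" set means the server is willing to recurse for this client
            case " $flags " in
                *' ra '*) echo OPEN ;;
                *)        echo NONRECURSIVE ;;
            esac
            ;;
        *)        echo "$status" ;;
    esac
}

# Live check against a server you administer (assumed usage, not run here):
# prints the verdict and exits non-zero when recursion is open.
check_nameserver() {
    verdict=$(dig . NS "@$1" | classify_dig_output)
    echo "$1: $verdict"
    [ "$verdict" != OPEN ]
}

# Constructed samples modelled on the two dig headers quoted in the post.
sample_open=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18746
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
EOF
)
sample_refused=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED id: 1035
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
EOF
)
# Constructed: the root-hint answer given with recursion disabled.
sample_nonrecursive=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
EOF
)

for s in "$sample_open" "$sample_refused" "$sample_nonrecursive"; do
    printf '%s\n' "$s" | classify_dig_output
done
```

Run it as a cron job with check_nameserver against each of your own name servers and alert on a non-zero exit; a NONRECURSIVE verdict is the case the later replies call a false positive, and the dig output is what to hand the scanning vendor when disputing it.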
     
  2. mtbwacko

    mtbwacko Well-Known Member

    I know this is an old post, but it seems like anyone can solve this problem by adding the following line to the options section of their named.conf file:

    recursion no;

    At least it worked for me!

    Greg
     
  3. mtbwacko

    mtbwacko Well-Known Member

    Actually, just got new PCI scan results and it turns out it DIDn't work, still failing. :-(
     
  4. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    This really should be marked as a false positive. As long as you have recursion disabled for 3rd parties, you should be able to submit this to your pci scanner. If they are still complaining about returning the root list of nameservers, they can generally provide a solution.
     
  5. trevormc

    trevormc Registered

    Well thanks, that fixed my problem :)
     