DNS Amplification Attack – How to Prevent

domain-name-systemwindows-server-2008

I have a windows 2008 server, which run a dns server for webs sites run on this server. I have report that our server used for an DNS Amplification Attack.
in logs I see many queries bout isc.org.
How can setup my windows dns server to only response to query about local sites?
I remove all root hints, and forwards, but still it received and response to query about isc.org

Best Answer

OK - first things first: Either firewall your server so people outside your organization can't access it, or disable recursion:

Open DNS Manager.

In the console tree, right-click the applicable DNS server, then click Properties.

Click the Advanced tab.

In Server options, select the Disable recursion check box, and then click OK.

(Chris posted a handy picture of the page and the option you want to enable)
Do this now.

Now that you are no longer actively breaking the internet you can read about DNS amplification attacks, how they happen, why they're bad, and some of the things you can do to prevent being a pawn in them.
You may also want to read this Technet article about DNSSEC and DNS Amplification attacks which includes some informative references.

You can then determine how best to prevent your server from being used in such attacks.
Typically you will do this by only answering recursive queries for a known group of hosts (your internal machines), but other options exist as well.

Related Solutions

DNS Server Spoofed Request Amplification DDoS – Prevention

If the name server is only authoritative (i.e. it's not also providing recursive service for your network), simply remove the "root hints" section from /etc/named.conf.

This typically looks something like this:

zone "." IN {
        type hint;
        file "named.ca";
};

Authoritative servers don't need this zone.

Doing this should result in the server returning REFUSED rather than a copy of the root name servers to external clients.

Also, as your server is authoritative only you should add:

recursion no;

in the main configuration block.

How to permanently remove default root hints from a Server 2008 DNS server

Permanently deleting root hints from a Microsoft DNS server is not supported, however, if you want to remove them, you can. Before you continue down this path, please have a full backup of your servers and be prepared for unintentional outages.

The root hints must be removed from 3 different places, the Root Hints tab in the server properties, the cache.dns file in C:\Windows\System32\dns, and the System Folder in ADUC. Remove them in the following order.

To remove them from the cache.dns folder, edit the file C:\Windows\System32\dns\cache.dns and either comment out, or delete everything in the file. I highly recommend backing up this file before you start.

To remove the objects from AD, open ADUC and click on View>Advanced Features. Under the root of your domain, expand System>MicrosoftDNS>RootDNSServers, delete all of the dnsNode objects.

To remove the objects from the DNS server properties, launch DNS Manager, right click on the server and select properties. Click on the root hints tab, and remove the servers.

A much better way to forgo the use of root hints is to just uncheck the Use root hints if no forwarders are available check box on the forwarders tab and use forwarders instead.

Best Answer

Related Solutions

DNS Server Spoofed Request Amplification DDoS – Prevention

How to permanently remove default root hints from a Server 2008 DNS server

Related Topic