We are undergoing PCI Compliance checks and our external nameservers (all Windows Server 2008 R2) have been hit by Nessus Plugin ID: 35450 (verbiage below). Although this is a low severity hit, I see DDoS in the title and I freak.

Plugin ID: 35450 Name: DNS Server Spoofed Request Amplification DDoS Synopsis: The remote DNS server could be used in a distributed denial of service attack. Plugin Output: The DNS query was 17 bytes long, the answer is 449 bytes long.

I googled the heck out of this to no avail. Please respond if you have any suggestions.

I did find ways to test (below) but no luck on any mitigation steps...

On Linux: dig . NS @
[example: dig . NS @192.168.1.1]

Or on the web: http://isc1.sans.org/dnstest.html

DumbCoder
hexLax

1 Answer

You need to configure your DNS server to issue "REFUSED" in response to queries for the root hints (i.e. dig . NS) instead of returning the current list of root name servers.

Not being familiar with that particular DNS software, I can't advise on how to do that.

Note that this Nessus test does not imply a weakness in your own network security - you cannot suffer a network breach because of this.

Instead it means that people may send spoofed queries to your server whose replies can then be used as part of a DDoS against someone else. See RFC 5358.

Mark Amery
Alnitak
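As an added example (not from the question or the answer above), the following Python script reproduces the Nessus check against a nameserver you operate: it builds the exact 17-byte ". NS" query the plugin output refers to, reads the RCODE of the reply to see whether the server now answers REFUSED as the answer recommends, and reports the amplification ratio. The two sample replies embedded in it are constructed (not real captures); the 449-byte one only mirrors the size from the plugin output, and `probe()` is the only part that touches the network.

```python
import socket
import struct

QTYPE_NS, QCLASS_IN = 2, 1
RCODE_REFUSED = 5  # the response code the answer says a fixed server should return


def build_root_ns_query(txid=0x1234):
    """Build the same query Nessus (and 'dig . NS') sends: root name, type NS, class IN.
    12-byte header + 1-byte root name (a single empty label) + QTYPE (2) + QCLASS (2) = 17 bytes,
    which matches the "query was 17 bytes long" line in the plugin output."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD set
    return header + b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_response(query, response):
    """Summarise a reply: RCODE, whether it was REFUSED, answer count and size amplification."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "refused": rcode == RCODE_REFUSED,
        "answers": an,
        "amplification": len(response) / len(query),
    }


def probe(server, port=53, timeout=3.0):
    """Send the query to a nameserver you operate and evaluate its reply (network call)."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(query, data)


# Constructed sample 1: a REFUSED reply (flags 0x8185 = QR|RD|RA, RCODE 5) echoing the question.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                  + b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN))

# Constructed sample 2: a 449-byte reply with 13 answers (flags 0x8180 = QR|RD|RA, RCODE 0).
# The zero bytes stand in for the NS/glue records; the parser only needs the header and length.
SAMPLE_AMPLIFIED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 13, 0, 0)
                    + b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
                    + b"\x00" * (449 - 17))

if __name__ == "__main__":
    q = build_root_ns_query()
    print("query bytes:", len(q))
    print("refused sample:", parse_response(q, SAMPLE_REFUSED))
    print("amplifying sample:", parse_response(q, SAMPLE_AMPLIFIED))
```

A server that has been fixed as the answer describes yields `refused: True` and an amplification of 1.0 on the first line of `probe()` output; a ratio well above 1 with `refused: False` is what Nessus flags.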