[dns-operations] open resolver versio.bind responses

Paul Wouters paul at cypherpunks.ca
Thu Apr 18 16:03:08 UTC 2013


On Thu, 18 Apr 2013, Graham Beneke wrote:

> The number of times that DNSmasq is listed near the top is consistent
> with some of the recent DoS incidents that I've seen on my network. It
> seems that a number of CPE vendors have DNSmasq running without any kind
> ACL.
>
> What happened during the incidents I found quite interesting though:
>
> The CPEs were obviously identified as open resolvers and spoofed packets
> sent towards them. DNSmasq is however a pure forwarder and doesn't cache
> so instead of sourcing lots of traffic for the attacker the CPE ends up
> DoSing itself. DNSmasq hits an upstream resolver with every query it
> receives and then saturates the downstream link with the garbage
> responses. A combination of this and the fact many end user connections
> are async means that the end user experiences huge congestion while not
> contributing significantly to the attack traffic.
>
> Thus - not much use to an attacker but much higher collateral damage.

Actually, this is exactly what happened to one of my systems. In this
case, dnsmasq got exposed by a name space conflict on the "virbr0"
bridge device with libvirt/virt-manager/kvm on my public IP. And indeed,
I observed the ANY requests hitting dnsmasq, and then getting forwarded
to my unbound instance for the answer to go back and forward out again
over my DSL.

However, this was done at about 10 packets/second only. So it had
actually been running for quite some time before I noticed itat all. It
caused no bandwidth issues. In fact, I noticed it only when I was
looking at the unbound instance and seeing the ANY isc.org queries.

So those who manually use virbrX devices on RHEL/Fedora with an
ifcfg-virbrX config file, and then run KVM/libvirtd, rename your
bridge to "brX" or something to avoid this.

Paul



More information about the dns-operations mailing list