Aug 08 2014
When you visit a website on the Internet, the computer you use will find the address of the site using a system called DNS. If you are using your home computer to browse the internet, it will request each website address from your Internet Service Provider (ISP).

Dedicated and Virtual Servers are set up to search for this DNS information themselves. This is perfectly normal and is a commonly used feature for office or cloud networks.

There are two types of DNS queries that can be made to your server, which are as follows:

  • Recursive requests: With these requests your server will first try to find the name in question in its local cache. If it cannot find an answer it will query other DNS servers on your behalf until it obtains the address, and then respond to the original request with the answer it collected.
  • Iterative requests: With these requests the DNS server will also try to find the name in question in its local cache. If it cannot find an answer it will not ask other DNS servers, but will reply to the original request with a single “I don’t know, but you could try asking this server” message.

Why are recursive DNS requests not recommended?

Servers that support this type of request are vulnerable to fake requests sent from a spoofed IP address (the victim of the attack). The spoofed address can then be overwhelmed by the volume of DNS responses it receives and become unable to serve regular Internet traffic. This is called an amplification attack, because the method takes advantage of DNS servers to reflect the traffic onto a target while also amplifying the volume of packets sent to the victim. A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.

What happens if I turn off recursive DNS lookups on my server?

If your server does not allow recursive DNS lookups, it will simply treat any such requests as an iterative DNS enquiry. It will continue to act as a DNS server, but will no longer be useful to attackers as part of an amplified attack on a victim.

To turn recursion off on your server, log in to Plesk and go to
Tools & Settings -> DNS Template Settings -> DNS Recursion
then set the option to ‘localhost’ and click ‘OK’.

This will turn off DNS recursion for the server.

There is a command-line alternative, but Plesk may not like it, so use at your own risk:

    perl -pi -e 's/recursion yes/recursion no/g' /etc/named.conf; service named restart
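To make the difference between the two query types and the three recursion settings above (open to anyone, localhost only, off) concrete, here is a toy DNS server policy in Python. It is an added example, not code from the post or from Plesk or BIND: it builds a real RFC 1035 query packet, reads the RD (recursion desired) bit the client sets, and decides whether to answer from its own zone, recurse on the client's behalf, or refuse. The zone, the client addresses and the response shape are constructed assumptions; in particular the refusal is modelled as rcode REFUSED with the RA (recursion available) bit cleared, which is how BIND 9 answers an off-zone recursive query it will not recurse for, whereas the referral message the post describes is the older iterative-style reply. No network traffic is sent.

```python
import struct

# Constructed data for this example (assumptions, not from the post): one
# zone the toy server is authoritative for, and a documentation-range address
# standing in for an arbitrary Internet client.
LOCAL_ZONE = {"www.example.test.": "192.0.2.10"}
INTERNET_CLIENT = "203.0.113.7"

# Header bits and response codes from RFC 1035.
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_NOERROR, RCODE_REFUSED = 0, 5

# Three recursion policies, mirroring the settings discussed in the post.
OPEN = None                             # recurse for anyone: an open resolver
LOCALHOST_ONLY = {"127.0.0.1", "::1"}   # Plesk "DNS Recursion -> localhost"
OFF = frozenset()                       # named.conf "recursion no"


def encode_name(name):
    """Encode a dotted name as DNS labels: 3www7example4test0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, recursion_desired=True):
    """Build a minimal A/IN query as a stub resolver would send it."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_query(pkt):
    """Return (id, recursion_desired, qname) from a query packet."""
    qid, flags, *_ = struct.unpack("!HHHHHH", pkt[:12])
    labels, pos = [], 12
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return qid, bool(flags & FLAG_RD), ".".join(labels) + "."


def handle_query(pkt, client_ip, allow_recursion):
    """Apply the recursion policy and return the response decision.

    allow_recursion: None (recurse for anyone), a set of client addresses,
    or an empty set (recursion off). Returns a dict with the action taken,
    the response code, the RA/AA bits and the 12-byte response header.
    """
    qid, rd, qname = parse_query(pkt)
    offers_recursion = allow_recursion is None or client_ip in allow_recursion
    flags = FLAG_QR | (FLAG_RD if rd else 0) | (FLAG_RA if offers_recursion else 0)

    if qname in LOCAL_ZONE:
        # Our own zone: answered from local data whatever the recursion policy.
        action, flags, rcode = "authoritative", flags | FLAG_AA, RCODE_NOERROR
    elif rd and offers_recursion:
        # Recursive lookup on the client's behalf (the upstream fetch itself is
        # left out of this toy; only the decision matters here).
        action, rcode = "recursed", RCODE_NOERROR
    else:
        # Not our zone and we will not recurse for this client. The reply is a
        # header-sized REFUSED with RA clear, so an off-zone query from an
        # arbitrary address yields a tiny response rather than an amplified one.
        action, rcode = "refused", RCODE_REFUSED

    header = struct.pack("!HHHHHH", qid, flags | rcode, 1, 0, 0, 0)
    return {"action": action, "rcode": rcode, "ra": bool(flags & FLAG_RA),
            "aa": bool(flags & FLAG_AA), "header": header}


if __name__ == "__main__":
    off_zone = build_query("www.elsewhere.test.")
    for label, policy in (("open", OPEN), ("localhost", LOCALHOST_ONLY), ("off", OFF)):
        r = handle_query(off_zone, INTERNET_CLIENT, policy)
        print(f"{label:10s} -> {r['action']:13s} rcode={r['rcode']} RA={r['ra']}")
```

Running the block shows the same off-zone query from an Internet address being recursed under the open policy and refused under the other two, while a query for the server's own zone is still answered authoritatively in every case, which is the "continues to act as a DNS server" behaviour described above.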
Posted at 9:10 am