Ubuntu - Networking - DNS - Security - Check if the DNS server responds to "." queries with a full list of root name servers
If your DNS server answers "." NS queries from the Internet with the full list of root name servers, it is behaving as an open resolver and can be abused in DNS amplification DDoS attacks: a small spoofed query produces a much larger response that is sent to the victim.
Test this by issuing:
dig . NS @yournameserver
This should be run from outside of your network to get the "real" picture, since internal clients are usually allowed to recurse.
External Testing
An online tool on isc.sans.org can be used to verify this as well.
Result:
Good. your name server refused the query
Testing 5.42.134.35 (5.42.134.35)
/usr/bin/dig . NS @5.42.134.35

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.8 <<>> . NS @5.42.134.35
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35224
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 141 msec
;; SERVER: 5.42.134.35#53(5.42.134.35)
;; WHEN: Fri Jul 8 10:21:12 2016
;; MSG SIZE  rcvd: 17
Internal Testing
From inside the network it is fine if the query returns a full list of root name servers, because the server is expected to recurse for internal clients.
dig . NS @192.168.1.1
Returns:
; <<>> DiG 9.16.1-Ubuntu <<>> . NS @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13820
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       86057   IN      NS      k.root-servers.net.
.                       86057   IN      NS      j.root-servers.net.
.                       86057   IN      NS      m.root-servers.net.
.                       86057   IN      NS      l.root-servers.net.
.                       86057   IN      NS      g.root-servers.net.
.                       86057   IN      NS      i.root-servers.net.
.                       86057   IN      NS      c.root-servers.net.
.                       86057   IN      NS      h.root-servers.net.
.                       86057   IN      NS      e.root-servers.net.
.                       86057   IN      NS      f.root-servers.net.
.                       86057   IN      NS      b.root-servers.net.
.                       86057   IN      NS      a.root-servers.net.
.                       86057   IN      NS      d.root-servers.net.

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 10 19:24:48 GMT 2021
;; MSG SIZE  rcvd: 239
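To turn the external and internal checks above into something scriptable, here is an added example (not part of the original page) that runs the same dig query and classifies its output by the header status and answer count. The function names and the sample captures are constructed for this example; the samples are trimmed versions of the kind of output shown above.

```sh
#!/bin/sh
# Classify the output of `dig . NS @server` read from stdin:
#   REFUSED  - query refused (what an external test should show)
#   OPEN     - root name servers returned (amplification risk if reachable from outside)
#   NOANSWER - NOERROR but no root NS records in the answer
#   UNKNOWN  - no DiG header at all (timeout, unreachable, not a DNS server)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        '') echo UNKNOWN ;;
        REFUSED) echo REFUSED ;;
        NOERROR)
            if [ "${answers:-0}" -gt 0 ] &&
               printf '%s\n' "$out" | grep -q 'IN[[:space:]]*NS[[:space:]]*[a-m]\.root-servers\.net\.'; then
                echo OPEN
            else
                echo NOANSWER
            fi ;;
        *) echo "$status" ;;
    esac
}

# Run the page's test against one server and classify the result (needs dig and network).
# Run it from outside your network for the external picture, inside for the internal one.
check_root_ns() {
    dig +time=3 +tries=1 . NS "@$1" 2>/dev/null | classify_dig_output
}

# Constructed sample outputs so the classifier can be exercised offline.
sample_refused() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35224
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;.                              IN      NS
EOF
}
sample_open() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13820
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
.                       86057   IN      NS      k.root-servers.net.
.                       86057   IN      NS      a.root-servers.net.
EOF
}
# Usage: check_root_ns 192.168.1.1
```

An external run that prints OPEN means the server should be restricted (recursion and "." NS answers limited to internal addresses) and re-tested.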
ubuntu/networking/dns/security/check_if_the_dns_server_responds_to_._queries_with_a_full_list_of_root_name_servers.txt · Last modified: 2021/01/10 20:45 by peter