Slashdot Mirror


DNS Problem Linked To DDoS Attacks Gets Worse

itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."

10 of 69 comments

  1. For starters by sopssa · Score: 2, Insightful

    Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

    1. Re:For starters by Anonymous Coward · Score: 2, Informative

      One reason is to cut the # of queries coming into the ISP's servers. The modem can be a local cache.

    2. Re:For starters by TheRaven64 · Score: 4, Insightful

      Devices like this should only accept DNS requests from the local network (not from the Internet) and should, unless explicitly configured to perform recursive queries, forward them to the ISP's cache.

      --
      I am TheRaven on Soylent News
  2. is this a problem by hey · Score: 2, Insightful

    Open DNS servers don't seem so bad to me.
    Like an open website -- OMG everyone can access it.

    1. Re:is this a problem by RiotingPacifist · Score: 4, Informative

      1) If there is a flaw in the software, I can tell your DNS server that Slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
      2) I can use up all of your router's resources and then you can't look up any sites yourself

      --
      IranAir Flight 655 never forget!
    2. Re:is this a problem by iLogiK · Score: 2, Insightful

      I'm not sure how the DNS flaw works, but I just thought of something (feel free to mod me down if this is stupid). If you were to target someone specifically that was using a router that supported auto-update, but it didn't update itself with a fix for the vulnerability yet, couldn't you possibly use the DNS flaw to fool it into getting the update from one of your servers? Meaning, you could get the router to do pretty much anything you want, and a router can do a lot of bad stuff.

  3. Trying to make something from nothing. by danwesnor · Score: 2, Insightful

    Yeah, but these devices are designed to name serve on the intranet, not the internet. Mine came with the default to ignore all traffic coming from the outside world.

    1. Re:Trying to make something from nothing. by icebraining · Score: 3, Insightful

      No, they're not, according to the summary: "devices on the Internet that are configured to accept DNS queries from anywhere", "Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states."

      Just because yours is closed by default, doesn't mean all are.

    2. Re:Trying to make something from nothing. by danwesnor · Score: 2, Interesting

      OK, you're right, 1 of 1 is not enough to make an assumption. But of the 5 I've bought over the years from 3 different vendors, all 5 were shipped configured to accept DNS requests from the intranet but block all requests of any type from the internet.

  4. How does one test for this vulnerability? by fragMasterFlash · Score: 2, Interesting

    Several online tools were available to test for vulnerabilities on individual PCs back when Kaminsky discovered the sad state of DNS security. Is there a similar test available for cable modems? How about a list of susceptible devices? I'd rather not put blind faith in my ISP to keep me out of harm's way.
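One way to answer that question for your own gateway, as an added example that is not from the thread or from Infoblox: send a single query with the RD (recursion desired) flag set to the router's WAN address from outside the LAN, then read the RA flag, rcode and answer count in the reply. An open resolver recurses and answers; a correctly closed one returns REFUSED or nothing. The resolver address, the query name and the two sample replies are assumptions constructed for this example.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so a reply can be matched to our query


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a DNS A query for `name` with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data: bytes) -> dict:
    """Pull the header fields that show whether the resolver recursed for us."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}


def classify(hdr: dict) -> str:
    """Name the behaviour: an open resolver recurses and answers; a closed one refuses."""
    if not hdr["qr"] or hdr["txid"] != TXID:
        return "not-our-response"
    if hdr["rcode"] == 5:
        return "refused"         # REFUSED: the device will not recurse for outsiders
    if hdr["ra"] and hdr["answers"] > 0:
        return "open-recursive"  # answered a recursive query from outside its LAN
    return "closed"


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query to resolver_ip:53. Run it from outside the LAN against
    your own gateway's WAN address (address and name are assumptions)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"  # dropped or filtered, which is also the safe outcome
    return classify(parse_header(data))


# Constructed sample replies (not captured traffic) so the parser runs offline.
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_OPEN = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUESTION
               + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")  # A 192.0.2.1
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + QUESTION
```

A reply of "open-recursive" means the device answers recursive queries for anyone on the Internet and should be reconfigured or firewalled to serve only the LAN side; "refused" or "no-response" is the behaviour TheRaven64 describes above.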