Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - DNS queries for InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DNS queries for

Published: 2009-01-18
Last Updated: 2009-01-22 19:48:29 UTC
by Daniel Wesemann (Version: 6)
51 comment(s)

Several folks are reporting odd queries hitting their DNS servers at a steady rate of about two per second.  The queries invariably ask for the name server of the domain "." (NS query for a single dot).   Since "." is a query for the root name servers, it has a very short query packet but a pretty long answer. Our current theory therefore is that this is a denial of service (DoS) attack in progress, where the DNS servers are used as "amplifiers" and unwittingly flood the (spoofed) source by providing a long answer to a system which never asked.

Update 0118 UTC: Correlations of logs and captures submitted by readers suggests that 69.50.142.11 and 76.9.16.171 are the two IPs from which most queries appear to originate... which would mean that these two sites are under a DoS attack.  ISC reader Chris used reverse DNS/passive DNS to determine that both IP addresses seem to be associated with porn sites.

Update 0253 UTC: The NOC of one of the netblocks has confirmed to ISC reader Steven that a DDoS attack is in progress against one of their clients. If you have queries for "." in your DNS log, best verify by use of a sniffer whether your DNS server actually responds and contributes to the DOS.  Normally, an internet-facing authoritative DNS server should not respond to recursive 3rd party queries, but we have received reports that some servers apparently respond to these "." queries even when recursion is disabled.

Update 1150 UTC: Several readers wrote in to comment that the answer to a "." query can come from the root-hints file or from the cache of the server itself. BIND has several options to control this behaviour (additional-from-auth, additional-from-cache, allow-query-cache).

Update 1520 UTC: 76.9.31.42,  69.50.142.110 and a couple more IPs are also being spoofed. Looks like more targets are being added into the fray.

Update 2117 UTC: We now provide an online tool on isc.sans.org that you can use to verify if your DNS server responds to these "." queries with a full list of root name servers and thus potentially contributes to the ongoing DDoS attack.  You can do this test readily on your own by issuing a "dig . NS @yournameserver" command, but since you need to run this from outside of your network to get the "real" picture, we are providing the online tool to help out.

Update: If you're looking for advice on securing your DNS servers, here's are configuration guidelines for BIND (thanks for the pointer, Hal Pomeranz!) and for Microsoft DNS.

Keywords: dns
51 comment(s)
Diary Archives