12/1/2015
Cisco Systems
Source: http://www.cisco.com/web/about/security/intelligence/dnsbcp.html

DNS Best Practices, Network Protections, and Attack Identification
Contents
Overview
What is DNS?
Maliciously Abusing Implementation Flaws in DNS
Protections for Spoofing
Detecting and Preventing DNS Attacks using Cisco Products and Features
DNS Tools and Resources

Overview
This white paper provides information on general best practices, network protections, and attack identification techniques that operators and administrators can use for implementations of the Domain Name System (DNS) protocol.

What is DNS?
DNS is a globally distributed, scalable, hierarchical, and dynamic database that provides a mapping between hostnames, IP addresses (both IPv4 and IPv6), text records, mail exchange information (MX records), name server information (NS records), and security key information defined in Resource Records (RRs). The information defined in RRs is grouped into zones and maintained locally on a DNS server so it can be retrieved globally through the distributed DNS architecture. DNS can use either the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) and historically uses a destination port of 53. When the DNS protocol uses UDP as the transport, it has to handle retransmission and sequencing itself, because UDP provides neither.
DNS is composed of a hierarchical domain name space that contains a tree-like data structure of linked domain names (nodes). The domain name space uses Resource Records (RRs), which may or may not exist, to store information about the domain. The tree-like data structure for the domain name space starts at the root zone ".", which is the topmost level of the DNS hierarchy. Although it is not typically displayed in user applications, the DNS root is represented as a trailing dot in a fully qualified domain name (FQDN). For example, the rightmost dot in "www.cisco.com." represents the root zone. From the root zone, the DNS hierarchy is then split into sub-domain (branch) zones.
Each domain name is composed of one or more labels. Labels are separated with "." and may contain a maximum of 63 characters. A FQDN may contain a maximum of 255 characters, including the ".". Labels are constructed from right to left, where the label at the far right is the top-level domain (TLD) for the domain name. The following example shows how to identify the TLD for a domain name: com is the TLD for www.cisco.com as it is the label furthest to the right.
Domain Name Space
The following diagram illustrates a sample of the Domain Name System hierarchy starting from the root ".". Everything below the ".org" domain name space is in the org domain and everything below the ".cisco.com" domain name space is in the cisco.com domain.
Figure 1. Domain Name Space
The DNS protocol specification and implementation was originally defined in RFC 882 and RFC 883. These RFCs were made obsolete by RFC 1034 and RFC 1035 and have been updated by multiple RFCs over the years.
Important DNS Terminology
To understand DNS and the DNS-specific recommendations in this document, it is important that operators and administrators are familiar with the following terms:
Resolver: A DNS client that sends DNS messages to obtain information about the requested domain name space.
Recursion: The action taken when a DNS server is asked to query on behalf of a DNS resolver.
Authoritative Server: A DNS server that responds to query messages with information stored in RRs for a domain name space stored on the server.
Recursive Resolver: A DNS server that recursively queries for the information asked for in the DNS query.
FQDN: A Fully Qualified Domain Name is the absolute name of a device within the distributed DNS database.
RR: A Resource Record is a format used in DNS messages that is composed of the following fields: NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.
Zone: A database that contains information about the domain name space stored on an authoritative server.
Primary Function of DNS
DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. This translation process is accomplished by a DNS resolver (this could be a client application such as a web browser or an email client, or a DNS application such as BIND) sending a DNS query to a DNS server requesting the information defined in a RR. Some examples of the DNS resolution process follow:
If the DNS server is only configured as an authoritative server and it receives a DNS query message asking about information for which the server is authoritative, the server inspects locally stored RR information and returns the value of the record in the 'Answer Section' of a DNS response message. If the requested information for the DNS query message does not exist, the DNS server will respond with a NXDOMAIN (Non-Existent Domain) DNS response message or a DNS Referral Response message.
If the DNS server is authoritative, not configured as a recursive resolver, and it receives a DNS query message asking about information for which the server is not authoritative, the server issues a DNS response message containing RRs in the 'Authority Section'; the address mapping for the FQDN from that section may be present in the 'Additional Section'. This informs the DNS resolver where to send queries in order to obtain authoritative information for the question in the DNS query. This is also known as a DNS Referral Response message.
If the DNS server is not authoritative but is configured as a recursive resolver and it receives a DNS query asking about information, the server recursively queries (using iterative queries) the DNS architecture for the authoritative DNS server of the information included in the DNS request. Once the recursive DNS resolver has obtained this information, it will provide that information to the original DNS resolver using a DNS response message, and the RR will be non-authoritative (since the recursive DNS resolver is not authoritative for the requested information). The recursive DNS resolver may also have knowledge about the requested information stored in its DNS cache. If the requested information is present in the DNS cache, then the recursive DNS resolver will respond with that RR information.
Figure 2 illustrates the iterative process used by a DNS recursive resolver (DNS Recursor, server) to answer the DNS query message (question) on behalf of the DNS resolver (DNS Resolver, client) and provide a DNS query response message (answer).
Figure 2. Recursive Query

1. The DNS resolver sends a query message to the recursive resolver asking for the address of www.cisco.com.
2. The DNS recursor sends a query message to the root name servers looking for the .com domain name space.
3. The root name servers send a DNS referral response message to the DNS recursor informing it to ask the gTLD name servers for the .com domain name space.
4. The DNS recursor sends a query message to the gTLD name servers looking for the .cisco.com domain name space.
5. The gTLD name servers send a DNS referral response message to the DNS recursor informing it to ask the .cisco.com name servers, ns1.cisco.com or ns2.cisco.com, about this domain name space.
6. The DNS recursor sends a query to ns1.cisco.com or ns2.cisco.com asking for www.cisco.com.
7. The .cisco.com name servers, ns1.cisco.com or ns2.cisco.com, send an authoritative DNS query response message to the DNS recursor with the A (address) RR information for www.cisco.com.
8. The DNS recursor sends a DNS query response message to the DNS resolver with the A (address) RR information for www.cisco.com.
DNS Messages
All legitimate DNS messages sent or received are composed of multiple sections. These sections of the DNS message contain fields that determine how the message will be processed by the device receiving the message. These sections also contain information about the question (query messages) a device is asking or answers (response messages) a device may be providing. The sections present in a DNS message are Header, Question, Answer, Authority, and Additional.
Note that there are situations where sections of the DNS message may be empty. An example is a 'DNS Referral Response Message', in which the Answer section is empty, but the Authority and Additional sections are present and contain RR information.
For more information about the sections of a DNS message, their format, and the fields they contain, consult RFC 1035, Section 4, Messages.
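The following added example (it is not code from the Cisco paper) parses the five sections described above out of a wire-format DNS message, following the RFC 1035 section 4 layout including name compression, and applies the parser to a constructed referral response whose Answer section is empty while Authority and Additional carry the NS record and its glue address. The message bytes, the 192.0.2.53 glue address and the transaction ID are constructed sample values.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg: bytes, offset: int):
    """Decode a domain name at offset, following RFC 1035 4.1.4 compression
    pointers. Returns (name, offset just past the name in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_message(msg: bytes) -> dict:
    """Split a wire-format DNS message into Header, Question, Answer, Authority, Additional."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
              "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
              "rcode": flags & 0x000F}                   # rcode 3 = NXDOMAIN
    offset = 12
    question = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        question.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})

    def read_rrs(count):            # each RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        nonlocal offset
        rrs = []
        for _ in range(count):
            name, offset = read_name(msg, offset)
            rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
            offset += 10
            if rtype == 1 and rdlength == 4:              # A: dotted IPv4
                rdata = ".".join(str(b) for b in msg[offset:offset + 4])
            elif rtype in (2, 5):                          # NS / CNAME: a (compressible) name
                rdata, _ = read_name(msg, offset)
            else:
                rdata = msg[offset:offset + rdlength].hex()
            offset += rdlength
            rrs.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass,
                        "ttl": ttl, "rdlength": rdlength, "rdata": rdata})
        return rrs

    answer, authority, additional = read_rrs(an), read_rrs(ns), read_rrs(ar)
    return {"header": header, "question": question, "answer": answer,
            "authority": authority, "additional": additional}


def classify_response(parsed: dict) -> str:
    """Name the response type the way the text above does."""
    h = parsed["header"]
    if not h["qr"]:
        return "query"
    if h["rcode"] == 3:
        return "nxdomain"
    if parsed["answer"]:
        return "authoritative answer" if h["aa"] else "non-authoritative answer"
    if parsed["authority"]:
        return "referral"
    return "empty"


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_referral() -> bytes:
    """Constructed referral: QR=1, AA=0, RD=0; Question www.cisco.com. A; empty Answer;
    Authority cisco.com. NS ns1.cisco.com.; Additional ns1.cisco.com. A 192.0.2.53."""
    header = struct.pack("!6H", 0x1A2B, 0x8000, 1, 0, 1, 1)
    question = encode_name("www.cisco.com.") + struct.pack("!HH", 1, 1)
    zone_ptr = struct.pack("!H", 0xC000 | (12 + 4))        # "cisco.com." inside the question name
    ns_rdata = encode_name("ns1.cisco.com.")
    authority = zone_ptr + struct.pack("!HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata
    glue_ptr = struct.pack("!H", 0xC000 | (12 + len(question) + 2 + 10))   # points at ns_rdata
    additional = glue_ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 53])
    return header + question + authority + additional


if __name__ == "__main__":
    parsed = parse_message(build_referral())
    print(classify_response(parsed), parsed["authority"], parsed["additional"])
```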

Maliciously Abusing Implementation Flaws in DNS
Flaws in the implementation of the DNS protocol allow it to be exploited and used for malicious activities. Because DNS is such a critical protocol for Internet operations, countless operating systems, and applications, operators and administrators must harden DNS servers to prevent them from being used maliciously. Some of these flaws are presented in this document to inform operators how they can be used maliciously. Techniques are shared that can be used to prevent these types of activities.
DNS Open Resolvers
A DNS open resolver is a DNS server that allows DNS clients that are not part of its administrative domain to use that server for performing recursive name resolution. Essentially, a DNS open resolver provides responses (answers) to queries (questions) from anyone asking a question. DNS open resolvers are vulnerable to multiple malicious activities, including the following:
DNS cache poisoning attacks
Resource utilization attacks
Denial of Service (DoS) or Distributed DoS (DDoS)
DNS Cache Poisoning Attacks
DNS cache poisoning occurs when an attacker sends falsified and usually spoofed RR information to a DNS resolver. Once the DNS resolver receives the falsified RR information, it is stored in the DNS cache for the lifetime (Time To Live [TTL]) set in the RR. To exploit this flaw in the DNS resolver implementation so it will store the falsified information, an attacker must be able to correctly predict the DNS transaction identifier (TXID) and the UDP source port for the DNS query (request) message. Attackers use this exploitation technique to redirect users from legitimate sites to malicious sites or to inform the DNS resolver to use a malicious name server (NS) that is providing RR information used for malicious activities.
DNS Amplification and Reflection Attacks
DNS amplification and reflection attacks use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack, actions that typically result in a DoS or DDoS attack. These attacks are possible because the open resolver will respond to queries from anyone asking a question. Attackers use these DNS open resolvers for malicious activities by sending DNS messages to the open resolvers using a forged source IP address that is the target for the attack. When the open resolvers receive the spoofed DNS query messages, they respond by sending DNS response messages to the target address. Attacks of these types use multiple DNS open resolvers so the effects on the target devices are magnified.
Resource Utilization Attacks
Resource utilization attacks on DNS open resolvers consume resources on the device. Examples of such resources include CPU, memory, and socket buffers. These types of attacks try to consume all available resources to negatively impact operations of the open resolver. The impact of these attacks may require the device to be rebooted or a service to be stopped and restarted.
Prevent DNS Open Resolver Configurations
Multiple vendors have products that implement the DNS protocol and that can be configured as a DNS open resolver intentionally or unintentionally. A configured open resolver exposed to the Internet allows anyone to send DNS queries to the resolver. The examples that follow are configurations for some vendor products that are broadly deployed throughout the Internet. These example configurations show how to prevent a DNS server from acting as an open resolver.
Berkeley Internet Name Domain
Berkeley Internet Name Domain (BIND), a software product of Internet Systems Consortium, Inc., implements the DNS protocol that is discussed in this document. The following configurations can be applied to BIND so that the DNS server is prevented from acting as an open resolver. These configurations are applied in the 'named.conf' configuration file.
Note: Recursion is enabled by default for Version 9.5 of the BIND software and prior. BIND also allows operators to define views that can use the following configuration methods for disabling recursion. Views are not discussed in this document.
Note: The example configurations for BIND will use version 9.5.
1. Disable Recursion
// Disable recursion for the DNS service
//
options {
    recursion no;
};
2. Permit Recursion from Trusted Sources
// Permit recursive DNS queries for DNS messages with source
// addresses in the 192.168.1.0/24 netblock
//
options {
    allow-recursion { 192.168.1.0/24; };
};
3. Permit Queries from Trusted Sources
// Permit DNS queries for DNS messages with source addresses
// in the 192.168.1.0/24 netblock. The 'allow-query-cache'
// options configuration can also be used to limit the IP
// addresses permitted to obtain answers from the cache of
// the DNS server.
//
// Note: The function of 'allow-query-cache' changed between
// BIND version 9.4 and 9.4.1. Additional information about
// using this options configuration can be found in the BIND
// 9.5 Administrator Reference Manual (ARM).
//
options {
    allow-query { 192.168.1.0/24; };
};
4. Permit and Deny Recursion Using an ACL
// Create an Access List (ACL) defined as 'recursive-permit'
// that will permit devices in the ACL to use the DNS server
// for recursive DNS queries.
//
acl recursive-permit {
    192.168.1.0/24; 10.0.1.0/24; 172.16.1.0/24; 172.31.1.0/24;
};
// Create an Access List (ACL) defined as 'rfc5735-deny' that
// will deny devices in the ACL from using the DNS server for
// recursive DNS queries.
//
acl rfc5735-deny {
    0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12;
    192.0.0.0/24; 192.0.2.0/24; 192.88.99.0/24; 192.168.0.0/16;
    198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24; 224.0.0.0/4;
    240.0.0.0/4;
};
// Apply the 'recursive-permit' ACL created above to the options
// 'allow-query' or 'allow-recursion' configuration and then
// apply the 'rfc5735-deny' ACL created above to the 'blackhole'
// configuration.
options {
    // Output Truncated.
    allow-recursion { recursive-permit; };
    allow-query { recursive-permit; };
    // Output Truncated.
    blackhole { rfc5735-deny; };
};
// The 'blackhole' options configuration can be used to prevent
// the DNS server from accepting queries from IP addresses that
// are explicitly configured or defined in an ACL. This option
// will also prevent the DNS server from using devices defined
// in the ACL for resolving queries. The 'blackhole' option may
// also be used to prevent the DNS server from sending queries
// to known malicious DNS servers.
Note that 'blackhole' is evaluated before the allow lists, so the private ranges in 'rfc5735-deny' (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) cover every netblock listed in 'recursive-permit'. On a server whose trusted clients use private addresses, remove the ranges those clients occupy from the blackhole ACL, or the clients intended to be permitted will be silently ignored.

Other configuration options for BIND are available for limiting how devices can obtain answers to recursive DNS messages. Operators can use the 'allow-recursion-on' configuration option to select which addresses on the DNS server will accept recursive DNS queries. BIND also allows operators to select which addresses on the DNS server will provide answers from the DNS cache using the 'allow-query-cache-on' configuration option. Operators may also configure BIND to only listen on specific interfaces using the 'listen-on' or 'listen-on-v6' options configuration. For additional configuration options that can be used to secure BIND, consult the BIND 9.5 Administrator Reference Manual.
Note: Team Cymru also provides a Secure BIND Template that operators can use as a guide for hardening their DNS servers.
DNS Server Service
The DNS Server service is a software product provided by Microsoft Corporation that implements the DNS protocol. The following configurations can be applied to the DNS Server service to prevent the server from acting as an open resolver. These configurations are applied to the DNS Server service either through the Windows user interface (UI) or from the command line (CLI).
DNS Server service: Disable Recursion using Windows User Interface
The following steps provide information on how to disable recursion for the DNS Server service using the Windows User Interface (UI).
1. Open DNS using the following procedure:
   Left-click on Start
   Left-click on Control Panel
   Double-click Administrative Tools
   Double-click DNS
2. Within the console tree, right-click the DNS server that recursion will be disabled for and then select Properties.
3. Next, left-click the Advanced tab.
4. Within Server options, select the Disable recursion checkbox and then left-click on OK.
DNS Server service: Disable Recursion using Windows Command Line
The following example provides information on how to disable recursion for the DNS Server service using the Windows Command Line (CLI).
1. Open a Command Prompt using the following procedure:
   Left-click on Start
   Left-click on Run
   The Run dialog box will appear
   Type cmd in the text box to the right of "Open:"
2. At the Command Prompt, issue the following command:
DnsCmd ServerName /Config /NoRecursion {1|0}

DnsCmd: This is the name of the tool used from the CLI to perform administrative tasks for the DNS Server service.
/Config: Specifies that the argument for the DnsCmd command applies to the configuration of the DNS Server service.
/NoRecursion: Specifies that an argument of 1 or 0 will follow to disable or enable recursion for the DNS Server service.
{1|0}: The argument value; 1 disables recursion and 0 enables it.
Using either of the previous configuration examples for the DNS Server service will disable recursion for all resolvers sending recursive DNS queries to the server. If recursion is disabled, operators will not be able to use DNS forwarders on that server.
Microsoft provides additional information operators can use to harden the configuration of the DNS Server service. More information is available in the Securing the DNS Server service or Security Information for DNS documentation.
Microsoft Windows also provides a feature called DNS Server Secure Cache Against Pollution that ignores the RRs in DNS response messages received from a non-authoritative server. Note that this feature is enabled by default on Windows 2000 Service Pack 3 (SP3) and Windows Server 2003, and that using this feature will also produce more queries sent from the DNS server.
Randomization for DNS Transaction Identifier
DNS uses transaction IDs (TXID) for tracking queries and responses to queries. The DNS transaction ID is a 16-bit field in the Header section of a DNS message. DNS implementations use the transaction ID along with the source port value to match responses to previously sent query messages. Flaws have been discovered in DNS where the implementations do not provide sufficient entropy in the randomization of DNS transaction IDs when issuing queries. Attackers analyze the transaction ID values generated by the DNS implementation to create an algorithm that can be used to predict the next DNS transaction ID used for a query message. If attackers are able to predict the next transaction ID used in the DNS query along with the source port value, they can construct and send (spoof) DNS messages with the correct transaction ID. Even though the DNS message sent by the attacker is falsified, the DNS resolver accepts the query response because the transaction ID and source port value match up with the query the resolver sent, resulting in the DNS resolver's cache being poisoned.
Note: The transaction ID field for the DNS protocol is only 16 bits in length, so this value can range from 0 through 65535.
During the configuration of BIND for Unix and Linux based systems, it is recommended that operators use /dev/random with the --with-randomdev=PATH argument to the configure script. /dev/random is a special file used for generating random numbers, also known as a random number generator (RNG) or pseudo-random number generator (PRNG). Other operating system implementations of /dev/random are different and operators should consult the vendor's operating system documentation for details on its implementation. /dev/random is recommended because it creates an entropy pool (a group of random bits stored in one place) for generating unpredictable random numbers. Once the bits have been depleted from the entropy pool, a new pool will be created containing random bits. Using /dev/random will assist BIND in generating random DNS transaction IDs.
Use /dev/random When Configuring BIND
[user@server ~/bind-9.5.0]$
[user@server ~/bind-9.5.0]$ ./configure --with-randomdev=/dev/random
..... <configuration output truncated> .....

[user@server ~/bind-9.5.0]$
UDP Source Port Randomization in BIND
DNS uses both the source port value and transaction ID for tracking queries and the responses to queries. Flaws have been discovered in DNS where the implementations do not provide sufficient entropy in the randomization of the UDP source port when issuing queries. Malicious users can analyze the source port values generated by the DNS implementation to create an algorithm that can be used to predict the next UDP source port value used for a query message. If the next UDP source port value used in the DNS query along with the transaction ID can be predicted, an attacker can construct and send spoofed DNS messages with the correct UDP source port. Even though the DNS message sent by the attacker is falsified, the DNS resolver accepts the query response because the UDP source port value and the DNS transaction ID match up with the query the resolver sent, resulting in the DNS resolver's cache being poisoned.
Note: The source port field for the UDP protocol is only 16 bits in length, so this value can range from 0 through 65535.
The following configurations can be applied to BIND so the DNS server will randomize the UDP source port for DNS messages. To use these configurations, apply them to the options section in the 'named.conf' configuration file.
Configuration UDP Source Port Randomization
// The 'query-source' and 'query-source-v6' configuration
// options allow the operator to select the interface(s)
// and UDP source port value used for sending DNS queries.
// If a value of '*' is used for the source port, then a
// port will be used from a pool of random unprivileged ports.
// Query port pools are used by default unless a port value
// is explicitly configured.
//
options {
    query-source address * port *;
    query-source-v6 address * port *;
    // Additional configuration options are available for UDP
    // source port randomization. This is achieved through the
    // "queryport" options added to version 9.5 of BIND.
    // * use-queryport-pool: Enabled by default unless the
    //   port value is explicitly configured for the query-source
    //   or query-source-v6 options configuration.
    // * queryport-pool-ports: Defines how many random ports
    //   the pool will contain. The default is 8 ports.
    // * queryport-pool-updateinterval: Defines in minutes
    //   when the query port pool will be recreated (select
    //   a new group of random unprivileged ports). The
    //   default is 15 minutes.
    //
    // By increasing the number of ports allocated to the query
    // port pool, it will be harder for malicious users to predict
    // the next UDP source port used in DNS queries. Operators
    // may also decrease the time interval for the recreation of
    // the query port pool, thus allowing for random ports to be
    // selected in shorter intervals and making source port
    // values harder to predict.
    //
    // Note: Operators should test any non-default changes prior
    // to deploying to production environments.
    queryport-pool-ports <number>;
    queryport-pool-updateinterval <number>;
};

Maliciously Abusing Resource Record Time To Live
When a DNS resolver sends a query asking for information, an authoritative or a non-authoritative server may respond with a DNS query response message and the relevant resource record (RR) data or an error. The RR contains a 32-bit Time To Live (TTL) field used to inform the resolver how long the RR may be cached until the resolver needs to send a DNS query asking for the information again. This field can be used maliciously by setting the value for an RR to a short or long TTL value. By using a short TTL value, malicious users can leverage DNS to distribute information about a large number of devices hosting malicious code or being used for malicious activities to DNS resolvers. The hostname to IP address mapping for devices in the requested domain name space will rapidly change (usually anywhere from several seconds to a few minutes). This is known as a Fast Flux (FF) network. Abusing the TTL value using this technique for an RR in a DNS query response message is known as Single Flux. This malicious technique makes it difficult for operators to use traceback methods and identify compromised hosts participating in the Fast Flux network.
Another multifaceted technique used by attackers is to rapidly change hostname to IP address mappings for both DNS A (address) RRs and DNS NS (name server) RRs, creating a Double Flux (DF) network.
Additional information about Fast Flux is available in Know Your Enemy: Fast-Flux Service Networks.
Another potentially malicious use of a short TTL is using a value of 0. This value informs the DNS resolver that the RR information received in the DNS query response message should not be stored in the cache of the resolver.
Note: DNS SOA RRs are always distributed to resolvers with a TTL value of 0.
Attackers can also use long TTL values for RRs so that DNS resolvers will cache the information received in the query response message for an extended period of time. This technique can be used for storing malicious RR information in the cache of a resolver for an extended period of time. If the resolver is a recursive or open resolver, then it can distribute the RRs for the malicious host to many resolver clients, thus allowing use for malicious activities. This method differs from the Fast Flux technique that uses a short TTL value, and operators are able to use traceback techniques to more easily identify malicious hosts distributing this information.
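As an added example that is not part of the Cisco paper, the following detection logic scans constructed passive-DNS style log lines (timestamp, name, type, TTL, rdata) for the TTL abuses described above: a TTL of 0, rapidly changing A records with short TTLs (single flux), a zone whose NS records churn as well (double flux), and unusually long TTLs that pin a record in cache. The thresholds, the domain names and the log lines are assumptions chosen for illustration.

```python
from collections import defaultdict

SHORT_TTL = 300            # seconds: the "several seconds to a few minutes" range above
LONG_TTL = 7 * 24 * 3600   # a week or more keeps a record pinned in the cache
FLUX_MIN_DISTINCT = 5      # distinct rdata values seen for one name before calling it flux

# Constructed sample log, one observed RR per line: "<timestamp> <name> <type> <ttl> <rdata>".
SAMPLE_LOG = """
# fast flux host: six addresses within minutes, 60 s TTL
2015-12-01T10:00:00 www.flux-example.net. A 60 198.51.100.11
2015-12-01T10:01:00 www.flux-example.net. A 60 198.51.100.12
2015-12-01T10:02:00 www.flux-example.net. A 60 203.0.113.13
2015-12-01T10:03:00 www.flux-example.net. A 60 203.0.113.14
2015-12-01T10:04:00 www.flux-example.net. A 60 192.0.2.15
2015-12-01T10:05:00 www.flux-example.net. A 60 192.0.2.16
# the zone's NS set churns too, which makes it double flux
2015-12-01T10:00:00 flux-example.net. NS 120 ns1.flux-example.net.
2015-12-01T10:02:00 flux-example.net. NS 120 ns2.flux-example.net.
2015-12-01T10:04:00 flux-example.net. NS 120 ns3.flux-example.net.
2015-12-01T10:06:00 flux-example.net. NS 120 ns4.flux-example.net.
2015-12-01T10:08:00 flux-example.net. NS 120 ns5.flux-example.net.
# single flux: A records churn, the name servers do not
2015-12-01T10:00:00 mail.single-example.net. A 30 198.51.100.21
2015-12-01T10:00:30 mail.single-example.net. A 30 198.51.100.22
2015-12-01T10:01:00 mail.single-example.net. A 30 198.51.100.23
2015-12-01T10:01:30 mail.single-example.net. A 30 198.51.100.24
2015-12-01T10:02:00 mail.single-example.net. A 30 198.51.100.25
# short TTL but only two addresses: ordinary load balancing, not flagged
2015-12-01T10:00:00 cdn.benign-example.com. A 30 192.0.2.40
2015-12-01T10:00:30 cdn.benign-example.com. A 30 192.0.2.41
# a 30-day TTL pins one record in the resolver cache
2015-12-01T10:00:00 pinned.bad-example.org. A 2592000 203.0.113.99
# TTL 0 asks the resolver not to cache the record at all
2015-12-01T10:00:00 nocache.example.org. A 0 203.0.113.77
"""


def parse_log(text: str) -> list:
    """Turn the log text into records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name, rtype, ttl, rdata = line.split(maxsplit=4)
        records.append({"ts": ts, "name": name.lower(), "type": rtype.upper(),
                        "ttl": int(ttl), "rdata": rdata.lower()})
    return records


def analyse_ttl_abuse(records: list) -> dict:
    """Return {(name, type): finding} for every name whose TTL use matches one of the
    patterns in the text; names with nothing remarkable are left out."""
    seen = defaultdict(lambda: {"ttls": [], "rdata": set()})
    for r in records:
        entry = seen[(r["name"], r["type"])]
        entry["ttls"].append(r["ttl"])
        entry["rdata"].add(r["rdata"])
    findings = {}
    for key, info in seen.items():
        lo, hi, distinct = min(info["ttls"]), max(info["ttls"]), len(info["rdata"])
        flags = []
        if lo == 0:
            flags.append("ttl-zero")
        if lo <= SHORT_TTL and distinct >= FLUX_MIN_DISTINCT:
            flags.append("rapid-change")
        if hi >= LONG_TTL:
            flags.append("long-ttl-pinning")
        if flags:
            findings[key] = {"min_ttl": lo, "max_ttl": hi,
                             "distinct_rdata": distinct, "flags": flags}
    # Single flux: the A records churn. Double flux: the parent zone's NS records churn too.
    fluxing_ns = {name for (name, rtype), f in findings.items()
                  if rtype == "NS" and "rapid-change" in f["flags"]}
    for (name, rtype), f in findings.items():
        if rtype == "A" and "rapid-change" in f["flags"]:
            parent = name.split(".", 1)[1]
            f["flags"].append("double-flux" if parent in fluxing_ns else "single-flux")
    return findings


def report(text: str = SAMPLE_LOG) -> dict:
    return analyse_ttl_abuse(parse_log(text))


if __name__ == "__main__":
    for (name, rtype), finding in sorted(report().items()):
        print(f"{name:28} {rtype:3} {finding}")
```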
To prevent a DNS server from storing RR information in the cache of the resolver for the full value of the TTL received in the DNS query response message, the following options configurations can be used for BIND.
Maximum Cache Length for RRs
// The 'max-cache-ttl' configuration option allows the
// operator to define the amount of time the DNS server
// will store RR information in the resolver cache.
//
// Note: Operators should test any non-default changes
// prior to deploying to production environments.
options {
    max-cache-ttl <number>;
};
Maximum Cache Size
// The 'max-cache-size' configuration option allows the
// operator to define the amount of memory a DNS server will
// use for storing RR information in the resolver cache.
// When data stored in cache has reached the configured
// memory limit, BIND will purge RR information from the
// cache to store new RR information.
//
// Note: If this options configuration is set to a low
// value, it may cause the DNS server to issue queries
// more often since entries stored in the cache will be
// purged quicker. This is dependent on the amount of
// queries the DNS server processes.
//
// Note: Operators should test any non-default changes prior
// to deploying to production environments.
options {
    max-cache-size <number>;
};

Segregating Authoritative and Recursive Resolvers
Authoritative and recursive resolvers have different primary functions. An authoritative DNS server distributes information to DNS resolvers for authoritative domain name space. A recursive resolver recursively walks through the DNS architecture and locates the authoritative DNS server for the information in the DNS query (question asked), then distributes an answer or error for that information using a DNS query response message to the resolver who asked the question.
Because the functions of these resolvers are used for different purposes, the resolvers should be segregated.
Authoritative DNS servers should be used only for responding to queries for domain name space for which the server is administrative. Queries from anyone (queries sourced from the Internet) may be allowed for information we know (authoritative RRs).
Recursive DNS servers should be used only for responding to queries from DNS resolvers inside their administrative domain. Queries from known sources (clients inside your administrative domain) may be allowed for information we do not know (for example, for domain name space outside our administrative domain).
Authoritative and recursive resolver functions should be segregated because authoritative DNS servers primarily distribute information about hosts accessible via the Internet, and they are also accessible via the Internet for distributing this information. By combining these resolver functions on a single DNS server and allowing the server to be accessible via the Internet, malicious users could employ the authoritative DNS server in amplification attacks or easily poison the DNS cache. A recursive DNS resolver must be protected from the Internet and only trusted sources should be able to send DNS queries. One approach for controlling what DNS queries are permitted to exit the network under an operator's control is to only allow DNS queries sourced from the internal recursive DNS resolvers.
Domain Name System Security Extensions
DNS Security Extensions (DNSSEC) add security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document, such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information are defined in multiple RFCs:
RFC 4033: DNS Security Introduction and Requirements
RFC 4034: Resource Records for the DNS Security Extensions
RFC 4035: Protocol Modifications for the DNS Security Extensions
RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4641: DNSSEC Operational Practices

Protections for Spoofing
The DNS protocol leverages the User Datagram Protocol (UDP) for the majority of its operations. UDP is a connectionless protocol and, as such, it can be easily spoofed. Many of the attacks described in this document rely on spoofing to be successful.
Several security controls can be implemented to limit spoofing. These controls are described in the following sections.
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (Unicast RPF) is a feature that can reduce the effectiveness of packets with spoofed source addresses. A network device using Unicast RPF evaluates the source of each IP packet against its local routing table in order to determine source address validity. While it can detect and filter some spoofed traffic, Unicast RPF does not provide complete protection against spoofing because spoofed and valid packets with the same source address may arrive on the same interface.
Unicast RPF operates in two modes: strict and loose. In strict mode, the Unicast RPF feature uses the local routing table to determine if the source address within a packet is reachable through the interface on which the packet was received. If it is reachable, the packet is permitted; if it is not, the packet is dropped. Strict mode Unicast RPF is best deployed on network boundaries where traffic asymmetry is not prevalent.
Strict mode Unicast RPF is enabled on Cisco IOS devices using the interface configuration command ip verify unicast source reachable-via rx (the previous format of this command was ip verify unicast reverse-path). Strict mode Unicast RPF can be enabled on the Cisco PIX, ASA, and FWSM firewalls using the ip verify reverse-path interface <interface> configuration command.
In loose mode Unicast RPF, if the source address of a packet is reachable through any interface on the Unicast RPF-enabled device, the packet is permitted. If the source address of the IP packet is not present in the routing table, the packet is dropped. Loose mode Unicast RPF can be enabled on Cisco IOS devices using the ip verify unicast source reachable-via any interface configuration command; loose mode Unicast RPF is not available on Cisco PIX, ASA or FWSM firewalls.
More information about Unicast RPF is available in the Applied Intelligence white paper Understanding Unicast Reverse Path Forwarding.
IP Source Guard
IP source guard is a Layer 2 security feature that builds upon Unicast RPF and DHCP snooping to filter spoofed traffic on individual switch ports. DHCP snooping, which is a prerequisite of IP source guard, inspects DHCP traffic within a VLAN to understand which IP addresses have been assigned to which network devices on which physical switch port. Once this information has been gathered and stored in the DHCP snooping bindings table, IP source guard is able to leverage it to filter IP packets received by a network device. If a packet is received with a source address that does not match the DHCP snooping bindings table, the packet is dropped.
The implementation of IP source guard within the access layer of a network can effectively eliminate the origination of spoofed IP traffic. However, because it requires DHCP to remain manageable, it is not possible to deploy IP source guard on internal-to-external network boundaries.
The following example illustrates the configuration of IP source guard on interface FastEthernet 0/10, which has been assigned to VLAN 100:
!
! Enable DHCP snooping on VLAN 100
!
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Enable IP source guard on FastEthernet 0/10
!
interface FastEthernet 0/10
 switchport
 switchport mode access
 switchport access vlan 100
 ip verify source
!

See Configuring DHCP Features and IP Source Guard for more information on IP source guard.
Access Control Lists
Manually configured Access Control Lists (ACLs) can provide static anti-spoofing protection against attacks that utilize unused or untrusted address space. Commonly, these anti-spoofing ACLs are applied to interfaces in the ingress direction for traffic received at network boundaries as a component of a more comprehensive ACL. Spoofing can be minimized in traffic originating from the local network by applying ACLs that use Access Control Entries (ACEs) which limit the traffic to only valid local addresses.
The example that follows demonstrates how ACLs can be used in order to limit IP spoofing. The ACL is applied inbound on the desired interface. The ACEs that make up this ACL are not comprehensive. If you configure these types of ACLs, seek an up-to-date reference that is conclusive.
!
ip access-list extended ACL-ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
!
interface Ethernet 0/0
 ip access-group ACL-ANTISPOOF-IN in
!
Note that a Cisco IOS ACL ends with an implicit deny of all remaining traffic, so when these ACEs are folded into a production ACL they must be followed by the permit entries for the traffic the interface is expected to carry.
Refer to Configuring Commonly Used IP ACLs for more information on how to configure Access Control Lists.
The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.

Detecting and Preventing DNS Attacks using Cisco Products and Features
The ASA, PIX, and FWSM firewall products, the Cisco Intrusion Prevention System (IPS) and the Cisco IOS NetFlow feature provide capabilities to aid in identification and mitigation of DNS-related attacks. The following subsections provide an overview of how each device or feature can be utilized.
Cisco ASA and FWSM firewalls
The Cisco ASA, PIX and FWSM Firewalls have several features that can be utilized to minimize attacks against the DNS protocol. The following subsections will provide an overview of these features and the capabilities they can provide.
Attack Mitigation Capabilities:
Query and Response Verification
DNS cache poisoning attacks commonly use multiple responses to each query as the attacker attempts to predict or brute-force the transaction ID and the UDP source port to corrupt the DNS cache. The DNS guard function inspects and tears down an existing DNS connection associated with a DNS query as soon as the first DNS response message is received and forwarded by the firewall. The firewall also monitors the message exchange to ensure that the transaction ID of the DNS reply matches the transaction ID of the initial DNS query. For the firewall to successfully mitigate cache poisoning attacks, both the initial DNS query and the subsequent non-malicious DNS response will need to transit the firewall. In the unlikely occurrence that the malicious DNS response arrives first and with the correct transaction ID, the firewall is unable to prevent DNS cache poisoning type attacks.
Enabling DNS guard through either the command line DNS Guard function or DNS application inspection provides preventive controls against DNS cache poisoning attacks. This feature is enabled by default and is available on Cisco ASA, Cisco PIX and Cisco FWSM Firewalls.
Transaction ID randomization
Some DNS implementations use a weak randomization algorithm to generate DNS transaction IDs for DNS query messages. This makes these implementations prone to cache poisoning and spoofing attacks. The id-randomization parameters submode command for policy-map type inspect dns can be used to randomize the DNS transaction ID for a DNS query. This function will harden DNS implementations with weak randomization algorithms.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This function is disabled by default on the ASA and PIX firewalls. This feature is not supported on the FWSM firewalls.
DNS Header Flag Filtering
DNS cache poisoning attacks use DNS open resolvers when attempting to corrupt the DNS cache of vulnerable resolvers. The DNS messages sent to open resolvers set the recursion desired (RD) flag in the DNS header. Utilizing the DNS application inspection flag filtering feature, these attacks can be minimized by dropping DNS messages with the RD flag present in the DNS header.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX 500 Firewalls. This function is not available on FWSM Firewalls. This function is disabled by default.
DNS message size limitations
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.
Note: Although use of this command does reduce the possibility of being a victim of a DNS Amplification Denial of Service attack, it is more likely to prevent the DNS server from being used as part of the source of a DNS Amplification attack.
Feature Overview
DNS Guard
Beginning with software release 7.0(5) for Cisco ASA 5500 Series and Cisco PIX 500 Series, and software release 4.0 for the FWSM, the DNS guard function can be controlled through the dns-guard global configuration or the dns-guard parameters submode command for policy-map type inspect dns. For Cisco ASA 5500 and Cisco PIX 500 Firewalls that are running releases prior to 7.0(5) and for the FWSM Firewall releases prior to 4.0, the DNS guard function is always enabled, and it cannot be configured through this command. The configuration of this feature, when configurable, will be detailed later in the feature configuration section.
DNS Application Inspection
Application layer protocol inspection is available beginning in software release 7.0 for the Cisco ASA 5500 and Cisco PIX 500 Series Firewalls and in software release 3.1 for the FWSM Firewall. Configuration of DNS application inspection capabilities will be detailed later in the feature configuration section of this document.
Caution: Application layer protocol inspection will decrease firewall performance. This feature should be tested in a lab environment before deployment in production environments.
Feature Configuration
DNS Guard Configuration
To determine whether the DNS guard function is enabled globally, look for the following string in the firewall configuration for software releases 7.0(5) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances:

firewall# show running-config dns-guard
dns-guard
firewall#

If the DNS guard function has been disabled globally, it can be re-enabled using the following commands for software releases 7.0(5) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances:

firewall# configure terminal
firewall(config)# dns-guard
firewall(config)# exit
firewall#

In software releases 7.2(1) and later for the Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, administrators can enable DNS guard functionality through DNS application inspection and the Modular Policy Framework (MPF). Configuration of DNS Guard through DNS application inspection and MPF will be demonstrated in the following DNS application inspection configuration section.
DNS Application Inspection Configuration
DNS application inspection utilizes the Modular Policy Framework (MPF) for configuration. To configure application inspection, administrators may construct an inspection policy through the configuration of inspect class maps and inspect policy maps, which are applied via a global or an interface service policy. The following example demonstrates configuration of this feature.
Additional information about DNS application inspection and the Modular Policy Framework is available in How DNS Application Inspection Works.
Additional information about application layer protocol inspection is available in Configuring Application Layer Protocol Inspection.

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  !
  ! Enable dns-guard to verify that DNS query and
  ! response transaction IDs match and only one DNS
  ! response is allowed through the firewall for
  ! each query.
  !
  dns-guard
  !
  ! Enable id-randomization to generate unpredictable
  ! DNS transaction IDs in DNS messages and protect
  ! DNS servers and resolvers with poor randomization
  ! of DNS transaction IDs.
  !
  id-randomization
  !
  ! Enable a maximum message length to help defeat DNS
  ! amplification attacks. Note: This is the default
  ! configuration and value based on RFC 1035.
  !
  message-length maximum 512
  !
  ! Enable id-mismatch to count DNS transaction ID
  ! mismatches within a specified period of time
  ! and generate a syslog when the defined threshold
  ! has been reached.
  !
  id-mismatch count 10 duration 2 action log
 exit
 !
 ! Check for DNS query messages with the recursion
 ! desired (RD) flag set in the DNS header and drop
 ! those packets to avoid being used as a recursive
 ! resolver.
 match header-flag RD
  drop
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  CLI Output Truncated
!
service-policy global_policy global
!
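To make the checks in the policy above concrete, here is an added Python model (example code, not Cisco's implementation) of dns-guard, id-mismatch counting, header-flag RD filtering and the 512-byte message-length limit, run over constructed DNS messages built with struct. The DnsGuard class and the build_dns_message helper are hypothetical names; id-randomization is not modelled.

```python
import struct
MAX_DNS_LEN = 512   # models "message-length maximum 512" (RFC 1035 UDP limit)
QR_FLAG = 0x8000    # query/response bit in the DNS header flags word
RD_FLAG = 0x0100    # recursion-desired bit

def build_dns_message(txid, is_response, rd, qname=b"example.com"):
    """Constructed minimal DNS message: 12-byte header plus one A question."""
    flags = (QR_FLAG if is_response else 0) | (RD_FLAG if rd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00"
    return header + labels + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

class DnsGuard:  # hypothetical model of the firewall's DNS inspection checks
    def __init__(self, drop_rd=False):
        self.pending = set()        # transaction IDs of queries awaiting a reply
        self.drop_rd = drop_rd      # models "match header-flag RD" / "drop"
        self.counters = {"passed": 0, "too_long": 0, "rd": 0, "id_mismatch": 0}

    def inspect(self, msg):
        """Return "pass" or "drop" for one DNS message crossing the firewall."""
        if len(msg) > MAX_DNS_LEN:                 # message-length maximum
            self.counters["too_long"] += 1
            return "drop"
        txid, flags = struct.unpack("!HH", msg[:4])
        if not flags & QR_FLAG:                    # a query
            if self.drop_rd and flags & RD_FLAG:   # header-flag RD filtering
                self.counters["rd"] += 1
                return "drop"
            self.pending.add(txid)
        else:                                      # a response
            # dns-guard: the ID must match an open query and only the first reply
            # is forwarded; a duplicate or guessed ID both count as "id not matched".
            if txid not in self.pending:
                self.counters["id_mismatch"] += 1
                return "drop"
            self.pending.discard(txid)
        self.counters["passed"] += 1
        return "pass"
def run_demo():
    """Replay constructed traffic through the model and return the verdicts."""
    guard = DnsGuard(drop_rd=True)
    verdicts = [
        guard.inspect(build_dns_message(0x1234, False, rd=False)),  # query: pass
        guard.inspect(build_dns_message(0x1234, True, rd=False)),   # real reply: pass
        guard.inspect(build_dns_message(0x1234, True, rd=False)),   # second reply: drop
        guard.inspect(build_dns_message(0x9999, True, rd=False)),   # guessed ID: drop
        guard.inspect(build_dns_message(0x0001, False, rd=True)),   # RD query: drop
        guard.inspect(b"\x00" * 600),                               # oversized: drop
    ]
    return verdicts, guard.counters
```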

DNS Attack Identification
DNS Service Policy Identification
When the DNS guard, DNS ID randomization, DNS ID mismatch, and DNS protocol enforcement functions for the DNS application inspection feature are enabled, the show service-policy inspect command will identify the number of DNS packets inspected or dropped by these functions and this feature. Example output for show service-policy inspect dns follows:

! Output for service policy applied globally
!
firewall# show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 37841, drop 0, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 21691
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 21856
        id-mismatch count 10 duration 2, log 2
firewall#

! Output for service policy applied per interface
!
firewall# show service-policy inspect dns

Interface outside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4923, drop 1544, reset-drop 0
        message-length maximum 512, drop 39
        dns-guard, count 2147
        protocol-enforcement, drop 542
        nat-rewrite, count 0
        id-randomization, count 2220
        id-mismatch count 10 duration 2, log 1
Interface inside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 240, drop 0, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 88
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 116
        id-mismatch count 10 duration 2, log 0
firewall#

Syslog Identification
In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.
Firewall syslog message 410002 will be generated when the firewall detects a high rate of DNS responses with a mismatched DNS transaction ID. The threshold for this function is set by the id-mismatch parameters submode command for policy-map type inspect dns. Additional information about this syslog message is available in Cisco Security Appliance System Log Message 410002.
Firewall syslog message 106007 will be generated when the firewall detects that a DNS response message has already been received for a DNS query message and the connection entry has been torn down by the DNS guard function. This syslog message indicates that the DNS response message received has been denied. Additional information about this syslog message is available in Cisco Security Appliance System Log Message 106007.
Additional information about regular expression syntax is available in Using the Command Line Interface.

firewall# show logging | grep (106007|410002)
Mar 31 2008 00:29:18: %ASA-2-410002: Dropped 189 DNS responses with
mismatched id in the past 10 second(s): from outside:192.0.2.2/3917
to inside:192.168.60.1/53
Mar 31 2008 00:29:13: %ASA-2-106007: Deny inbound UDP from 192.0.2.2/2875
to 192.168.60.1/53 due to DNS Response.
firewall#

For additional information about investigating incidents using syslog events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.
Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is available in Configuring Logging on the Cisco Security Appliance. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is available in Configuring Monitoring and Logging on the Cisco FWSM.
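As an added example that is not part of the Cisco document, the following Python parses the 410002 and 106007 message formats shown above out of a constructed log sample (the addresses are the ones from the example output; the third and fourth lines are constructed to show a second source and an unrelated message) and totals the dropped responses per source and resolver, which is the view an analyst wants when judging whether a burst of mismatched IDs targets one resolver.

```python
import re
from collections import Counter

# Constructed sample in the format of the two messages discussed above.
SAMPLE_LOG = """\
Mar 31 2008 00:29:18: %ASA-2-410002: Dropped 189 DNS responses with mismatched id in the past 10 second(s): from outside:192.0.2.2/3917 to inside:192.168.60.1/53
Mar 31 2008 00:29:13: %ASA-2-106007: Deny inbound UDP from 192.0.2.2/2875 to 192.168.60.1/53 due to DNS Response.
Mar 31 2008 00:29:20: %ASA-2-106007: Deny inbound UDP from 192.0.2.7/1055 to 192.168.60.1/53 due to DNS Response.
Mar 31 2008 00:29:21: %ASA-6-302015: Built inbound UDP connection 12 for outside:192.0.2.9/4000 (192.0.2.9/4000) to inside:192.168.60.1/53 (192.168.60.1/53)
"""

MISMATCH_RE = re.compile(
    r"%ASA-\d-410002: Dropped (?P<n>\d+) DNS responses with mismatched id in the past "
    r"(?P<secs>\d+) second\(s\): from \w+:(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/\d+")
DENY_RE = re.compile(
    r"%ASA-\d-106007: Deny inbound UDP from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+ "
    r"due to DNS Response")

def parse_dns_events(text):
    """Return (message_id, source, resolver, dropped_responses) per matching line."""
    events = []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:                      # 410002 already aggregates a burst of replies
            events.append(("410002", m["src"], m["dst"], int(m["n"])))
            continue
        m = DENY_RE.search(line)
        if m:                      # 106007 is one denied reply per message
            events.append(("106007", m["src"], m["dst"], 1))
    return events

def rank_sources(events):
    """Total dropped or denied DNS responses per (source, resolver), busiest first."""
    totals = Counter()
    for _msgid, src, dst, n in events:
        totals[(src, dst)] += n
    return totals.most_common()
```

On a live firewall the same functions can be fed the text of show logging | grep (106007|410002) instead of the constructed sample.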
Accelerated Security Path Identification
The show asp drop frame command can identify the number of DNS packets that the DNS guard function (with the counter name inspect-dns-id-not-matched) has dropped because the transaction ID in the DNS response message does not match any transaction IDs for DNS queries that have passed across the firewall earlier on the same connection. As shown in the following example, the counter inspect-dns-id-not-matched is represented in the command output as DNS Inspect id not matched:

firewall# show asp drop frame
  DNS Inspect id not matched               182
  Flow is denied by configured rule        855
  Expired flow                               1
  Interface is down                          2
firewall#

In the preceding example, the DNS guard function has dropped 182 DNS response message packets, either because the DNS transaction ID was incorrect or because a DNS response message with the correct transaction ID had already been received.
For additional information about debugging accelerated security path (ASP) dropped packets or connections, reference the Cisco Security Appliance Command Reference for show asp drop.
Cisco IPS
The Cisco IPS provides several signatures to detect application-specific vulnerabilities such as buffer overflow vulnerabilities, as well as informational DNS signatures that may be indicative of reconnaissance or probing. In addition to these application-specific signatures, anomaly-based signatures can provide coverage for vulnerabilities such as amplification attacks or cache poisoning, where the rate of DNS transactions is likely to vary significantly.
The following table lists the DNS-specific signatures provided on the Cisco IPS appliance with signature pack S343.
Table 1. DNS-Specific Signatures Provided on the Cisco IPS Appliance with Signature Pack S343