Open DNS resolver 指 Caching recursive DNS 伺服器對外公開(不限使用對象)提供名稱遞迴解析 (recursive name resolution)服務,可能產生以下問題:
為防治 open DNS resolver 問題,協助處理校園內電腦因設定不慎而可能遭攻擊者利用來發動網路攻擊,故本組建置 open DNS resolver 偵測系統,並將偵測結果提供各單位網管,以便轉知其使用者參考建議作法來修正設定及自行檢測問題是否解決,藉以減少本校網路內 open DNS resolver 的數量。
序號 | 單位 | IP 位址 | 偵測時間 | 備註 | ||
---|---|---|---|---|---|---|
1 | 計通中心-TWAREN SSL VPN | 140.114.252.xxx | 2024/12/15 17:40:05 | |||
2 | 計通中心-TWAREN SSL VPN | 140.114.252.xxx | 2024/12/17 15:40:01 | |||
3 | 計通中心-TWAREN SSL VPN | 140.114.252.xxx | 2024/12/14 00:01:06 | |||
總計摘 3 筆記錄 |
為方便本校使用者自行檢測其電腦或網路設備是否具有 open DNS resolver 的問題,特建置此即時的檢測服務,目前限由本校 IP 位址來進行檢測。(2013/08/30上線試用)
Check open dns resolver for the target IP 140.114.xx.xx Time: Wed Sep 11 09:10:11 2013 check_open_resolver: 140.114.xx.xx DIG: DIG: ; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.xx.xx -t A isc.org DIG: ; (1 server found) DIG: ;; global options: +cmd DIG: ;; Got answer: DIG: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13648 DIG: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2 DIG: DIG: ;; QUESTION SECTION: DIG: ;isc.org. IN A DIG: DIG: ;; ANSWER SECTION: DIG: isc.org. 60 IN A 149.20.64.69 DIG: DIG: ;; AUTHORITY SECTION: DIG: isc.org. 1814 IN NS sfba.sns-pb.isc.org. DIG: isc.org. 1814 IN NS ns.isc.afilias-nst.info. DIG: isc.org. 1814 IN NS ams.sns-pb.isc.org. DIG: isc.org. 1814 IN NS ord.sns-pb.isc.org. DIG: DIG: ;; ADDITIONAL SECTION: DIG: ns.isc.afilias-nst.info. 54300 IN A 199.254.63.254 DIG: ns.isc.afilias-nst.info. 54300 IN AAAA 2001:500:2c::254 DIG: DIG: ;; Query time: 402 msec DIG: ;; SERVER: 140.114.xx.xx#53(140.114.xx.xx) DIG: ;; WHEN: Wed Sep 11 09:10:11 2013 DIG: ;; MSG SIZE rcvd: 184 DIG: CHECK : Is 140.114.xx.xx an open resolver? ANSWER: YES for 140.114.xx.xx REASON: IP 140.114.xx.xx should not reply the DNS request which does not belong to its authorized zone.
Check open dns resolver for the target IP 140.114.63.1 Time: Wed Sep 11 09:26:32 2013 check_open_resolver: 140.114.63.1 DIG: DIG: ; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.63.1 -t A isc.org DIG: ; (1 server found) DIG: ;; global options: +cmd DIG: ;; connection timed out; no servers could be reached CHECK : Is 140.114.63.1 an open resolver? ANSWER: NO for 140.114.63.1 REASON: Cannot reach 140.114.63.1. If its power is off, please turn it on and check again.
Check open dns resolver for the target IP 140.114.63.10 Time: Wed Sep 11 09:27:47 2013 check_open_resolver: 140.114.63.10 DIG: DIG: ; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.63.10 -t A isc.org DIG: ; (1 server found) DIG: ;; global options: +cmd DIG: ;; Got answer: DIG: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7118 DIG: ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 DIG: ;; WARNING: recursion requested but not available DIG: DIG: ;; QUESTION SECTION: DIG: ;isc.org. IN A DIG: DIG: ;; Query time: 2 msec DIG: ;; SERVER: 140.114.63.10#53(140.114.63.10) DIG: ;; WHEN: Wed Sep 11 09:27:47 2013 DIG: ;; MSG SIZE rcvd: 25 DIG: CHECK : Is 140.114.63.10 an open resolver? ANSWER: NO for 140.114.63.10 REASON: Recursion requested but not available
為降低遭攻擊者利用機會,本中心提供 DNS 查詢服務,僅限本校IP位址使用。請各系所單位伺服器管理者參酌以下建議作法,拒絕對非限定使用者(校外IP位址)提供遞迴解析 (recursive resolution)的查詢服務,以避免 Open DNS resolver 問題。
acl nthu-nets { 140.114.0.0/16; 127.0.0.1/32; }; options { //(其他參數略...) // Recursive Name Server allow-query { nthu-nets; }; };
options { //(其他參數略...) // Authoritative-only Name Server recursion no; allow-query-cache { none; }; allow-query { any; }; };
適用 Caching recursive DNS 伺服器,以 ACL (access control list) 限制使用者來源 IP 位址,設定方式詳:BIND 設定的 acl 及 allow-query,以下為設定檔 named.conf 相關參數。
acl nthu-nets { 140.114.0.0/16; 127.0.0.1/32; }; options { //(其他參數略...) // Recursive Name Server allow-query { nthu-nets; }; };
適用Authoritative DNS 伺服器,設定限制遞迴查詢權限(recursive query),詳:BIND 設定的 recursion no,以下為設定檔 named.conf 相關參數。
options { //(其他參數略...) // Authoritative-only Name Server recursion no; allow-query-cache { none; }; allow-query { any; }; };
C:\Windows\system32>netstat -ab -p UDP 使用中連線 協定 本機位址 外部位址 狀態 UDP 0.0.0.0:500 *:* IKEEXT [svchost.exe] ... UDP 0.0.0.0:53 *:* XXXXX [yyyyy.exe] ...
有些網路設備(如:無線網路閘道器、IP分享器、或路由器)本身可能具有 open DNS resolver 問題,需適當調整設定或以防火牆來處理,由於網路設備的類型繁多,若您知悉某裝置該如何處理,歡迎提供設備廠牌、型號、軟(韌)體版本、及其設定方式的畫面,寄至 mucheng cc.nthu.edu.tw,以利製成以下網頁,嘉惠眾人,格式及文字可參考以下作法,謝謝!
# dig @140.114.63.1 google.com ; <<>> DiG 9.3.6-P1 <<>> @140.114.63.1 google.com ; (1 server found) ;; global options: printcmd ;; connection timed out; no servers could be reached
# dig @140.114.63.1 google.com ; <<>> DiG 9.3.6-P1 <<>> @140.114.63.1 google.com ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 741 ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 116 IN A 173.194.72.101 google.com. 116 IN A 173.194.72.100 google.com. 116 IN A 173.194.72.113 google.com. 116 IN A 173.194.72.102 google.com. 116 IN A 173.194.72.138 google.com. 116 IN A 173.194.72.139 ;; AUTHORITY SECTION: google.com. 156701 IN NS ns4.google.com. google.com. 156701 IN NS ns1.google.com. google.com. 156701 IN NS ns2.google.com. google.com. 156701 IN NS ns3.google.com. ;; ADDITIONAL SECTION: ns1.google.com. 156702 IN A 216.239.32.10 ns2.google.com. 156702 IN A 216.239.34.10 ns3.google.com. 156703 IN A 216.239.36.10 ns4.google.com. 156702 IN A 216.239.38.10 ;; Query time: 35 msec ;; SERVER: 140.114.63.1#53(140.114.63.1) ;; WHEN: Wed Apr 17 14:54:15 2013 ;; MSG SIZE rcvd: 260