[Dnsmasq-discuss] DNSMasq and DNS reflection attacks

Thu Oct 24 17:28:29 BST 2013

On 24/10/13 17:03, Brian Rak wrote:
> We've recently undertaken a project to clean up our network, and lock
> down all the open DNS resolvers. As you may know, these are very
> frequently used for DDOS attacks: http://openresolverproject.org/ ,
> http://www.team-cymru.org/Services/Resolvers/ .
>
> I haven't been able to find any sort of configuration option that would
> prevent DNSMasq from being abused like this, and I've had to resort to
> iptables rules instead. Is there a configuration option that that would
> disable responding to DNS queries from certain interfaces? The other
> option that seems handy would be one to only reply to DNS queries from
> hosts that have a configured DHCP lease.
>
> Are there any features of DNSMasq that would prevent it from being
> abused to conduct attacks?
>

This is an important topic, and quite difficult to understand, so I'm 
going to take this opportunity to try and put a definitive statement on 
the record.

First the simple stuff.

Dnsmasq has --interface --except-interface and --listen-address 
configuration options that disable response to DNS queries from certain 
interfaces. The first thing that has to be done is to use these. Mostly 
it's the only thing that needs to done.

Now, the complicated stuff.

Under certain circumstances, --interface=<interface> degrades to mean 
the same as --listen-address=<address on interface>. For instance if 
eth0 has address 192.168.0.1 and dnsmasq is configured with 
--interface=eth0, then dnsmasq will reply to any query which is sent to 
192.168.0.1, no matter what interface it actually arrives at. The 
circumstance under which happens is when the --bind-interfaces flag is 
used.

Now, in the above example, this isn't a problem, since a botnet can't 
direct traffic to an RFC-1918 address. If, on the other hand, the 
address of an internal interface (ie one configured to accept DNS 
queries) is globally routable, then queries which arrive via another 
interface (ie one linked to the internet) with the destination address 
of the internal interface _will_ be replied to, and a DNS reflection 
attack is possible.

This has mainly been seen in libvirt and OpenStack installations which 
use dnsmasq, since sometimes they are provisioned with "real" addresses. 
I'd expect to see problems in the future with IPv6, since far more 
people will be using globally routable addresses with IPv6.

The reason that this happens is that --bind-interfaces uses the 
bare-minimum BSD sockets API only. Detecting which interface a packet 
arrived on, rather than the address to which it was sent, needs 
non-portable API, and is impossible on some platforms (openBSD, for 
instance) --bind-interfaces is a "works everywhere" least common 
denominator. It's also useful when you're running multiple instances of 
dnsmasq on one host, which is why most people use it.

The fix is to use either the default listening mode, or if running 
multiple instances, the new --bind-dynamic mode. --bind-dynamic is only 
available on Linux, and --bind-interfaces is the only mode available on 
openBSD, so BSD users have rather more problems here.

Summary. There's a problem is you want to accept queries in an internal 
interface with a globally routable address and use --bind-interfaces. 
The fix is to remove --bind-interfaces and, if necessary, replace it 
with --bind-dynamic. This fix is not applicable on all platforms,

The Real Soon Now 2.67 release logs a very prominent warning if the 
dangerous combination is configured.

Cheers,

Simon.