DNS – Domain Name System, which lets us create custom domain names. It helps us easily remember the addresses of the websites we visit. It can be compared to the phone book in your mobile/smart phone: you store a name for each number instead of memorising the number. Think of it as a translator that bridges the divide between humans and computers.

The domain has to be a Fully Qualified Domain Name (FQDN), which is the correctly formed name for a domain. That means the domain has both a hostname and a domain name. Let’s say we’re trying to reach Heficed’s mail servers, which are hypothetically located at mail.heficed.com:

Hostname – mail.

Domain name - Heficed.com

Query - mail.heficed.com

DNS Records Explained - Domain Name System Management:

Type – Explanation

A Record – Maps a hostname in your domain to a specific IP address

CNAME Alias – A hostname that points to another hostname

MX Record – A hostname that defines the mail-receiving server(s) for the domain

NS Record – A hostname that points to a specific name server

Private Name Server – Lets you create custom name server names under your own domain

TXT/SPF Record – Sender Policy Framework, which helps reduce spam and domain spoofing

Open DNS Resolver

A DNS (Domain Name System) Open-resolver is a DNS server that accepts recursive queries from all IP addresses and is exposed to the Internet. A DNS Open-resolver listens on port 53/TCP and port 53/UDP.

A DNS Open-resolver can be abused for DNS Amplification attacks against third parties. A DNS amplification attack is a form of Denial of Service Attack (DoS) in which an attacker uses a DNS Open-resolver to send large amounts of unwanted traffic to a victim bottlenecking their capacity to respond.

Reverse DNS lookups are also often used in email dispatch and transmission: many mail servers use the technique to verify that received messages do not come from a spam server. The PTR records of the sending servers are requested for this purpose. If the domain found there does not match the sender address, or there is no reverse DNS entry at all, the message will be marked as spam.


DNS Open-resolvers are also vulnerable to Cache Poisoning and can be exploited in other types of DNS attacks, such as DNS tunneling, DNS hijack attack, NXDOMAIN attack, Random subdomain attack and Phantom domain attack.
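The quickest way to find out whether your own server behaves as an open resolver is to send it a recursive query from outside your network and look at the flags in the reply: a server that recursed for you sets the RA (recursion available) bit and returns an answer, while a locked-down server answers REFUSED. The following Python script is an added example written for this article, not code from Heficed or from any DNS server project. It builds the query in DNS wire format, decodes the 12-byte response header and classifies the reply; the two sample replies at the bottom are constructed in the script (the 192.0.2.1 address is a documentation address) so it runs offline, and probe_resolver() is the only function that touches the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # 1 = message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_NOERROR = 0
RCODE_REFUSED = 5  # what a resolver that denies recursion returns to outside clients


def encode_name(name):
    """Encode a hostname in DNS wire format: length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Build a recursive (RD=1) query for `name`; qtype 1 = A record, class 1 = IN."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    return header + question


def parse_header(data):
    """Decode the 12-byte header of a DNS message into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


def classify_response(expected_id, data):
    """Decide what a reply to our recursive query says about the server."""
    if len(data) < 12:
        return "malformed"
    h = parse_header(data)
    if h["id"] != expected_id:
        return "id-mismatch"          # not a reply to our query; ignore it
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "recursion-refused"    # server will not recurse for this client
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-resolver"        # it resolved a name it is not authoritative for
    return "inconclusive"


def probe_resolver(server, name="example.com", timeout=2.0, txid=0x1234):
    """Send one recursive query over UDP/53 to your own server and classify the reply.
    Run it from OUTSIDE the subnets the server is meant to serve."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"         # filtered or not listening: also not open
    return classify_response(txid, data)


# Constructed sample replies (not captured from a real server) for offline use.
def _sample_reply(txid, flags, with_answer):
    question = encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b""
    if with_answer:
        # name pointer to offset 12, type A, class IN, TTL 300, 4 bytes of rdata (192.0.2.1)
        answer = struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack(">HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    return header + question + answer


OPEN_RESOLVER_REPLY = _sample_reply(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, True)
REFUSED_REPLY = _sample_reply(0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, False)

if __name__ == "__main__":
    print("open resolver sample:", classify_response(0x1234, OPEN_RESOLVER_REPLY))
    print("hardened server sample:", classify_response(0x1234, REFUSED_REPLY))
```

The transaction-ID check matters even in a simple probe: a reply whose ID does not match the query is discarded instead of being interpreted, which is the same rule a resolver applies to resist cache poisoning.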

Most open resolvers per AS number (as of 2020):

How to Fix Open DNS Resolvers:

The simplest way to protect your system from being abused like this is to limit the addresses your server will perform recursive lookups for to your local subnets. (The specifics of which depend on which DNS server you're using, of course).

Block external DNS requests with a firewall, such as the built-in Windows firewall:

1. Navigate to Firewall > Rules, LAN tab.

2. Create the block rule as the first rule in the list: click Add to create a new rule at the top of the list.

3. Create the pass rule that allows DNS to the firewall itself, placed above the block rule: click Add again to create a new rule at the top of the list.

4. Click Apply Changes to reload the ruleset.

Disable Recursion

Disabling recursion:

Windows

1. Open DNS Manager.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Advanced tab.

4. In Server options, select the Disable recursion check box, and then click OK.

Linux/Ubuntu/Debian

On Debian/Ubuntu-based Linux systems, the port mapper service (rpcbind) can be removed with the following command in a terminal:

# apt-get remove rpcbind

BIND 9.X DNS Servers

Add the following lines to the options section of /etc/bind/named.conf.options:

    allow-transfer { none; };
    allow-recursion { none; };
    recursion no;
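Before and after editing named.conf.options it helps to check what the options block actually says, because a forgotten allow-recursion { any; } or a missing recursion no; is exactly what turns a server into an open resolver. The following Python script is an added example written for this article, not Heficed's code or part of BIND. It strips the three comment styles named.conf accepts, extracts the options block with proper brace matching, and classifies the result; the three configuration fragments are constructed for the example. Besides the authoritative-only setting shown above, it also covers the other case this article recommends, a resolver limited to your local subnets, using BIND's built-in localnets and localhost ACLs.

```python
import re

# Three constructed named.conf.options fragments (not from any real server).
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;                 // recurses for anyone...
    allow-recursion { any; };      // ...from any address: an open resolver
    allow-transfer { any; };       /* zone transfers to the world */
};
"""

AUTHORITATIVE_ONLY_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion no;
    allow-recursion { none; };
    allow-transfer { none; };
};
"""

INTERNAL_RESOLVER_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    # localnets/localhost are BIND's built-in ACLs for the server's own subnets
    allow-recursion { localnets; localhost; };
    allow-transfer { none; };
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of `name { ... }`, matching nested braces."""
    m = re.search(r"(?<![\w-])%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None  # unbalanced braces


def simple_directive(block, key):
    """Value of `key value;` (e.g. recursion yes;), or None if absent."""
    m = re.search(r"(?<![\w-])%s\s+([^;{}]+);" % re.escape(key), block)
    return m.group(1).strip() if m else None


def acl_directive(block, key):
    """Elements of `key { a; b; };` (e.g. allow-recursion), or None if absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}\s*;" % re.escape(key), block)
    if not m:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]


def audit_bind_options(config_text):
    """Classify the options block (open-resolver / needs-review / restricted /
    authoritative-only) and list the findings a reviewer would raise."""
    block = extract_block(strip_comments(config_text), "options")
    if block is None:
        return {"verdict": "no-options-block", "findings": ["no options { } block found"]}
    recursion = simple_directive(block, "recursion")      # BIND's default is yes
    allow_rec = acl_directive(block, "allow-recursion")
    allow_xfr = acl_directive(block, "allow-transfer")
    findings = []

    if (recursion or "yes").lower() == "no":
        verdict = "authoritative-only"
    elif allow_rec is None:
        verdict = "needs-review"
        findings.append("recursion enabled but allow-recursion not set explicitly; "
                        "the effective policy depends on the BIND version's default")
    elif "any" in allow_rec:
        verdict = "open-resolver"
        findings.append("allow-recursion { any; } lets every Internet host recurse "
                        "through this server (amplification and cache-poisoning exposure)")
    else:
        verdict = "restricted"

    if allow_xfr is None:
        findings.append("allow-transfer not set explicitly; restrict it to your "
                        "secondaries or { none; }")
    elif "any" in allow_xfr:
        findings.append("allow-transfer { any; } exposes full zone contents")

    return {"verdict": verdict, "recursion": recursion,
            "allow_recursion": allow_rec, "allow_transfer": allow_xfr,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_OPTIONS),
                       ("authoritative-only", AUTHORITATIVE_ONLY_OPTIONS),
                       ("internal resolver", INTERNAL_RESOLVER_OPTIONS)]:
        print(label, "->", audit_bind_options(cfg))
```

Run it against a copy of your own named.conf.options (open the file and pass its text to audit_bind_options) after every change; the "needs-review" verdict is deliberate, since relying on an implicit default is what tends to survive a version upgrade unnoticed.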

CentOS

1. Log in to your server with your root credentials.

2. Locate named.conf.

3. Change recursion yes; to recursion no;

Amplification attack/SMURF attack

A SMURF attack involves an attacker sending ICMP requests (i.e., ping requests) to the network's broadcast address (i.e., X.X.X.255) of a router configured to relay ICMP to all devices behind the router. The attacker spoofs the source of the ICMP request to be the IP address of the intended victim. Since ICMP does not include a handshake, the destination has no way of verifying whether the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. All those devices then respond to the ping. The attacker is able to amplify the attack by a multiple of however many devices are behind the router (i.e., if you have 5 devices behind the router, then the attacker is able to amplify the attack 5x; see the diagram below).

Portmapper:

Port map is a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls.

RPC Port mapper, also referred to as rpcbind and port map, is an Open Network Computing Remote Procedure Call (ONC RPC) service designed to map RPC service numbers to network port numbers. When RPC clients want to make a call to the Internet, Port mapper tells them which TCP or UDP port to use. (Port 111/UDP)

Normally port map forks and dissociates itself from the terminal like any other daemon. Port map then logs errors using syslog(3).

RPC – Remote procedure call

DARPA - Defense Advanced Research Projects Agency (USA)


Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high-profile of which battered Spamhaus and buffeted internet exchanges back in March 2013. Over recent weeks, another service – Port map – has become a vector of DDoS attacks, US-based carrier Level 3 warned.

Disabling or blocking internet-facing RPCbind/Port map services is a trivial task on any single system, but it is unlikely to occur anytime soon on the potentially millions of vulnerable systems accessible on the internet today.

If port map crashes, all RPC servers must be restarted.

Summary:

In theory you can leave ports 53 and 111 open, but keep in mind that you are leaving a hole in your security; we strongly recommend disabling ports 53 and 111 for your own benefit.

Biggest DDoS Attacks:

1. Amazon Web Services (AWS), 2.3 Tbps, 2020

https://www.theverge.com/2020/6/18/21295337/amazon-aws-biggest-ddos-attack-ever-2-3-tbps-shield-github-netscout-arbor

2. Imperva, 580 million packets per second, 2019

https://www.imperva.com/blog/this-ddos-attack-unleashed-the-most-packets-per-second-ever-heres-why-thats-important/

3. NETSCOUT, 1.7 Tbps, 2018

https://www.netscout.com/blog/security-17tbps-ddos-attack-makes-history

4. The Dyn DDoS, 1.2 Tbps, 2016

https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet

5. GitHub, 1.3 Tbps, 2015

https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/
