OARtech DNS Recursion
April 9th, 2008
Purpose
What is Recursion
Why and what are we changing
What else

What is Recursion
A DNS server is recursive if it can process requests for domains it does not maintain.
A DNS server is an open recursive server if it allows anyone to query it and gives responses.
NS1.oar.net and ns2.oar.net are open recursive servers
Cache poisoning – incorrect information is somehow injected into the cache of the DNS server, which then serves that information whenever it is queried for those records
Mr Malicious creates a zone (usually of large size)
He then sends queries to open recursive servers that are crafted to look like they come from the attack target
The open server caches the zone information, which lowers the cost on the attack side and allows repeated crafted queries that can DoS the target
Ensure nameservers only answer queries from other nameservers
Turn off or restrict recursion
Restricting zone transfers
Creating caching-only servers for OSCnet community use (with anycast addressing)
Turning off Recursion on ns1 and ns2 to outside OSCnet
Turning off Recursion on ns1 and ns2 to everyone
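As an added example (not taken from the OARtech slides, which do not name the server software; BIND 9 named.conf syntax is assumed, and the OSCnet address ranges and file paths are placeholders), the options for the states listed above: the open recursive server as ns1/ns2 are today, recursion restricted to OSCnet, the authoritative-only end state, and the separate caching-only server for the community.

```conf
// 1. Weak: open recursive server (today's ns1/ns2 behaviour).
//    recursion defaults to yes and no ACL limits who may use it, so anyone
//    on the Internet can recurse through this server and load its cache.
options {
    directory "/var/named";            // placeholder path
    recursion yes;
    // no allow-recursion, allow-query-cache or allow-transfer restrictions
};

// Placeholder ACL standing in for the OSCnet community address space.
acl "oscnet" { 192.0.2.0/24; 198.51.100.0/24; };

// 2. Intermediate step: recursion for OSCnet only.
//    Outsiders still get authoritative answers for oar.net zones but are
//    refused when they ask for anything else; zone transfers are closed.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { oscnet; };     // only community clients may recurse
    allow-query-cache { oscnet; };     // outsiders cannot read cached data either
    allow-transfer    { none; };       // global default; opened per zone below
};

// 3. End state for ns1/ns2: authoritative only, recursion off for everyone.
options {
    directory "/var/named";
    recursion no;                      // answer only for zones hosted here
    allow-query    { any; };           // authoritative data stays world-visible
    allow-transfer { none; };          // transfers only to listed secondaries
};

zone "oar.net" {
    type master;
    file "master/oar.net";             // placeholder path
    allow-transfer { 192.0.2.53; };    // placeholder secondary address
};

// 4. Separate caching-only server for the community (no zones of its own).
options {
    directory "/var/named";
    recursion yes;
    allow-query       { oscnet; };     // nobody outside OSCnet can even query it
    allow-recursion   { oscnet; };
    allow-query-cache { oscnet; };
};
```

Each numbered `options` block is a complete alternative; a real named.conf carries exactly one of them. Keeping `allow-query { any; }` on the authoritative servers is what preserves resolution of OSCnet's own domains for the rest of the Internet after recursion is switched off.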
May need to change troubleshooting paradigms
No effect within community
OSCnet nameservers will only answer for their own authoritative domains
Outside OSCnet space, the nameservers will be of little use for resolving
If you use OSCnet servers for your home cable connection, they will stop working
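To confirm which state a server is actually in from a given vantage point, send it a query for a name it is not authoritative for and look at the header of the reply. The following added example (not part of the slides) builds such a query and classifies a reply from its header flags. The three replies are constructed inline rather than captured from ns1/ns2; treating a NOERROR, empty, RA-clear reply as "recursion-off" and a REFUSED reply as an ACL refusal reflects common BIND behaviour and should be checked against the server in question.

```python
"""Classify how a nameserver answered a recursive query for a zone it does not own."""
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(qname):
    """Dotted name to wire format: "example.com." -> b"\\x07example\\x03com\\x00"."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname, qid):
    """Standard A/IN query with RD set: asks the server to recurse if it is willing."""
    header = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(packet):
    """Unpack the 12-byte header (RFC 1035 4.1.1); raises ValueError if truncated."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than 12-byte header")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!6H", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(response, expected_id):
    """Return invalid, open-recursive, refused, recursion-off or other.

    Assumes the query named a zone the server is not authoritative for, so a
    non-authoritative answer with RA set means the server recursed for us.
    """
    h = parse_header(response)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0 and not h["aa"]:
        return "open-recursive"          # server fetched the answer on our behalf
    if h["rcode"] == RCODE_REFUSED:
        return "refused"                 # typical for a client outside allow-recursion
    if not h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] == 0:
        return "recursion-off"           # empty referral-style reply, RA clear
    return "other"


# --- constructed sample replies (assumed shapes, not captured traffic) ------------
QID = 0x1234
QUESTION = encode_name("example.com.") + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _response(flags, ancount=0, rrs=b""):
    """Header with the given flags, the echoed question, then any answer RRs."""
    return struct.pack("!6H", QID, flags, 1, ancount, 0, 0) + QUESTION + rrs


# A record: compression pointer to the question name (0xC00C), TTL 300, 192.0.2.1
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])

SAMPLE_OPEN = _response(FLAG_QR | FLAG_RD | FLAG_RA, ancount=1, rrs=A_RR)   # recursed, answered
SAMPLE_REFUSED = _response(FLAG_QR | FLAG_RD | RCODE_REFUSED)               # REFUSED, RA clear
SAMPLE_NO_RECURSION = _response(FLAG_QR | FLAG_RD)                          # NOERROR, empty, RA clear

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("off", SAMPLE_NO_RECURSION)]:
        print(label, "->", classify(pkt, QID))
```

The same flags are what `dig @server example.com` prints on its `flags:` and `status:` lines, so the classification can be repeated by hand from inside and outside OSCnet after the change; a server that still returns "open-recursive" to an outside client has not been restricted.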
Resolvers should be configured to use the new nameservers (likely ns3.oar.net)
All clients that use ns1.oar.net should be reconfigured
Any NAT/DHCP devices that hand out nameservers should be reconfigured
Caching servers will be configured from the beginning only for the OSCnet community
Planned in connection with deployment, so no effect