Possible Abuse due to Misconfigured DNS Servers

Priority: 2
Severity: 2

US-CERT CIIN-09-023-01 (U//FOUO) describes a DNS amplification attack
made possible by misconfigured DNS servers. Several attacks orchestrated
over the past weeks have brought this issue to light.

A DNS server that is vulnerable to this attack will respond to a root NS
query (".") by returning the list of root servers.

This vulnerable DNS server could then be used in a denial of service
attack against another entity.

US-CERT recommends:

1) disabling recursion
2) determining if "additional-from-cache no;" can be safely implemented
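
An added example (not part of the original advisory) of the check described above: given the raw bytes of a reply to the "." NS query, captured from a server you operate, it reports whether the reply carries the root server list. The two sample replies are constructed and uncompressed, and the function names are chosen here for illustration.

```python
import struct

# The probe named in the advisory: an NS query for "." (17 bytes on the wire).
ROOT_NS_QUERY = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x00" + struct.pack("!2H", 2, 1)

def read_name(msg, off):
    """Return (dotted name, offset after it), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                              # root label ends the name
            return (".".join(labels) or "."), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def classify(resp):
    """Count NS records owned by "." in the answer and authority sections."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", resp[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        off = read_name(resp, off)[1] + 4
    root_ns = 0
    for _ in range(an + ns):
        owner, off = read_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if owner == "." and rtype == 2:
            root_ns += 1
    return {"rcode": flags & 0xF, "root_ns": root_ns, "leaks_root_list": root_ns > 0,
            "amplification": round(len(resp) / len(ROOT_NS_QUERY), 1)}

def sample_reply(rcode, letters):
    """Constructed reply: one '. NS <x>.root-servers.net' authority record per letter."""
    msg = struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, len(letters), 0)
    msg += b"\x00" + struct.pack("!2H", 2, 1)
    for c in letters:
        rdata = b"\x01" + c.encode() + b"\x0croot-servers\x03net\x00"
        msg += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return msg

REFERRAL = sample_reply(0, "abcdefghijklm")  # constructed: server hands out the root list
REFUSED = sample_reply(5, "")                # constructed: server answers REFUSED (rcode 5)
```

On the constructed data, `classify(REFERRAL)` reports 13 root NS records while `classify(REFUSED)` reports none; real replies use name compression, so their size ratio will differ from the constructed one.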

It has been determined that our external DNS servers xauth1.ias.edu,
ns1-auth.sprintlink.net and ns3-auth.sprintlink.net can be used to
assist in this type of attack (ns2-auth is not responding at this time).

http://isc.sans.org/diary.html?storyid=5713
http://technet.microsoft.com/en-us/library/cc772661.aspx

More tips on setting up secure DNS can be found here:

http://www.cymru.com/Documents/secure-bind-template.html
http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf

For more specifics about CIIN-09-023-01, please contact Brian Epstein.