[Pdns-users] Workaround for PowerDNS Security Advisory 2014-02

sthaug at nethelp.no sthaug at nethelp.no
Wed Dec 10 10:18:28 UTC 2014


> From PowerDNS users we have heard of problems caused by various domain names
> related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
> http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
> 
> If you are not yet in a position to upgrade to 3.6.2, or even if you have
> upgraded and traffic for these domains is causing CPU spikes anyhow, we
> recommend the following configuration line as a workaround:
> 
> auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone
> 
> And this file 'nullzone':
> @		3600	IN	SOA	ns hostmaster 2013041204 9000 450 604800 450
> @		3600	IN	NS	ns1
> ns1		3600	IN	A	127.0.0.1
> 
> You might need to add a path to nullzone for this to work reliably.

auth-zones is good. Even better would be 'auth-zones-from-file' with
one domain name per line.

It would also be good to have some more discussion of the best way to
battle the latest round of <random>.domain lookups from compromised
clients.  We're currently seeing a significant number of A lookups for

Gpd9LVuC.arkhamnetwork.org.
KGm3G79l.arkhamnetwork.org.
L4pEXeQO.arkhamnetwork.org.
xwpJ2qas.arkhamnetwork.org.
4P9ySJ1W.arkhamnetwork.org.
...

i.e. <random>.arkhamnetwork.org - and we assume the goal is a DDoS of
the name servers for arkhamnetwork.org. In other cases the goal is to
trigger a large reply, and flood the (spoofed) original source of the
queries via reflection.

So what is best here?

- Return NXDOMAIN for these queries?
- Return for instance 127.0.0.1 for these queries?

A quick dig check shows that the NXDOMAIN reply is actually larger
than the 127.0.0.1 reply. If these replies are eventually returned to
a (spoofed) victim it might matter (this is typically the case for
open DNS proxies). If we answer these from auth-zones configured into
the recursor, the traffic to the real authoritative name servers for
the domain is obviously irrelevant.

Steinar Haug, AS 2116
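
As an added illustration of the reply-size comparison in Steinar's message (a constructed example, not part of the original post or of PowerDNS): it builds, in DNS wire format with RFC 1035 name compression, a minimal NXDOMAIN reply (zone SOA in the authority section, reusing the SOA values from the nullzone file quoted above) and a minimal A 127.0.0.1 reply for one of the quoted random names, and returns their lengths in bytes. The zone apex used for the SOA owner, the TTLs and the assumption that the recursor emits a minimal negative response are assumptions.

```python
import struct

# Constructed example: one of the <random>.arkhamnetwork.org names quoted in the post.
QNAME = "Gpd9LVuC.arkhamnetwork.org."
ZONE = "arkhamnetwork.org."   # assumed zone apex for the SOA owner name

def encode_name(name, out, table):
    """Append name to out, using RFC 1035 compression pointers for suffixes already in table."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:                      # suffix seen before: emit a 2-byte pointer
            out.extend(struct.pack("!H", 0xC000 | table[suffix]))
            return
        table[suffix] = len(out)
        out.extend(bytes([len(label)]) + label.encode())
    out.extend(b"\x00")                          # root label terminates an uncompressed name

def build_reply(qname, rcode, answer, authority):
    """Build a response with one A question and the given (owner, type, ttl, rdata_fn) RRs."""
    out, table = bytearray(), {}
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, plus the RCODE
    out.extend(struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0))
    encode_name(qname, out, table)
    out.extend(struct.pack("!HH", 1, 1))         # QTYPE A, QCLASS IN
    for owner, rtype, ttl, rdata_fn in answer + authority:
        encode_name(owner, out, table)
        out.extend(struct.pack("!HHI", rtype, 1, ttl))
        rdlen_pos = len(out)
        out.extend(b"\x00\x00")                  # RDLENGTH placeholder, patched below
        rdata_fn(out, table)
        struct.pack_into("!H", out, rdlen_pos, len(out) - rdlen_pos - 2)
    return bytes(out)

def a_rdata(ip):
    return lambda out, table: out.extend(bytes(int(o) for o in ip.split(".")))

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    def fn(out, table):
        encode_name(mname, out, table)
        encode_name(rname, out, table)
        out.extend(struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    return fn

# SOA values taken from the nullzone file quoted in the post
SOA = soa_rdata("ns." + ZONE, "hostmaster." + ZONE, 2013041204, 9000, 450, 604800, 450)

def nxdomain_reply(qname):
    # Minimal negative answer (RFC 2308): empty answer section, zone SOA in authority
    return build_reply(qname, 3, [], [(ZONE, 6, 450, SOA)])

def localhost_reply(qname):
    return build_reply(qname, 0, [(qname, 1, 3600, a_rdata("127.0.0.1"))], [])

def compare_sizes(qname):
    """Return (NXDOMAIN reply length, A 127.0.0.1 reply length) in bytes."""
    return len(nxdomain_reply(qname)), len(localhost_reply(qname))

if __name__ == "__main__":
    nx, a = compare_sizes(QNAME)
    print(f"NXDOMAIN reply: {nx} bytes, A 127.0.0.1 reply: {a} bytes")
```

Even this minimal NXDOMAIN (no NSEC/NSEC3, compressed names) is larger than the A reply, which is the point that matters when replies are reflected at a spoofed source.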