Public DNS servers are DNS servers that try to answer every request that reaches them. Unless a server's purpose really is to serve the general public, this behaviour is usually the result of an incomplete or incorrect configuration.
The easiest way to tell whether a server offers open service to the public (an open recursive DNS resolver) is to query it for domain names it does not host itself, such as google.com or yahoo.com.
If the target DNS server is configured as an open DNS server, it will produce output similar to the following.
~# dig www.google.com @91.93.119.70
; <<>> DiG 9.5.0-P2.1 <<>> www.google.com @91.93.119.70
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26294
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 44481 IN CNAME www.l.google.com.
www.l.google.com. 118 IN A 66.102.13.147
www.l.google.com. 118 IN A 66.102.13.99
www.l.google.com. 118 IN A 66.102.13.105
www.l.google.com. 118 IN A 66.102.13.103
www.l.google.com. 118 IN A 66.102.13.104
www.l.google.com. 118 IN A 66.102.13.106
;; Query time: 16 msec
;; SERVER: 91.93.119.70#53(91.93.119.70)
;; WHEN: Sat Jul 24 13:23:59 2010
;; MSG SIZE rcvd: 148
If the DNS server is not configured to serve the public, it will produce output similar to the following.
[root@seclabs ~]# dig @ns1.gezginler.net www.google.com
; <<>> DiG 9.6.1-P1 <<>> @ns1.gezginler.net www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33451
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
;; Query time: 140 msec
;; SERVER: 208.43.98.30#53(208.43.98.30)
;; WHEN: Sat Aug 7 16:18:15 2010
;; MSG SIZE rcvd: 243
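The two dig outputs above differ in the header flags: the open resolver sets the RA (recursion available) bit and returns answers, while the closed one leaves RA clear, which is what dig's "recursion requested but not available" warning reports. The following added example (not code from the original post) builds the same A query with the RD bit set and classifies a response from its RA flag and answer count; the two sample responses are constructed, not captured from the servers above, and probe() is a hypothetical helper for checking your own resolver.

```python
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A query for `name` with RD (recursion desired) set, as dig sends by default."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # 1 question, no RRs
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response: bytes) -> str:
    """Classify a resolver from the 12-byte header of its response."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:             # non-zero RCODE: SERVFAIL, REFUSED, ...
        return "error"
    if not flags & FLAG_RA:        # "recursion requested but not available"
        return "recursion-refused"
    if an > 0:                     # RA set and an answer for a foreign name
        return "open-recursive"
    return "inconclusive"          # RA set but no answer (e.g. NXDOMAIN)

def probe(server: str, name: str = "www.google.com", timeout: float = 3.0) -> str:
    """Hypothetical helper: send the query over UDP/53 to `server` and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:      # transaction id mismatch: not our answer
        return "inconclusive"
    return classify(data)

# Constructed sample responses (header only, which is all classify() needs):
# flags "qr rd ra" with 7 answers, like the first dig output above
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 7, 0, 0)
# flags "qr rd" with 13 authority records, like the second dig output above
CLOSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 13, 0)

if __name__ == "__main__":
    print("sample open resolver:  ", classify(OPEN_RESPONSE))
    print("sample closed resolver:", classify(CLOSED_RESPONSE))
```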
To find all public DNS servers in an IP range, Nmap (with the Nmap Scripting Engine) can be used.
root@seclabs:~# nmap -PN -n -sU -p 53 --script=dns-recursion.nse 91.93.119.65/28
Starting Nmap 5.00 ( ) at 2010-07-24 13:19 EDT
Interesting ports on 91.93.119.64:
PORT STATE SERVICE
53/udp open|filtered domain
Interesting ports on 91.93.119.65:
PORT STATE SERVICE
53/udp open|filtered domain
Interesting ports on 91.93.119.66:
PORT STATE SERVICE
53/udp open|filtered domain
Interesting ports on 91.93.119.67:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.68:
PORT STATE SERVICE
53/udp open|filtered domain
Interesting ports on 91.93.119.69:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.70:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.71:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.72:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.73:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.74:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.75:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.76:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.77:
PORT STATE SERVICE
53/udp open|filtered domain
Interesting ports on 91.93.119.78:
PORT STATE SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled
Interesting ports on 91.93.119.79:
PORT STATE SERVICE
53/udp open|filtered domain
Nmap done: 16 IP addresses (16 hosts up) scanned in 34.65 seconds
Why are public DNS servers a security risk?
Public DNS servers are particularly problematic with respect to DNS flood attacks. Using public DNS servers, an attacker can generate serious volumes of traffic from your DNS servers in an amplification DNS flood attack and put any system of his choosing in a difficult position.
If you use ISC BIND as your DNS server, the following definition stops it from answering recursive DNS queries.
options {
    // recursion only for queries from localhost; everyone else gets authoritative data only
    allow-recursion { 127.0.0.1; };
};