Windows DNS servers & root hint amplification

1. A Windows DNS server will provide the full list of DNS root hints when queried for a domain that does not exist.
2. These full list of DNS root hints can be used as an amplification factor in carrying out DDoS attacks against other sites as we have seen with these particular hosts.
3.  
4. For example, a properly configured DNS server will return the following when queried for a non-existent domain:
5.  
6. ++++++++++++++++++++++++++++++++++++++++
7. # dig @xx.xx.xx.xx sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com
8.  
9. ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @xx.xx.xx.xx sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com
10. ; (1 server found)
11. ;; global options: +cmd
12. ;; Got answer:
13. ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61907
14. ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
15. ;; WARNING: recursion requested but not available
16.  
17. ;; QUESTION SECTION:
18. ;sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com. IN A
19.  
20. ;; Query time: 17 msec
21. ;; SERVER: xx.xx.xx.xx#53(xx.xx.xx.xx)
22. ;; WHEN: Wed Aug 10 12:53:24 2016
23. ;; MSG SIZE rcvd: 69
24. +++++++++++++++++++++++++++++++++++++++++++++++++++++
25.  
26. Note the message size of the returned data was 69 bytes
27.  
28. Here is the output of a Windows DNS server that returns the DNS root hints:
29.  
30. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
31. dig @yy.yy.yy.yy sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com
32.  
33. ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @yy.yy.yy.yy sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com
34. ; (1 server found)
35. ;; global options: +cmd
36. ;; Got answer:
37. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9652
38. ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
39. ;; WARNING: recursion requested but not available
40.  
41. ;; QUESTION SECTION:
42. ;sshdfkjshdfkjhsdfjksdfkweuqweudskjsdkjweoifqoir.com. IN A
43.  
44. ;; AUTHORITY SECTION:
45. . 3600 IN NS g.root-servers.net.
46. . 3600 IN NS h.root-servers.net.
47. . 3600 IN NS i.root-servers.net.
48. . 3600 IN NS j.root-servers.net.
49. . 3600 IN NS k.root-servers.net.
50. . 3600 IN NS l.root-servers.net.
51. . 3600 IN NS m.root-servers.net.
52. . 3600 IN NS a.root-servers.net.
53. . 3600 IN NS b.root-servers.net.
54. . 3600 IN NS c.root-servers.net.
55. . 3600 IN NS d.root-servers.net.
56. . 3600 IN NS e.root-servers.net.
57. . 3600 IN NS f.root-servers.net.
58.  
59. ;; ADDITIONAL SECTION:
60. g.root-servers.net. 3600 IN A 192.112.36.4
61.  
62. ;; Query time: 23 msec
63. ;; SERVER: yy.yy.yy.yy#53(yy.yy.yy.yy)
64. ;; WHEN: Wed Aug 10 13:01:22 2016
65. ;; MSG SIZE rcvd: 500
66.  
67. ++++++++++++++++++++++++++++++++++++++++++++++++++++++
68.  
69. Note the message size of the returned data was 500 bytes
70.  
71.  
72. For a properly configured Windows DNS server that does NOT provide open recursion, there is no reason to send back DNS root hints for a non-existent domain.
73. In order to configure a Windows DNS server to stop providing these root hints, please perform the following:
74.  
75. Rename the 'root hints cache file' to prevent reference to the root zones being used for DNS amplification attacks:
76. * Open the folder %systemroot%\system32\dns and rename cache.dns to cache.dns.orig
77. * Once these modifications are complete, you must restart the DNS service.
78.  
79. Reference: https://kb.iweb.com/entries/22545136-Guide-to-DNS-Open-Recursion-Amplification-Issues