Solved

How to disable DNS Recursion on a Cisco router using Cisco's IOS commands?

Posted on 2015-01-15
Last Modified: 2015-01-22
Hello Experts,

We just received an E-mail from our ISP (Integra) asking us to disable DNS recursion on our Cisco 2901 router. When we test it at openresolver.com, it shows that it is open and that it is vulnerable to DNS Amplification attacks.

How can we disable DNS Recursion on our Cisco router using Cisco's IOS commands? Please provide the commands to add to our configuration file. The current configuration file has been attached here for your examination. Please take a look at the attached .txt file.RunningConfig.txt
Question by:CompuHero
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 40552780
Are you sure your router is acting as a DNS server?  What version of IOS are you running?

I see you have "ip dns server", but normally you also need:

ip domain-lookup
ip name-server x.x.x.x
ip name-server y.y.y.y

Where x.x.x.x and y.y.y.y are IP addresses of name servers that the router will forward requests to if the router does not know the hostname/address or is not authoritative for the domain being looked up.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40553999
giltjr,

We don't have any device in the office acting as a DNS server. This is a very simple setup. If I replace the router with a cheap router, the DNS recursion problem goes away. When I place the Cisco router back in the network, the problem comes back. My own research indicates that this annoyance might be mitigated by the use of an ACL, but I need help creating the correct commands. What do you think?

We are running IOS version 15 as shown in the attachment.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40554043
The router is NOT setup to do DNS serving.  The router may be passing  DNS traffic through it, but it is not doing DNS serving.

I am assuming all of your PC are getting address via DHCP in the 192.168.10.0/24 range and the DHCP config says you are using  204.130.255.3 and 209.63.0.6  as your DNS servers.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40554069
giltjr,

I understand, and I am puzzled with this problem. But without a shadow of a doubt the problem is with the router.  If I replace the Cisco router with a D-Link router, the DNS recursion problem goes away. When I place the Cisco router back in the network, the problem comes back.

You are correct; our computers are getting their IP addresses via DHCP in the 192.168.10.0/24 range. And the devices are getting the ISP DNS. They are using 204.130.255.3 and 209.63.0.6  as the DNS servers.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40554144
When you put the D-Link router in place, do you still use 204.130.255.3 and 209.63.0.6 as DNS servers?

Typically with D-Link routers they default the DHCP setting to use themselves as the DNS server and then forward requests to your upstream ISP.

However, I'm confused.  DNS recursion is when a DNS server does a lookup on behalf of "client's" request.  Since you have no DNS servers, all your clients are doing the look-ups directly.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40554174
giltjr,

Yes, when I connect the D-Link router, I manually configure the same DNS servers 204.130.255.3 and 209.63.0.6.

The ISP mentioned that we should prevent spoofing by disabling DNS recursion on our router. The router is the only device using that public IP address (the real IP address has been changed for security reasons). I found some information here about using access control lists to protect against spoofing. You will find it close to the middle of the page. I don't know much about this type of problem, but I know that the issue is with the router.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40554224
The only way your router may be doing recursion is if you have something configured with a static IP address and is configured to use 192.168.10.1 as its DNS server.

Try issuing the command:

no ip dns server

The only thing that would affect is anything that is configured to use 192.168.10.1 as its DNS server.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40554315
giltjr,

I have already tried the following command:
no ip dns server


It didn't help at the time.

But here are more details. The only devices that connect to this router are the following:

One switch (it might be pointing to 192.168.10.1 as its DNS server).
One PBXtra (Fonality) VoIP server definitely pointing to 192.168.10.1 as DNS server and default gateway.
25 local VoIP phones pointing to VoIP server 192.168.10.4 as DNS server.
2 remote VoIP phones pointing to the public static IP address to connect to the VoIP server.
Are you saying that nothing should be using 192.168.10.1 as its DNS server? Please confirm and I will test it.

Thank you.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40554757
That is correct, nothing should be pointing to 192.168.10.1 as a DNS server.  Normally all internal hosts would be pointing to an internal DNS server.   This should be resolving all host names on your internal domain and then forwarding requests for all non-internal domains to your ISP's DNS servers.


I'm actually really confused because there is no definition in 192.168.10.1 that would allow it to look up names.

From a computer within your network can you enter these commands (before you make any further changes) and let me know what happens:

nslookup
lserver 192.168.10.1
www.google.com
lserver 192.168.10.4
www.apple.com
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40554796
giltjr,

First of all, thank you for your continued help on this issue. If it wasn't for you, there would be no other comments on this post. I haven't done any changes yet. Here are the results for the commands you suggested.

nslookup
Default Server:  dnscache-or.integraonline.com
Address:  204.130.255.3

> lserver 192.168.10.1
Default Server:  [192.168.10.1]
Address:  192.168.10.1

> www.google.com
Server:  [192.168.10.1]
Address:  192.168.10.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [192.168.10.1] timed-out
> lserver 192.168.10.4
Default Server:  [192.168.10.4]
Address:  192.168.10.4

> www.apple.com
Server:  [192.168.10.4]
Address:  192.168.10.4

Non-authoritative answer:
Name:    e3191.dscc.akamaiedge.net
Address:  23.208.239.161
Aliases:  www.apple.com, www.isg-apple.com.akadns.net
          www.apple.com.edgekey.net


0
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 40555087
O.K., as you can see, when you asked 192.168.10.1 to do a name look-up for you, it did not work, which implies that it can't/won't do DNS lookup functions.

When you used 192.168.10.4 it worked, so it is a DNS server.  My guess is that server is doing recursion.  Looking at your config, 192.168.10.4 is NAT'ed to 70.89.11.234, which is the same IP address that your outside interface has, which means anything it does will look like it is your router.

I'm not sure how you had the D-Link configured, but my guess is that it was not configured to fully replicate the Cisco, that you just did enough to do some testing.

Now, I'm still not sure why they don't want you to do recursion.  Unless I am missing something, if you ask 192.168.10.4 to look up a name and it doesn't know it, without recursion it will just fail.  With recursion, it will ask another DNS server.

Anyway, I think you need to look at the DNS server config on 192.168.10.4.  See if it is configured with forwarders or root hints.  What OS is this box running?
0
 
LVL 1

Author Comment

by:CompuHero
ID: 40564490
giltjr,

The problem was solved thanks to your help. I solved this problem 4 days ago. I just removed this line from the router's configuration file:
ip nat inside source static 192.168.10.4 70.89.11.234 route-map RTP extendable

Thanks a lot!
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40564982
O.K., what that did was set up a static NAT for your "10.4" server to 70.89.11.234.  So when you made a DNS request to "10.4" for a host in a domain "10.4" did not know about, it would do a recursive look-up to whatever DNS servers "10.4" was configured to use.

If you have things that used to work start failing, you could change "10.4" to use Google's DNS servers (8.8.8.8 and 8.8.4.4) or some other open/free DNS servers and then add the NAT back.
0
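The thread ends with two options: drop the static NAT, or point 192.168.10.4 at public resolvers and add the NAT back. A third option, added here as an example and not part of the original thread or anyone's posted config, is to keep the NAT for the VoIP server and stop unsolicited DNS queries from the Internet at the outside interface with an inbound ACL. The interface name GigabitEthernet0/0 and the ACL name OUTSIDE-IN are assumptions (substitute the router's actual WAN interface); 70.89.11.234 is the public address from the running config quoted above. On IOS, an inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so the ACL matches on the public address rather than on 192.168.10.4.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
ip access-list extended OUTSIDE-IN
 remark Drop DNS queries arriving from the Internet for the NATed VoIP/DNS server
 deny   udp any host 70.89.11.234 eq domain
 deny   tcp any host 70.89.11.234 eq domain
 remark Everything else (SIP/RTP from the remote phones, return traffic) still passes
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

The two deny lines match only packets whose destination port is 53, so replies to lookups that 192.168.10.4 itself sends upstream (source port 53, destination an ephemeral port) are unaffected. After applying it, repeat the openresolver.com test; `show ip access-lists OUTSIDE-IN` should show the match counters on the deny lines climbing while the probe fails. The trailing `permit ip any any` keeps the example narrow; a production outside ACL would normally permit only the VoIP ports the remote phones need and deny the rest.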
