Windows Server DNS Amplification attacks


I have a server that was reported as being vulnerable to DNS amplification attacks. The problem is, after blocking all incoming traffic to 53 via Windows Firewall, my server is apparently still happily responding to anonymous nslookups.

How could this be the case? What else should I be looking for? I run as a web server with multiple websites and applications running, but not a DNS server. But isn't blocking Port 53 all that would be necessary?


Bill Henderson (Web Marketing) asked:

Can you run the DNS test here and post back the results.
Bill Henderson (Web Marketing), Author, commented:
Hi - I'm not sure what to post back here. This appears to be a results summary:

External Ping: replied (It might be better for the server to be less visible.)
External Query: ignored (This means the nameserver is more spoof resistant.)
DNSSEC Security: absent (This nameserver might need to be updated.)
Alphabetic Case: all lower (An improvement could be created by mixing case.)
Extra Anti-Spoofing: unknown (Unable to obtain server fingerprint.)

What else are you looking for in the results?

What did you block with the firewall? TCP traffic? DNS uses UDP packets for request/response messages.

Also, if you are blocking the DNS traffic, your clients won't be able to benefit from this service from your server.

In the DNS settings you can specify the scope of DNS: for which domains to respond, and for which addresses it should make forwarding requests.

Bill Henderson (Web Marketing), Author, commented:

I blocked TCP and UDP port 53.

This is not a DNS server.

Frankly, if it causes a problem to have this port blocked, then I can deal with that, but right now, there is no evidence that my port blocking has accomplished anything.

Hence my posted original question. How on earth is my server still relaying DNS information?


Without a DNS server running, I don't see how it could relay information.

What is the tool you're running and what does it say?
Bill Henderson (Web Marketing), Author, commented:
nslookup XX.XX.XX.XXX

returns non-authoritative IP address of the domain name.

My hosting provider thinks it could be Parallels which I don't use, but appears to be present from the imaging of this server.

I don't know how to determine what part of my system is returning these queries. I'm terrible with logs, but I don't see anything obvious when I look in Services.
From Administrative Tools open the DNS. There is no DNS server defined there? I cannot believe that ...

I'll bet that it is a server with the computer name and has the recursion enabled
Just to clarify, are you talking about external traffic or client traffic? (those who rely on the server)
If the question is for me, I am not talking about any traffic. I am talking about the fact that on your server there is a DNS service running!
Bill Henderson (Web Marketing), Author, commented:
I've attached an image that I hope is showing two different things. The first is, if I go to Administrative Tools > ...

DNS? You will see there is no such option. If you mean Server Manager, I've shown my Firewall settings that should be blocking port 53.

Am I not really blocking port 53 despite the rules that state that I am?

Was there somewhere specific you meant me to go from Administrative Tools? I just went to my Server Configuration and unchecked Parallels from my startup group items (there is no way to uninstall that I can determine) and rebooted. We'll see how that goes, but I'm not seeing DNS popping up anywhere in these config screens.

Bill Henderson (Web Marketing), Author, commented:
Whoops - here is the image
I see that you have blocked DNS requests for public network profile. Do you have a public network profile? I don't think so! You have a work or domain network profile. Am I correct?

And trust me: if there is no DNS service running, the Holy Spirit will not listen on port 53 and forward/respond to the DNS requests. :)

I don't know where DNS has disappeared to from Administrative Tools, but check in Services for DNS and tell me what you see, or post a picture.
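The profile mismatch raised above is the usual reason a "Block port 53" rule does nothing: a rule scoped to the Public profile is ignored on a connection Windows has classified as Domain or Private. The following PowerShell is an added example, not part of this thread or of any tool it mentions; it assumes Windows Server 2012 or later (the NetSecurity and NetConnection modules) and an elevated session. The rule display names are made up for the example.

```powershell
# Added example (not from the thread): check which firewall profile each
# connection actually uses, list existing inbound rules that touch port 53
# together with the profiles they cover, confirm whether the Windows DNS
# Server service is even installed, and finally add a block rule that
# applies to every profile so the scope cannot silently miss.

# 1. Which profile is each network connection using right now?
#    A rule scoped only to "Public" is inert on a Domain/Private connection.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 2. Existing inbound rules on port 53 and their profile scope.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 53 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile, Action

# 3. Is the Windows DNS Server service ("DNS") present at all?
#    No output here means the role is not installed on this host.
Get-Service -Name DNS -ErrorAction SilentlyContinue

# 4. Block inbound DNS for UDP and TCP on Domain, Private and Public alike.
#    Display names below are our own choice for the example.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block inbound DNS $proto/53 (all profiles)" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -Action Block -Profile Any -Enabled True
}
```

Re-run step 2 after step 4 and the new rules should show Profile "Any"; if the connection in step 1 reports a category your earlier rule did not cover, that alone explains why the lookups kept succeeding.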

If you have a DNS software other than that which comes with Windows server, you might try using netstat or TCPView to see which process is listening on port 53.  That could help track it down.

matrix8086 makes a good point about making sure what network profile(s) is in use and make sure your firewall rule aligns with that (or make it active for all profiles).
Also run netstat -a from cmd and tell me if the server listens on port 53.
Bill Henderson (Web Marketing), Author, commented:
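Both replies above come down to one check: is anything on this host bound to port 53, and if so, which process? The PowerShell below is an added example rather than code from the thread; it assumes Windows Server 2012 or later, where Get-NetUDPEndpoint and Get-NetTCPConnection are available (on older builds the equivalent is "netstat -ano" read against the PID column in Task Manager, or TCPView as suggested above). The function name is our own.

```powershell
# Added example (not from the thread): enumerate every UDP endpoint and
# listening TCP socket on port 53 and resolve the owning PID to a process
# name and executable path, so an unexpected resolver can be identified.

function Get-Port53Listener {
    # UDP sockets have no "state"; anything bound to 53 can answer queries.
    $udp = Get-NetUDPEndpoint |
        Where-Object { $_.LocalPort -eq 53 } |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    # TCP: only sockets in the Listen state matter. The cmdlet raises an error
    # when nothing matches, so suppress it and treat that as "none".
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 53 } |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in @($udp) + @($tcp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto        = $ep.Proto
            LocalAddress = $ep.LocalAddress   # 0.0.0.0 / :: means every interface
            PID          = $ep.OwningProcess
            ProcessName  = $proc.ProcessName
            Path         = $proc.Path         # empty for kernel-owned sockets
        }
    }
}

$listeners = Get-Port53Listener
if (-not $listeners) {
    'Nothing on this host is bound to port 53; the scanner is seeing some other device, or a stale result.'
} else {
    $listeners | Format-Table -AutoSize
}
```

A listener whose Path is not the Windows DNS Server binary is the thing to chase: the thread's suspicion was a bundled third-party component (Parallels) that was never deliberately configured, and this mapping from socket to executable is how that is confirmed or ruled out.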
Never thought it was angels, but didn't know about profiles in Windows Firewall.
So what have you done to fix your issue?

Your pic shows all your DNS settings are set to open.
Bill Henderson (Web Marketing), Author, commented:
I changed the profile, as suggested in the two answers I credited. I simply locked down port 53 on every profile in Windows Firewall and finally got the DNS amplification vulnerability eliminated. Sorry if that wasn't clear. I was angry about the unnecessary Holy Ghost comment, but the expert helped me resolve the issue.
Sorry about my joke, but that was my mood at that moment :D. Glad to help!

Best regards!