DNS server zone transfer and amplification attack

How to test if a DNS server allows zone transfer?

In Windows
nslookup
server TARGET_DNS_SERVER_IP
set type=any
ls -d TARGET_DOMAIN

In Linux
dig @TARGET_DNS_SERVER_IP -t AXFR TARGET_DOMAIN

Many DNS servers allow root(".") zone transfer, this can lead to an amplification attack, when an attacker sends many small(17 bytes) root zone transfer requests and server replies with much bigger reply(500 bytes). More over, the possibility to transfer the root zone will result in FAIL during PCI ASV scan. We can check if it is possible manually with the following commands:

Transfer root zone in Linux
dig @DNS_SERVER_IP axfr

Transfer root zone in Windows

nslookup

> server server_ip

> set q=soa

> .

How can we disable root zone transfer and avoid amplification attack?
In BIND it is required to add a string to options in named.conf file:
additional-from-cache no;

This will influence the cache, so be cautious.


Solution for Windows

Cisco ASA NAT in examples

Example 1
Forward port for a web server from the Internet to internal network using Auto NAT or as it called Network Object NAT

object web_server_in_dmz 

  host 192.168.1.2 
  nat (inside,outside) static 1.1.1.1 service tcp www 8080

Where:

• 192.168.1.2 - IP address of web server in internal network
• inside - name of the interface connected to the internal network
• outside - name of the interface connected to the external network
• static - type of NAT translation
• 1.1.1.1 - external Internet address
• www - real port on a web server
• 8080 - translated port which will be open on external address

The same goal can be accomplished using Manual NAT:

nat (outside, inside) source static any any destination static public_ip web service 8080 www

where:
outside - source interface, where original packet comes in
inside - destination interface, from where translated packet will come out
source - means we are starting configuration of source IP address translation
static - NAT will static, not dynamic
first any - source address of original packet
second any - source address of translated packet, thus source address will be not changed
destination - means we are starting configuration of destination IP address translation
static - destination NAT will be static, not dynamic
public_ip - network object which describes external Internet IP address
web - network object which describes internal IP address of web server
service - means we are starting specification which services will be translated
8080 - service object which describes port 8080 TCP, translated port which will be open on external address
www - service object which describes port 80 TCP, real port on a web server

However, it will not work if 1.1.1.1 - is the IP address of the outside interface. 1.1.1.1 maybe the secondary outside address, but not the primary one. By secondary I mean that it will appear only in NAT configuration, it will be enough for ASA start replying on this address. It is impossible to configure explicitly the secondary address on ASA.
So, how to configure port forwarding using the IP address of the outside interface? Here is the example:

nat (outside, inside) source static any any destination static interface web service 8080 www

The only thing changed here is public_ip > interface, which means as I comprehend, that identification by interface is used instead of IP.

Example 2
Configure PAT for internal network that users can access the Internet
Using Auto NAT

object network lan
  subnet 172.16.16.0 255.255.255.0
  nat (any,any) dynamic public_ip

where public_ip is a network object containing external IP address, but not the address of outside interface of course :)

Using Manual NAT with IP address of outside interface
object network lan
  subnet 172.16.16.0 255.255.255.0
nat (inside,outside) source dynamic lan interface

Example 3
NAT exemption
For instance you need to exclude the server from the PAT because this server needs to communicate with another server via IPSec VPN. To accomplish it we just need to create a NAT rule which changes nothing and set its order number to one
nat (any,any) 1 source static server1 server1 destination remote_server remote_server

Troubleshooting

Show all translations

Show xlate
show nat