URGENT AND IMPORTANT Resolving DNS and DNS AMP


macole111
03-06-2013, 21:35
I just found that removing hints didn't work. No problem anyway as setting DNS servers on various 'secure' machines means that they can only access my services etc.

Thanks for the heads up on the English version, I hadn't seen that. Just to clarify I wasn't saying that you couldn't run your own DNS servers (sorry if this was implied), I was just saying that it isn't OVH's problem if people can't configure their own properly. I am all for people trying out new servers/software, I mean, where did we all start?

-macole111

Trapper
03-06-2013, 21:14
WARNING:

I have NOT removed the root hints from two of my Windows 2008r2 boxes, but they still pass the OVH test. - As I mention above, I think the test has changed - maybe to take into account this Windows default.

I agree that Disabling Recursion should do it. If OVH would make it clear if offering Root Hints is wrong, then maybe we can do that as well.

@macole111
They have finally done English... Please re-read my post above, with the links to the English versions...

As far as running my own DNS Servers, I have been doing this for years: Before DNS-AMP was a twinkle in "Anon's" eye...

People should run their own (DNS Servers), when they reach a certain point of understanding. This normally happens when other people's services cannot give all that is needed. For me, that happened about 8 years ago. Now I run 10 Dedicated Servers, 8 here at OVH (see sig). 5/10 run DNS.

Trap

macole111
03-06-2013, 20:49
This might be of some help to others running Windows, as pointed out the OVH link was a bit generic. In theory just disabling recursion should do it, but I found that it didn't.

What I had to do was remove all forwarders and delete all the root hints from the server properties window (DNS manager MMC snap-in -> right-click server name -> properties, then go to forwarders, click edit and remove them all, and go to root hints and click 'delete' until they all go). This would stop the server forwarding requests. I am not sure why we have to do all that but it fixes the issue on 2008 R2 and 2012.

To be honest if you don't know how to configure your DNS server properly then you shouldn't run your own, there are plenty of DNS hosting services out there that people can use.

To do some more detailed feedback I use http://www.kloth.net/services/dig.php with the server set to the op in question with trace set, if I try google.co.uk then if it shows a fill request I know it is still forwarding. It's a bit easier to understand than the French OVH thingy, why can't they translate it?

-macole111
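An added example, not code from the thread: a stand-alone Python probe that does what the OVH test page and the kloth.net dig trace above do, sent to a server you administer, and names the three outcomes macole111 distinguishes (recursion refused, a recursive query actually answered, or a referral built from the root hints, which is why "just disabling recursion" can still leave a usable amplifier). The server address and the query name are assumptions; the responses in the comments are constructed.

```python
import socket
import struct

def build_query(name, qid=0x1234, rd=True):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Classify a raw DNS response for a name the server is NOT authoritative for."""
    if len(response) < 12:
        return "malformed"
    _, flags, _, ancount, nscount, _ = struct.unpack(">HHHHHH", response[:12])
    ra = bool(flags & 0x0080)   # RA: server offers recursion
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"        # REFUSED: recursion denied, nothing to amplify
    if ra and ancount > 0:
        return "open-resolver"  # answered someone else's zone: the DNS AMP case
    if not ra and ancount == 0 and nscount > 0:
        return "referral"       # recursion off, but root hints still handed out
    return "other"

def amplification(query, response):
    """Bytes sent back per byte received; the figure an attacker cares about."""
    return len(response) / len(query)

def probe(server, name="google.co.uk", timeout=3.0):
    """Send one recursive query over UDP and report (classification, ratio)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return classify(response), amplification(query, response)

if __name__ == "__main__":
    # Assumed address of your own server; replace before running.
    print(probe("192.0.2.53"))
```

A "referral" result with a ratio well above 1 is the situation macole111 describes: recursion is off but the root hints are still served, so deleting them (or removing the hints file in BIND) is what finally brings the response down to a short REFUSED.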

Trapper
03-06-2013, 20:29
Kind-of add signature to previous post...

Trapper
03-06-2013, 20:05
@NatdaS / Octave

DNS:

Whilst I appreciate you bringing an important matter to our attention, I do wish you could execute this better.

After me moaning at you all weekend, and again today, the "test page" and "instructions page" for this is now available in English (not just French).

Test Page:
https://www.ovh.co.uk/cgi-bin/tools/dns_security.cgi

Instructions Page:
http://www.ovh.co.uk/g1082.secure-your-DNS

The instructions page is great if you run BIND (*nix). If you run Windows, then you're out-of-luck. There is a link to a Microsoft Page, but this is just about as generic, as this kind of thing can be. Good Luck if you are not a Server Guru, you're not gonna find step-by-step hand-holding like you do on the OVH page for the BIND-Boys.

Also, one of my servers miraculously changed from "Fail" to "Pass" today, without any intervention. I suspect the "Test" changed, as it was probably BIND-only...!

VAC1:

I was not aware of the vacuum system at OVH until Friday, when two of my servers started acting strange.

Although "NatdaS / Octave" mention this above, it seems to be used for far more than just DNS-Attack-Mitigation.

(Some of) my Servers are apparently being specially protected. The problem with this is that "VAC" is also blocking completely legitimate POP and SMTP traffic as well.

Maybe someone can point me in the direction of some details for VAC, or even answer the outstanding support tickets...

Trap

LawsHosting
31-05-2013, 23:40
Ok, my bad - been a hectic week, lack of sleep.

Neil
31-05-2013, 19:01
Quote Originally Posted by LawsHosting
Shouldn't that be:

This enables us to locate and to inform the customer that they have caused a security incident, give them 24 hours to fix it, then close down a server very easily with evidence.

More friendly, and less chance of pissing clients off.

Just an idea!
I think best if you read the whole thing, these customers have been informed:

At the same time, we are sending emails out to emails customers so that the problem gets fixed within 24hrs. From tomorrow, we will begin to suspend servers on the grounds of security risks.

LawsHosting
31-05-2013, 18:28
This enables us to locate and close down a server very easily, with evidence, then to inform the customer that they have caused a security incident.
Shouldn't that be:

This enables us to locate and to inform the customer that they have caused a security incident, give them 24 hours to fix it, then close down a server very easily with evidence.

More friendly, and less chance of pissing clients off.

Just an idea!

UK1
30-05-2013, 21:18
My VPS is secure !!!!!!!!! (Although I haven't figured out how to login to it yet)

NatdaS
30-05-2013, 20:18
Dear Customer,

Out of almost 160,000 physical servers and more than 40,000 VMs managed on our network, some have incorrect DNS configurations, which allow hackers to use the DNS server to launch attacks (DDoS attacks, type DNS AMP) directed at their targets from our network.

When we detect this kind of attack, we quarantine any IPs that are under attack and we look at all the source IPs participating in the attacks. (In a few weeks the traffic will be purged in order to make it safe again). This enables us to locate and close down a server very easily, with evidence, then to inform the customer that they have caused a security incident.

For one week, we have been working on DNS amplification attacks generated by our customers due to incorrect BIND configuration. An email has already been sent out to the first 500 customers asking them to correct this problem and we are preparing an email for the remaining 3000 customers.

At the same time, we are controlling the ongoing attacks, several per day, because the BIND is still not fixed, because the customer does not have time or thinks that it isn't serious.

Since 1pm, we have therefore quarantined the 3200 IPs participating in an attack. The quarantine goes through our VAC1 mitigation infrastructure in RBX and we filter all external DNS requests which aim to launch the attack. Other requests are not filtered and are allowed to pass.

At the same time, we are sending emails out to customers so that the problem gets fixed within 24hrs. From tomorrow, we will begin to suspend servers on the grounds of security risks.

Is my DNS server protected?
Test your IP here: http://ovh.to/6bc7evq

How to secure the DNS?
Follow instructions in the DNS configuration guide here: http://ovh.to/CTG8bvX

Can OVH perform this action?
Yes, this will cost 20 and a ticket must be opened here: http://ovh.to/jkTsuat

Regards,

Octave