Public (open) DNS servers are DNS servers that try to answer every query sent to them, no matter who is asking. Unless the server is genuinely meant to serve the general public, an open resolver is usually the result of a missing or wrong configuration.
The easiest way to tell whether a server offers this service to everyone (that is, acts as an open recursive resolver) is to query it, through that server, for names it does not host itself, such as google.com or yahoo.com.
If the target DNS server is configured as an open resolver, the output looks like the one below: the `ra` (recursion available) flag is set, the status is NOERROR and the ANSWER section is populated.
~# dig www.google.com @91.93.119.70
; <<>> DiG 9.5.0-P2.1 <<>> www.google.com @91.93.119.70
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26294
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 44481 IN CNAME www.l.google.com.
www.l.google.com. 118 IN A 66.102.13.147
www.l.google.com. 118 IN A 66.102.13.99
www.l.google.com. 118 IN A 66.102.13.105
www.l.google.com. 118 IN A 66.102.13.103
www.l.google.com. 118 IN A 66.102.13.104
www.l.google.com. 118 IN A 66.102.13.106
;; Query time: 16 msec
;; SERVER: 91.93.119.70#53(91.93.119.70)
;; WHEN: Sat Jul 24 13:23:59 2010
;; MSG SIZE rcvd: 148
If the DNS server is not configured to serve everyone, the output looks like the one below: the flags carry `rd` but not `ra`, dig warns "recursion requested but not available", the ANSWER section is empty and the AUTHORITY section merely refers us to the root servers. Depending on the server software and version you may see status: REFUSED instead of a root referral; either way the server is not recursing on your behalf.
[root@seclabs ~]# dig @ns1.gezginler.net www.google.com
; <<>> DiG 9.6.1-P1 <<>> @ns1.gezginler.net www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33451
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
;; Query time: 140 msec
;; SERVER: 208.43.98.30#53(208.43.98.30)
;; WHEN: Sat Aug 7 16:18:15 2010
;; MSG SIZE rcvd: 243
To find all open resolvers in an IP range, Nmap and its scripting engine (NSE) can be used with the dns-recursion script. Because a UDP scan cannot distinguish an open port from a filtered one, every port is reported as open|filtered; the script output is what identifies the open resolvers (here 91.93.119.67, .69, .70 through .76 and .78).
root@seclabs:~# nmap -PN -n -sU -p 53 --script=dns-recursion.nse 91.93.119.65/28
Starting Nmap 5.00 ( ) at 2010-07-24 13:19 EDT

Interesting ports on 91.93.119.64:
PORT   STATE         SERVICE
53/udp open|filtered domain

Interesting ports on 91.93.119.65:
PORT   STATE         SERVICE
53/udp open|filtered domain

Interesting ports on 91.93.119.66:
PORT   STATE         SERVICE
53/udp open|filtered domain

Interesting ports on 91.93.119.67:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.68:
PORT   STATE         SERVICE
53/udp open|filtered domain

Interesting ports on 91.93.119.69:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.70:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.71:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.72:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.73:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.74:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.75:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.76:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.77:
PORT   STATE         SERVICE
53/udp open|filtered domain

Interesting ports on 91.93.119.78:
PORT   STATE         SERVICE
53/udp open|filtered domain
|_ dns-recursion: Recursion appears to be enabled

Interesting ports on 91.93.119.79:
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 16 IP addresses (16 hosts up) scanned in 34.65 seconds
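The dig check above and the Nmap sweep both boil down to one thing: send a query with the RD bit set for a name the server does not host, and see whether the reply carries the RA bit and an answer. The following is an added example, not code from the original post or from the dig/Nmap projects, that does exactly that in pure Python: it builds the same question dig sends, reads the reply header, and classifies the server as open, referral-only or REFUSED. The three sample replies are constructed by hand (they are not real captures) so the classification runs offline; `probe()` and `scan()` perform live queries and the server IP in the commented-out call is taken from the post.

```python
"""Open-resolver check in pure Python (added example, not from the original post)."""
import ipaddress
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format name: each label prefixed with its length, terminated by a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte header (flags 0x0100 = RD only, the bit dig sets) + one question for <name> IN A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the header fields dig prints on its 'flags:' line."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "rd": bool(flags & 0x0100),  # recursion desired (echoed from our query)
        "ra": bool(flags & 0x0080),  # recursion available: the bit that matters here
        "rcode": flags & 0x000F,
        "answers": an, "authority": ns, "additional": ar,
    }


def classify(resp: bytes) -> str:
    """Map a reply to the three cases seen in the dig outputs above."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursive"
    if h["rcode"] == 5:
        return "closed (REFUSED)"
    if not h["ra"] and h["answers"] == 0 and h["authority"] > 0:
        return "closed (referral only)"
    return "inconclusive (%s)" % RCODES.get(h["rcode"], h["rcode"])


def probe(server: str, name: str = "www.google.com", timeout: float = 3.0) -> str:
    """Send one query over UDP/53 and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    if resp[:2] != query[:2]:  # transaction id must match our query
        return "mismatched-id"
    return classify(resp)


def scan(cidr: str) -> dict:
    """Poor man's `nmap -sU -p 53 --script dns-recursion`: probe every host in a range."""
    return {str(ip): probe(str(ip)) for ip in ipaddress.ip_network(cidr, strict=False)}


# --- constructed sample replies (hand-built for offline testing, not captures) ---
def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: owner name, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


_Q = encode_name("www.google.com") + struct.pack("!HH", 1, 1)
# open resolver: flags QR|RD|RA (0x8180), one A answer; 0xC00C is a pointer to the question name
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + \
    _rr(b"\xc0\x0c", 1, 118, bytes([66, 102, 13, 147]))
# not recursing, older BIND style: flags QR|RD (0x8100), no answers, a root NS record in AUTHORITY
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0) + _Q + \
    _rr(b"\x00", 2, 518400, encode_name("a.root-servers.net"))
# not recursing, newer style: flags QR|RD with RCODE 5 (0x8105) and empty sections
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _Q

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("referral", REFERRAL_REPLY), ("refused", REFUSED_REPLY)):
        print(label, "->", classify(reply))
    # print(probe("91.93.119.70"))      # live check against a server from the post
    # print(scan("91.93.119.65/28"))    # live sweep of the same range Nmap scanned
```

Only the header is parsed; that is enough to reproduce the `ra` / "recursion requested but not available" distinction dig shows. `scan()` is sequential and slow on large ranges, which is fine for a /28 but a reason to reach for Nmap on anything bigger.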
Why are public DNS servers a security risk?
If you are using ISC BIND as your DNS server, you can stop it from answering recursive queries with the definition below.
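As an added example (not the author's configuration, which is not reproduced on this page), here is a BIND 9 `named.conf` fragment that limits recursion to the server's own clients. The ACL name and the address ranges are placeholders to be replaced with your own networks:

```conf
// Added example: restrict recursion in BIND 9 (named.conf)
acl "trusted" {
    127.0.0.0/8;          // localhost
    192.168.1.0/24;       // placeholder: your own client networks
};

options {
    // Recurse only for clients in "trusted"; everyone else is answered
    // without recursion (root referral or REFUSED, depending on version
    // and on allow-query-cache)
    allow-recursion { trusted; };
    // Do not serve cached answers to outsiders either
    allow-query-cache { trusted; };

    // For a purely authoritative server, turn recursion off entirely instead:
    // recursion no;
};
```

After reloading (`rndc reload`), repeat the dig test from an address outside the ACL: the reply should no longer carry the `ra` flag and the ANSWER section should be empty.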