Pacific Internet - Ukiah, California

DNS Recursion

Very Important First Step

Older firmware versions of the router fail to correct the issue properly. You must update the firmware to the most recently released version.

The Domain Name System and Denial-of-service attacks

The Domain Name System (DNS) allows for the resolution of domain names (like "www.pacific.net") to IP addresses (like 10.0.0.1), much like a phone book resolves a person's name to a phone number. Normally, one makes a request to a name server for the IP address (or other relevant record) of a particular host or domain name. The response from the name server is returned to the IP address of the requester. There is a denial-of-service (DoS) attack which exploits the name server's willingness to respond to any request. If a request is sent from a spoofed IP address, the name server will unwittingly send the response to the faked address, resulting in unrequested network traffic for the user at the faked address. If enough false traffic is generated, it can overwhelm the unsuspecting user and impair their ability to function on a network such as the Internet. If the victim is an Internet service provider (ISP) such as Pacific.net or Sonic.net, this crippling of network functionality can impair their users' ability to access their services and possibly the Internet as well.

Open Recursive DNS - A Problem

Any device that responds to requests on the Internet can potentially be exploited in a denial-of-service attack, including personal routers at a home or business, since they are often designed to pass along DNS requests and return the responses. This ability to play the middle-man is what gives recursive DNS its name. Recursive DNS can also increase the size of the response, which further impairs the affected network. A name server (or any device which recursively handles DNS requests) is considered "open" when it happily or begrudgingly accepts, forwards, and returns requests from any source. This means computers from all over the world can spoof the IP addresses of businesses like Pacific Internet or Sonic and, with enough requests, generate enough traffic to cripple their networks.

Securing Your Devices - A Solution

To test whether a device at your location is participating in this activity, click the following link:

https://corp.sonic.net/scripts/servicetest

Unfortunately, many consumer routers do not protect against this problem by default, although many, if not most, have some sort of setting to prevent it. If you have obtained a ZyXEL P660HN-51 modem/router (black case, roughly the size of a hardcover book), you will need to check and possibly correct some settings. The following instructions will guide you through that task. If you are unable to follow them, give us a call or come by and we will be more than happy to assist you. If you have different equipment and still fail the above test, please try to correct the issue by referring to your device's documentation. If you are still unable to correct the problem, feel free to contact us for assistance.
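As an added example (not part of this page or of the Sonic service test), the following standard-library Python script performs the same kind of check against a device at your own location: it sends one recursive DNS query over UDP to an address you specify, reports whether the device answered recursively (the "open" behaviour described above) or refused, and shows how many bytes came back per byte sent, which is the amplification a spoofed request would obtain. The router address, the queried name and the result labels are assumptions; the two sample replies are constructed so the classifier can be exercised offline.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # qtype A, class IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an, "authority": ns, "additional": ar}

def classify(query, resp):
    """Label how the device handled a recursive query for a name it is not authoritative for."""
    if len(resp) < 12:
        return "no-valid-response"
    h = parse_header(resp)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "no-valid-response"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursive"      # it resolved the name for anyone asking: the problem this page describes
    if h["rcode"] == 5:
        return "refused"             # REFUSED: recursion correctly denied to outside sources
    return "not-recursive"

def amplification(query, resp):
    return len(resp) / len(query)    # > 1 means the reply is larger than the query that triggered it

def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query to UDP/53 on `server` (assumed to be your own router) and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-valid-response", 0.0
    return classify(q, resp), amplification(q, resp)

# Constructed sample replies (not captured traffic) so the classifier can be run without a network.
_QUESTION = build_query("example.com")[12:]
SAMPLE_OPEN_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION   # QR, RD, RA set
                     + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1]))
SAMPLE_REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION  # QR, RD, RCODE 5
```

Run `probe("192.168.1.1")` from a machine on the router's LAN to see the label and size ratio for your own device; a result of "open-recursive" from the WAN side is what the settings in the steps below are meant to eliminate.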

How to prevent DNS Recursion for the ZyXEL P660HN-51 in four easy steps.

The following will instruct you how to prevent the ZyXEL router from responding to these fake requests. It is very important that once you have completed these steps, you run the DNS Recursion Test and ensure all exploitable issues are resolved. To rerun the test, you'll need to close the window/tab that it's in and re-visit the link.

Step 1

  • Begin by logging into the ZyXEL router. To do this, you'll need a computer that is connected to the ZyXEL, via either Ethernet or Wifi.
  • Open a web browser on your computer and go to the address: http://192.168.1.1/
  • You'll be prompted for a username and password. The default username is admin and the default password is 1234.

Step 2

  • Once logged in, you'll click on Security Settings at the bottom of the window, then select Firewall.
  • After selecting Firewall, click on the Access Control tab near the top.
  • The picture below is the screen you should now be at. On this page, click into the circles to move the black dot to Enable for both DoS Protection and Deny Ping Response.
  • When finished, click Apply in the lower right. The page will reload and all settings should be in effect.

Step 3

  • Next, click on Network Settings and select Home Networking.
  • After selecting Home Networking, click on the UPnP tab near the top.
  • The picture below is the screen you should now be at. On this page, click into the circle to move the black dot to Disable for the State.
  • When finished, click Apply in the lower right. The page will reload and all settings should be in effect.

If you have any trouble or need assistance, please give support a call at 707.463.8214.