DNS Server Spoofed Request Amplification DDoS

Hi,

I use Cloudflare as a DNS for my site.
I got a vulnerabilities report for my site, and it has one high-level issue named “DNS Server Spoofed Request Amplification DDoS”.
Short description is:
The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone (‘.’) and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this ‘amplification’ to launch a denial of service attack against a third-party host using the remote DNS server.

Solution (recommended)
Restrict access to your DNS server from public network or reconfigure it to reject such queries.

What can I do to resolve this issue in Cloudflare?

That response is a false positive if you are using Cloudflare nameservers for your zone. Either the tool is testing with a sample zone hosted by Cloudflare or it’s broken.


```
; <<>> DiG 9.10.6 <<>> example.com @dane.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 19174
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```

Hello,

Thanks for the answer. I use the Cloudflare Free plan. Maybe on this plan there is insufficient built-in protection against DDoS attacks, and false positive processing is not supported?

If an amplification attack was possible using Cloudflare nameservers, someone would do it because the scale of it would be huge.

What is your domain and what tool are you using to check it?

False positive means the tool is wrong. Cloudflare nameservers are not vulnerable to the problem reported.

Plan type has nothing to do with it. Your domain isn’t being tested, the nameservers hosting your domain are being tested.


Hello,

My domain is mtsbu.ua.
The report (test) was generated by Tenable Nessus (I don’t know what tool they use).


Whoever has configured Nessus to run the test either configured it incorrectly or misinterpreted the results. The “recursion requested but not available” response in each query demonstrates the nameservers are not subject to the vulnerability claimed.

```
chuck.ns.cloudflare.com.
teagan.ns.cloudflare.com.

dig google.com @chuck.ns.cloudflare.com

; <<>> DiG 9.10.6 <<>> google.com @chuck.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45521
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

dig google.com @teagan.ns.cloudflare.com

; <<>> DiG 9.10.6 <<>> google.com @teagan.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40472
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```

If this is instead a warning about a DNS server you control and not the DNS servers for your zone, it should be remediated by whoever manages that server.

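For readers who want to see what the scanner's check actually measures, here is an added Python example (not from the thread, Cloudflare or Nessus) that decodes the header of a reply to the ‘. IN NS’ probe and decides whether the server would serve as an amplifier. Both replies are constructed inline: one reproduces the REFUSED / RA-clear header shown in the dig output above, the other models an open resolver that honours recursion and returns all 13 root NS records.

```python
"""Analyse replies to the '. IN NS' probe behind the 'DNS Server Spoofed Request Amplification DDoS' check."""
import struct

PROBE_ID = 0x4242

def build_root_ns_probe(qid=PROBE_ID):
    """The scanner's probe: question '. IN NS' with RD (recursion desired) set; 17 bytes."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    return header + b"\x00" + struct.pack(">HH", 2, 1)          # root name, type NS, class IN

def analyse_response(probe, response):
    """Decode the response header and decide whether the server would work as an amplifier.

    Only a server that honours recursion (RA set, RCODE NOERROR) and returns a reply much
    larger than the probe is usable; an authoritative-only server answers REFUSED with RA clear.
    """
    _qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    factor = len(response) / len(probe)
    return {"rcode": rcode, "recursion_available": ra, "answer_count": an,
            "amplification_factor": round(factor, 1),
            "amplifier": ra and rcode == 0 and an > 0 and factor > 2}

# Constructed sample 1, matching the dig output in the thread (flags qr rd, status REFUSED,
# ANSWER 0, ADDITIONAL 1). The additional record is an empty EDNS OPT pseudo-record, so the
# reply is a few bytes longer than the probe even though nothing is answered.
REFUSED_RESPONSE = (
    struct.pack(">HHHHHH", PROBE_ID, 0x8105, 1, 0, 0, 1)       # QR=1, RD=1, RA=0, RCODE=5
    + b"\x00" + struct.pack(">HH", 2, 1)                        # echoed question
    + b"\x00" + struct.pack(">HHIH", 41, 1232, 0, 0)            # OPT, UDP size 1232, no data
)

def _root_ns_record(letter):
    """One '. NS <letter>.root-servers.net.' answer; owner name is a pointer to offset 12."""
    rdata = bytes([1]) + letter.encode() + b"\x0croot-servers\x03net\x00"
    return b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 518400, len(rdata)) + rdata

# Constructed sample 2: an open resolver that honours recursion (flags qr rd ra, NOERROR)
# and hands back all 13 root NS records, roughly 25 times the size of the probe.
OPEN_RESOLVER_RESPONSE = (
    struct.pack(">HHHHHH", PROBE_ID, 0x8180, 1, 13, 0, 0)      # QR=1, RD=1, RA=1, RCODE=0
    + b"\x00" + struct.pack(">HH", 2, 1)
    + b"".join(_root_ns_record(c) for c in "abcdefghijklm")
)

if __name__ == "__main__":
    probe = build_root_ns_probe()
    print("authoritative-only:", analyse_response(probe, REFUSED_RESPONSE))
    print("open resolver:     ", analyse_response(probe, OPEN_RESOLVER_RESPONSE))
```

The REFUSED reply is slightly larger than the probe because of the OPT record, which is why a scanner that only compares sizes, without checking RA and RCODE, can flag an authoritative-only server.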