DNS Amplification Denial of Service – GoDaddy DNS Servers Fail PCI Compliance
March 23rd, 2009 | Posted by in Tech/Web
In working with many online merchants that accept credit card payments online, it has come to my attention that GoDaddy DNS servers are not PCI compliant, and they also fail PCI compliance tests on several different levels. The GoDaddy DNS servers failed the DNS Amplification Denial of Service test as conducted by TrustKeeper. I’ve included the specifics of the test results and failure message below.
DNS Amplification Denial of Service
The DNS server answers all queries, providing additional delegation information to arbitrary IP addresses. It is possible to send a query for the root zone (.) to the DNS server and get an answer that is much larger than the query (often more than 20 times the size). An attacker could spoof the source IP address of the query, causing the DNS server to respond to the spoofed source IP with the larger answer. An attacker could focus these answers on a single target, resulting in a Denial of Service for that IP. Additionally, the amplification attack represents a Denial of Service risk to the DNS server itself: the server would have a reduced ability to respond to legitimate DNS queries due to consumed system resources and higher network traffic levels.
Verification of this must be done from a host that is not on the network/intranet of the DNS server. Command to verify from a UNIX-based system: ‘dig -t NS . @IP.OF.DNS.SERVER’ or ‘host -v -t NS . IP.OF.DNS.SERVER’. On Windows, run ‘nslookup -type=NS . IP.OF.DNS.SERVER’. If the response received includes answer and additional sections that list a number of hosts (often on ‘root-servers.net’), then the system is vulnerable. The SANS Internet Storm Center has also provided an online tool to verify this issue (see the link to sans.org in the references).
Note: Vulnerabilities which result only in denial of service do not affect PCI compliance; however, they may still be critical to your systems.
Service: -
CVE: CVE-2006-0988, CVE-2006-0987
NVD: CVE-2006-0988, CVE-2006-0987
Reference: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
Reference: http://isc.sans.org/dnstest.html
Reference: http://isc.sans.org/diary.html?storyid=5713
Reference: http://www.nabble.com/ISC-BIND-Amplification-Attacktd21670165.html
Reference: http://zytrax.com/books/dns/ch7/
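The scanner's criterion above (a root-zone NS query answered with populated answer and additional sections, and a reply many times larger than the query) can be checked offline against a captured reply. The following is an added example, not code from the original post or from TrustKeeper: it builds the same ‘. NS’ query that dig sends, parses a DNS response in wire format, computes the response-to-query size ratio, and applies the scanner's rule. The two responses it assesses are constructed in the script (the glue addresses are from the 198.51.100.0/24 documentation range, not real root-server addresses); in practice you would feed it the bytes captured from the dig or nslookup run the report describes.

```python
import struct

NS_TYPE, A_TYPE = 2, 1


def encode_name(name):
    """Encode a dotted name into DNS wire format (no label compression)."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid=0x1234):
    """The query 'dig -t NS . @server' sends: one question, root zone, type NS, class IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", NS_TYPE, 1)


def rr(name, rtype, rdata, ttl=518400):
    """One resource record: owner name, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(txid, answers, additional, rcode=0):
    """A reply to the root NS question with the given answer and additional records."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, len(additional))
    question = encode_name(".") + struct.pack("!HH", NS_TYPE, 1)
    return header + question + b"".join(answers) + b"".join(additional)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Split a DNS reply into rcode plus (name, type, value) tuples per section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == NS_TYPE:
                value, _ = read_name(msg, off)
            elif rtype == A_TYPE:
                value = ".".join(str(b) for b in rdata)
            else:
                value = rdata.hex()
            off += rdlen
            sections[section].append((name, rtype, value))
    return {"rcode": flags & 0xF, **sections}


def assess(query, response):
    """Apply the scanner's rule: answer and additional sections both populated means amplifier."""
    parsed = parse_response(response)
    ns_hosts = [v for _, t, v in parsed["answer"] if t == NS_TYPE]
    return {
        "ratio": round(len(response) / len(query), 1),
        "ns_hosts": len(ns_hosts),
        "additional": len(parsed["additional"]),
        "root_servers": any(h.endswith("root-servers.net.") for h in ns_hosts),
        "flags_as_amplifier": parsed["rcode"] == 0 and bool(parsed["answer"]) and bool(parsed["additional"]),
    }


# Constructed sample replies (not captured from any real server).
ROOT_NS = ["%s.root-servers.net." % c for c in "abcdefghijklm"]
QUERY = build_query()
OPEN_RESPONSE = build_response(          # what the report describes: 13 NS + 13 glue A records
    0x1234,
    answers=[rr(".", NS_TYPE, encode_name(h)) for h in ROOT_NS],
    additional=[rr(h, A_TYPE, bytes([198, 51, 100, i + 1])) for i, h in enumerate(ROOT_NS)],
)
REFUSED_RESPONSE = build_response(0x1234, answers=[], additional=[], rcode=5)  # REFUSED, no data

if __name__ == "__main__":
    for label, resp in (("open", OPEN_RESPONSE), ("refused", REFUSED_RESPONSE)):
        print(label, assess(QUERY, resp))
```

Because the constructed reply uses no label compression, its size ratio (about 51x for a 17-byte query) is higher than a real server's compressed answer, but the decision rule is the one the scanner states, so a captured reply from a server that refuses root-zone queries from outside its network (or answers without an additional section) comes back with `flags_as_amplifier` false.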
My understanding was that ASVs could not fail clients on DOS since technically you can’t test DOS. Your opinion?
I’m concerned as to why you are disclosing this, as it seems questionable ethically. Have you reported this to GoDaddy and given them time to try and fix this issue? If not, you are not practicing appropriate ethical disclosure.
Yes Lawrence, I’ve contacted GoDaddy and they have said that they have no plans to change the way their DNS servers currently work.
I have found AT&T Yahoo ISP’s DNS servers to be non-compliant, as well. And they too have refused to change their DNS servers for “just one customer”. Can you recommend an ISP provider with PCI Compliant DNS servers? Thanks.
Hi Teresa -
We just tried moving our domains to namecheap.com (they offer free DNS) and they were non-compliant as well, but they seem to be willing to work with us on getting the issue resolved. I’ll definitely keep you all posted.
The vulnerability scans for PCI Compliance were stating that my DNS server had a problem of allowing third-party recursive queries and thus they failed the scan. I have done more digging and discovered it was actually my DSL Modem/Router that was allowing third-party recursive look-ups and NOT AT&T’s DNS servers. I have resolved the problem with my router, passed the vulnerability scan and am now PCI Compliant. And I am still using AT&T’s DSL service with their DNS. So AT&T’s DNS is compliant.