Checking for DNS recursion with NSE

DNS recursion isn't typically an issue, but if you allow outside hosts to use your internal DNS servers for recursion, you are setting yourself up for potential attacks. DNS amplification attacks can be leveraged using these types of setup, where hackers will use these DNS servers to send spoofed requests to them, and they will respond back to the original host and, if there are a large number of these, a DDOS situation.

To check for DNS recursion, we can use Nmap with the NSE engine. The command is straightforward, as we will do a UDP scan on port 53 and turn on the recursive script with the command nmap -sU -p53 -script=dns-recursion HOST.

In this example, the DNS server is correctly set up as they do not allow DNS recursion:

root@pi-kali:~# nmap -sU -p53 --script=dns-recursion NS.XXX.NET
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-06 18:24 UTC
Nmap scan report for NS.XXX.NET (XXX.XXX.XXX.XXX)
Host is up (0.096s latency).
PORT STATE SERVICE
53/udpopen domain
Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds

Next, this particular server allows recursion to happen and, hence, potentially participate in the DNS amplification attack:

root@pi-kali:~# nmap -sU -p53 --script=dns-recursion 1.xxx.xxx.xxx
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-06 18:24 UTC
Nmap scan report for 1.xxx.xxx.xxx
Host is up (0.27s latency).
PORT STATE SERVICE
53/udpopen domain
|_dns-recursion: Recursion appears to be enabled
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds