NSX DNS resolution lockdown

Been a bit since my last post but starting to catch up on things around here. Recently we got a notification from our security teams that one of our labs participated in a DNS DDoS attack on a third party. Upon investigation it appears that the Edge appliance that was being used for VPN access and DNS resolution was the source of the problem.

A bit baffled, I checked into how this could be and discovered that the DNS resolvers of a standard edge are listening on ALL interfaces. Well, considering that one of the interfaces has a public IP on it, that essentially means the Edge DNS server is resolving DNS requests for anyone on the internet.

If you pull up the config of an Edge using the API you get the following:

<dns>
  <version>4</version>
  <enabled>false</enabled>
  <cacheSize>16</cacheSize>
  <listeners>
    <vnic>any</vnic>
  </listeners>
</dns>

Notice that the listeners are set to ‘any’ interface, which leaves a lot to be desired. To fix this we need to specify which vnic interfaces the DNS server will listen on. By editing the REST API call and specifying the vnic interfaces, we can limit which interfaces we’re listening on:

<dns>
  <version>4</version>
  <enabled>false</enabled>
  <cacheSize>16</cacheSize>
  <listeners>
    <vnic>vnic0</vnic>
    <vnic>vnic1</vnic>
  </listeners>
</dns>

Perform a PUT operation using the API at the https:///api/4.0/edges//dns/config location and you’ll reconfigure the DNS server.
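As an added example that is not part of the original post, the script below does the two things this procedure calls for: audit a DNS config document pulled from the edge for an ‘any’ listener, and rewrite the listeners block with explicit vnics so it can be PUT back to the /api/4.0/edges/{edgeId}/dns/config endpoint the post names. The sample config is constructed to mirror the fragment above; the manager hostname, edge ID, credentials and the use of HTTP Basic authentication for the manager API are assumptions, and the PUT helper is not exercised here because it needs network access.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the default DNS config as the Edge API returns it
# (mirrors the fragment in the post), with the closing tag present.
DEFAULT_DNS_CONFIG = """<dns>
  <version>4</version>
  <enabled>false</enabled>
  <cacheSize>16</cacheSize>
  <listeners>
    <vnic>any</vnic>
  </listeners>
</dns>"""


def listeners(dns_xml):
    """Return the <vnic> values under <listeners>, in document order."""
    root = ET.fromstring(dns_xml)
    return [v.text.strip() for v in root.findall("./listeners/vnic") if v.text]


def is_exposed(dns_xml):
    """True when the resolver listens on every interface ('any'). On an edge
    with a public uplink that means it answers queries from the internet."""
    return any(v.lower() == "any" for v in listeners(dns_xml))


def restrict_listeners(dns_xml, vnics):
    """Return a copy of the config whose <listeners> block names only the
    given vnics (e.g. ["vnic0", "vnic1"]), ready to PUT back to the edge."""
    if not vnics:
        raise ValueError("at least one vnic is required; an empty list restricts nothing")
    root = ET.fromstring(dns_xml)
    block = root.find("listeners")
    if block is None:
        block = ET.SubElement(root, "listeners")
    for child in list(block):          # drop 'any' and anything else present
        block.remove(child)
    for name in vnics:
        ET.SubElement(block, "vnic").text = name
    return ET.tostring(root, encoding="unicode")


def dns_config_url(manager_host, edge_id):
    """Endpoint from the post with the (assumed) manager host and edge ID filled in."""
    return f"https://{manager_host}/api/4.0/edges/{edge_id}/dns/config"


def put_dns_config(manager_host, edge_id, user, password, dns_xml, cafile=None):
    """PUT the rewritten config to the edge. Assumes HTTP Basic auth on the
    manager API; pass cafile to trust a self-signed manager certificate.
    Not run by the checks below (network required)."""
    req = urllib.request.Request(
        dns_config_url(manager_host, edge_id),
        data=dns_xml.encode("utf-8"),
        method="PUT",
    )
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/xml")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    print("exposed:", is_exposed(DEFAULT_DNS_CONFIG))
    print(restrict_listeners(DEFAULT_DNS_CONFIG, ["vnic0", "vnic1"]))
```

Run the audit half against the GET output of every edge that carries a public uplink; any config where is_exposed() is true is a resolver the internet can reach. The rewrite deliberately refuses an empty vnic list, since an empty <listeners> block would not express the restriction you intend.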

Be warned, however, that vCloud will not like this modification at all: doing this will in effect break your edge, preventing you from making any further modifications.