Eucalyptus Can Act as an Open DNS Resolver




Severity Level: MODERATE
Issue Date: 2014-02-24
Last Updated: 2014-03-11
Affected Products: Eucalyptus 3.3.0 to Eucalyptus 3.4.1
CVE Number: CVE-2013-4769




A security issue has been identified in the recursive DNS resolver implemented in Eucalyptus that affects publicly accessible Eucalyptus installations. An update is now available in 3.4.2 that resolves this issue. We advise updating all affected Eucalyptus installations as soon as possible.


Eucalyptus implements a DNS service on the cloud controller (CLC) component to facilitate internal DNS lookups. An issue has been identified in the implementation of the recursive DNS resolver that could be exploited by external clients to participate in DNS amplification attacks, a type of distributed denial of service attack. This could also lead to denial of service to authorized clients. The issue affects all Eucalyptus installations where the CLC is publicly accessible and recursive DNS is enabled (see the dns.recursive.enabled property).
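The practical question for an operator is whether the CLC answers recursive queries from outside the deployment. The following audit helper is an added example, not code from the advisory or from Eucalyptus: it builds a single DNS query with the RD (recursion desired) bit set for a name the CLC is not authoritative for, and classifies the response by its header flags. A reply with RA set, rcode NOERROR and at least one answer means the server recursed on the client's behalf, which is the behaviour the advisory describes; REFUSED means recursion is disabled or the client is filtered. Run it from a host outside the internal network against your own CLC (the server address, the probe name example.com and the transaction id 0x1234 are assumptions chosen for the example).

```python
"""Audit helper: does a DNS server answer recursive queries for arbitrary names?

Added example (not Eucalyptus code). Sends one query with the RD bit set for a
name the server is not authoritative for and inspects the response header.
A server that sets RA and returns answers is acting as an open resolver
toward the client that sent the query.
"""
import socket
import struct

QUERY_ID = 0x1234  # assumed transaction id for this example


def build_query(name: str, txid: int = QUERY_ID) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    # header: ID, FLAGS (0x0100 = RD), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Parse the 12-byte DNS header into its flag and count fields."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: bytes, expected_id: int = QUERY_ID) -> str:
    """Return 'open-resolver', 'refused', 'no-recursion' or 'invalid'."""
    h = parse_header(resp)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"
    if h["rcode"] == 5:  # REFUSED: recursion disabled or client not allowed
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-resolver"
    return "no-recursion"


def probe(server: str, name: str = "example.com.", timeout: float = 3.0) -> str:
    """Send one recursive query to server:53/udp and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify(data)


if __name__ == "__main__":
    import sys
    # Assumed usage: python audit_resolver.py <address of your own CLC>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

A "timeout" result from outside the network is the expected outcome once the DNS ports are restricted as described in the remediation section; "refused" is the expected outcome when dns.recursive.enabled is turned off.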


Restricting network access to the Eucalyptus DNS ports to internal clients only (where possible) resolves the issue. Please refer to the Administration Guide at for the Eucalyptus open ports and connectivity rules.

In cases where it is not possible to limit network access to the DNS server to a set of trusted clients, a partial solution is to employ a blacklist of known DNS offenders (e.g., from ) and to limit the rate of DNS requests to the CLC using a firewall. For example, the following rules limit the DNS request rate using iptables:

# iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name DDOS --rsource 
# iptables -A INPUT -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 20 --name DDOS --rsource -j DROP
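To see what the two rules above actually do to a stream of queries, here is an added user-space simulation of the iptables recent module's behaviour (example code, not from the advisory or from Eucalyptus). The first rule (--set) records a timestamp for the source of every UDP/53 packet; the second (--update --seconds 10 --hitcount 20) drops the packet once the source has 20 or more recorded hits in the last 10 seconds. The packet trace is constructed: one source bursting 50 queries in 5 seconds and one normal client sending a query per second. One caveat worth knowing when tuning these numbers: xt_recent keeps a bounded list of timestamps per source (module parameter ip_pkt_list_tot, default 20), and a --hitcount larger than that list can never match, so raising the threshold above 20 also requires raising ip_pkt_list_tot.

```python
"""Sliding-window rate limiter mirroring the two iptables 'recent' rules.

Added example (not Eucalyptus code). Simulates in user space what the rules do
in the kernel: every UDP/53 packet records a timestamp for its source (--set),
and the packet is dropped once the source has HITCOUNT or more hits within the
last SECONDS seconds (--update --seconds 10 --hitcount 20). Useful for replaying
a packet trace to see which sources the rules would throttle.
"""
from collections import defaultdict, deque

SECONDS = 10    # --seconds 10
HITCOUNT = 20   # --hitcount 20
LIST_TOT = 20   # xt_recent ip_pkt_list_tot default: timestamps kept per source


class RecentLimiter:
    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        # bounded per-source timestamp list, like the kernel's recent table
        self.hits = defaultdict(lambda: deque(maxlen=list_tot))

    def verdict(self, src: str, ts: float) -> str:
        # rule 1: --set records this packet's timestamp for the source
        self.hits[src].append(ts)
        # rule 2: --update --seconds N --hitcount M -> DROP if M+ hits in last N s
        recent = sum(1 for t in self.hits[src] if ts - t <= self.seconds)
        return "DROP" if recent >= self.hitcount else "ACCEPT"


def replay(packets):
    """packets: iterable of (timestamp, source_ip), in time order.
    Returns {source_ip: {"ACCEPT": n, "DROP": m}}."""
    limiter = RecentLimiter()
    stats = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for ts, src in packets:
        stats[src][limiter.verdict(src, ts)] += 1
    return dict(stats)


# Constructed trace (documentation addresses): a burst source sending 50 queries
# in 5 seconds, and a normal client sending one query per second for 30 seconds.
TRACE = sorted(
    [(i * 0.1, "198.51.100.7") for i in range(50)]
    + [(float(i), "192.0.2.10") for i in range(30)]
)

if __name__ == "__main__":
    for src, counts in replay(TRACE).items():
        print(f"{src}: accepted {counts['ACCEPT']}, dropped {counts['DROP']}")
```

Replaying the trace shows the burst source getting its first 19 queries through and the remaining 31 dropped, while the one-query-per-second client is never throttled. The same replay against a capture of your own CLC's query sources is a quick way to check that the chosen threshold throttles abusers without affecting legitimate internal clients.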


Eucalyptus 3.4.2 resolves the issue.

Please see for instructions on downloading and upgrading to the latest Eucalyptus software.

Contact and help

Contact the Eucalyptus security team at