Open DNS Server
Jeffrey Stevens
jeff1132 at charter.net
Fri Aug 11 03:39:53 UTC 2006
Had a customer report the failure below running http://www.dnsreport.com. I am
looking at this thinking the obvious answer is to turn off recursion on the
authoritative server, but that would mean the customer's other lookups might
start failing. I am also thinking of recommending running one server as
authoritative only and another as a caching server...but have I missed anything?
FAIL - Open DNS servers - ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 200.184.26.4 reports that it will do recursive lookups.
Server 200.184.103.230 reports that it will do recursive lookups.
--
Jeffrey Stevens
gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8
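The two remedies the post weighs (restrict recursion to the customer's own hosts, or split the authoritative and caching roles onto separate servers) as BIND 9 named.conf fragments. This is an added example, not configuration from the original post or from the customer's servers; the zone name example.com, the file paths and the 192.0.2.0/24 "customers" network are placeholders standing in for the customer's real values.

```conf
// Added example (not from the original post). BIND 9 named.conf fragments
// showing the flagged setting and two corrected layouts. Each "options"
// block below belongs in a separate named.conf; they are shown together
// only for comparison. 192.0.2.0/24 is an assumed placeholder for the
// customer's own address space.

// ---- BEFORE: what the dnsreport "Open DNS servers" test flags ----------
// recursion is on and nothing limits who may use it, so any host on the
// Internet can ask this server to resolve names it is not authoritative for.
options {
    directory "/var/named";
    recursion yes;
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- AFTER, option 1: one server, recursion limited to known clients ----
// Outside hosts still get authoritative answers for example.com, but a
// recursive query for anything else is refused instead of being looked up.
acl "customers" {
    192.0.2.0/24;   // assumed customer network
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { customers; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- AFTER, option 2: split roles across two servers --------------------
// Server A (the one listed in the delegation): authoritative only.
// With recursion off there is no cache to poison and nothing to abuse.
options {
    directory "/var/named";
    recursion no;
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// Server B (the one the customer's resolv.conf points at): caching only,
// reachable from the customer network alone, with no zones of its own.
options {
    directory "/var/named";
    recursion yes;
    allow-query { customers; };
    allow-recursion { customers; };
};
```

After reloading, querying the server from a host outside the "customers" ACL for a name it is not authoritative for should come back REFUSED with the ra flag cleared from the header, while a query for example.com itself still answers normally; the dnsreport test then passes.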