Open DNS Server
Kevin Darcy
kcd at daimlerchrysler.com
Fri Aug 11 21:24:41 UTC 2006
Jeffrey Stevens wrote:
> Had a customer report the failure below running http://www.dnsreport.com. I am
> looking at this thinking the obvious answer is to turn off recursion on the
> authoritative server, but that would mean the customer's other lookups might
> start failing. I am also thinking of recommending running one server as
> authoritative only and another as a caching server...but have I missed anything?
>
> FAIL - Open DNS servers - ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
> Server 200.184.26.4 reports that it will do recursive lookups. [test]
> Server 200.184.103.230 reports that it will do recursive lookups. [test]
>
If you want to save your client the expense of buying more servers, you
could set up their current nameservers to have one "view" for their
recursive clients, one for the rest of the world, and then turn off
recursion only for the external-facing view. The downside of this is
you/they have to come up with some maintainable way for their internal
clients to resolve names from the same zones that they host to the
Internet. This may boil down to having duplicate copies of those zones.
But, how to keep them in sync?
A more simplistic approach is to use allow-recursion to permit only
their own clients to recurse. The problem with that is that outsiders
can still see what's in the cache (it doesn't require any recursion to
return an answer from cache, so by default that's fair game), which
means they could conceivably divine what sites your customer's users are
visiting, and how frequently, which is arguably an information
disclosure which could have security implications. In BIND 9.4.0 (not
released yet), we'll have more fine-grained control over who can query
data from cache (as opposed to from recursion or authoritative data), so
in theory this should become less of an issue.
- Kevin
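As an added example (not from Kevin's message or the bind-users archive), here is a constructed named.conf sketch of the two-view approach he describes: the internal view may recurse and read the cache, while the external view serves only authoritative data. The ACL range, zone name and file paths are placeholders, and the allow-query-cache lines need BIND 9.4 or later.

```conf
// Constructed example named.conf for BIND 9; not from the original post.
// 192.0.2.0/24, example.com and the file paths are placeholders.

acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    // Recursion and cache settings are decided per view below.
};

// View for the customer's own clients: recursion and cache reads allowed.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    // BIND 9.4+: only these clients may read answers already in the cache,
    // which addresses the "outsiders can still see the cache" concern.
    allow-query-cache { internal; };

    zone "example.com" {
        type master;
        // Copy served to internal clients. If it is identical to the
        // external copy, both views can point at the same file.
        file "internal/db.example.com";
    };
};

// View for everyone else: authoritative answers only, no recursion, no cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };   // BIND 9.4+

    zone "example.com" {
        type master;
        file "external/db.example.com";   // copy served to the Internet
    };
};
```

To confirm the external view is in effect, query the server from an address outside the internal ACL and check that the response header no longer carries the ra (recursion available) flag.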