Open DNS Server
Evan Xinos
ex at bcapub.com
Fri Aug 11 18:50:57 UTC 2006
Try using an ACL for your recursion, allowing only certain IP blocks to make
recursive queries:
options {
    // your other options here
    allow-recursion { 192.168.0.0/26; };
};
__________________________________
Evan Xinos
System Support Analyst
BCA Publications
(514)499-9550 ext 222
mailto:evan at bcaresearch.com
http://www.bcaresearch.com
__________________________________
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
Of Jeffrey Stevens
Sent: Thursday, August 10, 2006 11:40 PM
To: bind-users at isc.org
Subject: Open DNS Server
Had a customer report the failure below running http://www.dnsreport.com. I
am looking at this thinking the obvious answer is to turn off recursion on
the authoritative server, but that would mean the customer's other lookups
might start failing. I am also thinking of recommending running one server
as authoritative only and another as a caching server... but have I missed
anything?
FAIL - Open DNS servers - ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 200.184.26.4 reports that it will do recursive lookups. [test]
Server 200.184.103.230 reports that it will do recursive lookups. [test]
--
Jeffrey Stevens
gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8
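Both approaches discussed in this thread written out as BIND 9 named.conf fragments (an added example, not configuration posted by either participant): the ACL-limited recursion Evan suggests, and the authoritative-only server Jeffrey is considering. The ACL name, the address blocks and the zone name are placeholders; the three `options` blocks are alternatives for three separate files, not one file.

```conf
// --- Weak: what dnsreport flags as an "open DNS server" ---
// recursion is on and nothing restricts who may use it, so any address
// on the Internet can query this server for names it is not authoritative for.
options {
    directory "/var/named";
    recursion yes;
};

// --- Option 1 (Evan's suggestion): keep recursion, but only for your own networks ---
acl "trusted" {            // placeholder ACL name; list the customer's own address blocks
    127.0.0.1;
    192.168.0.0/26;        // the block used in Evan's reply; replace with real ones
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };   // outside addresses get REFUSED for non-authoritative names
    allow-query-cache { "trusted"; }; // BIND 9.4 and later: keep cached answers away from outsiders too
};

// --- Option 2 (Jeffrey's alternative): authoritative-only server, no cache to poison ---
// The customer's hosts point their resolvers at a separate caching server
// that hosts no zones; this server only answers for the zones below.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };   // authoritative data is meant to be public
};

zone "example.com" {       // placeholder zone name
    type master;
    file "example.com.zone";
};
```

To check the result from a host outside the ACL, `dig @<your-server> www.example.org A` should come back with status REFUSED and without the `ra` flag, while queries for the zones the server hosts are still answered; that is exactly the condition the dnsreport test probes for.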