Our DNS is vulnerable --need help
Alans
batpower83 at yahoo.co.uk
Thu Oct 8 09:36:39 UTC 2009
Very nice, I got it, thanks every one.
Kind regards,
Alans
-----Original Message-----
From: Mark Elkins [mailto:mje at posix.co.za]
Sent: Thursday, October 08, 2009 12:22 PM
To: Alans
Subject: Re: Our DNS is vulnerable --need help
On Thu, 2009-10-08 at 11:15 +0300, Alans wrote:
> Hi List,
>
> According to this site (tool) http://recursive.iana.org/ our DNS is
> vulnerable (result is: Is recursive, with source port randomization)!
> It’s an ISP’s DNS so yes, recursion is available. What can we do to
> eliminate the risk?
Restrict queries to your customers. (in /etc/named.conf)
options {
    directory "/var/bind";
    listen-on-v6 { any; };
    allow-query {
        127.0.0.1;
        160.124.0.0/16;
        2001:42a0::/32;
        192.96.24.0/21;
    };
};
i.e. my customers are on 160.124.0.0/16, etc.
If you have a checker tool and you run it internally - it'll obviously
still say you are 'open to recursion'.
If this is also an authoritative nameserver (you host a domain or two)
then...
(named.conf)
acl posix-cust { 160.124.0.0/16; 192.96.24.0/21; 127.0.0.1; 2001:42a0::/32; };
options {
    directory "/var/bind";
    listen-on-v6 { any; };
    allow-query { any; };
    allow-recursion { posix-cust; };
};
Anyone can ask non-recursive questions, but only customers can ask
recursive questions.
--
Posix Systems - Sth Africa
mje at posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
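As an added example (not from this thread, and not BIND's own code), the following Python script evaluates a simplified named.conf address match list the way BIND does: first match wins, a `!` element denies, a named ACL is expanded, and a negated match inside a nested ACL counts as "no match" so the outer list keeps going. It goes beyond Mark's fragment by handling negation and nesting; the sample configuration is constructed from his acl/allow-recursion example, and the parser only understands `acl` blocks, `allow-recursion`, `any`, `localhost`, named ACLs and literal addresses or prefixes.

```python
import ipaddress
import re

# Constructed named.conf fragment modelled on the one in Mark's reply.
SAMPLE_CONF = """
acl posix-cust { 160.124.0.0/16; 192.96.24.0/21; 127.0.0.1; 2001:42a0::/32; };
options {
    allow-query { any; };
    allow-recursion { posix-cust; };
};
"""

# Picks out 'acl <name> { ... }' and 'allow-recursion { ... }' blocks.
_LIST_RE = re.compile(r'(acl\s+(\S+)|allow-recursion)\s*\{([^}]*)\}')

def parse_conf(text):
    """Return ({acl name: elements}, allow-recursion elements or None)."""
    acls, recursion = {}, None
    for m in _LIST_RE.finditer(text):
        elems = [e.strip() for e in m.group(3).split(';') if e.strip()]
        if m.group(2):
            acls[m.group(2)] = elems
        else:
            recursion = elems
    return acls, recursion

def match_list(addr, elems, acls):
    """First-match walk of an address match list: 1 = match, -1 = negated match, 0 = none."""
    for elem in elems:
        negate = elem.startswith('!')
        name = elem.lstrip('! ')
        if name == 'any':
            hit = True
        elif name == 'localhost':
            hit = addr.is_loopback
        elif name in acls:
            # BIND treats a negated match inside a nested ACL as "no match"
            hit = match_list(addr, acls[name], acls) > 0
        else:
            # ip_network refuses a mismatched address family via 'in' (returns False)
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negate else 1
    return 0

def recursion_allowed(client_ip, conf=SAMPLE_CONF):
    """True if client_ip may send recursive queries; no match means denied."""
    acls, recursion = parse_conf(conf)
    if recursion is None:
        raise ValueError("no allow-recursion statement: recursion is unrestricted")
    return match_list(ipaddress.ip_address(client_ip), recursion, acls) > 0
```

Running `recursion_allowed('8.8.8.8')` against the sample returns False while a customer address such as `160.124.5.9` returns True, which is the split Mark describes between non-recursive and recursive access.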