DNS Servers are open

chartmusic (Verified User; joined Sep 27, 2006; 50 messages; North Devon)
I have an Open DNS Server
http://member.dnsstuff.com/info/opendns.php
An open DNS server is a DNS server that responds to recursive queries (queries for domains that the DNS server is not authoritative for, such as websites that you go to, or domains that you send mail to, rather than your own domain), and does so for anyone (rather than just clients on your local network).

When DNS servers and mailservers were originally put into use, they were all open. That's just how the Internet was way back when. Over the years, spammers started relaying through open relays, so the best practice became not to run open relay mailservers. For quite a few years now, best practice has been not to have a DNS server be both authoritative and caching (doing recursive lookups). But most DNS servers are still open.

The problem is that there are now DDoS attacks (attacks that send lots of data to a computer, so that it becomes overloaded) that use open DNS servers, using amplification (sending small packets to a computer that then sends large packets to the victim, making it possible to send more data to the victim). Specifically, a UDP DNS packet is sent with a forged source IP address (the one of the victim), and a query is made in a small packet (about 75 bytes) for a domain that has a very large response packet (using EDNS0, it can be 4,000 or more bytes). The response packet then goes to the victim. The victim gets about 50 times as much data as the attacker is sending out. So with a dialup connection, they could saturate a T1 line.



NOTE: These instructions show you how to completely disable recursion. This is the best practice. However, if you need to run a DNS server that is both authoritative and recursive/caching, you will need to check the DNS server documentation to find out how to enable recursive lookups only for your local network. It seems that there is no way to do this with Microsoft DNS; if so, you will need to use other DNS server software or use a hosted DNS service. If anyone is aware of a way to get Microsoft DNS to allow recursion only to specific IP ranges, please let us know -- lots of people would like to do that.

....

Fixing BIND

* Open named.conf with a text editor
* Use a line "recursion no;" in the "options" clause (or in the "view" clause)
* If you need to enable recursion for your local network, you can use an "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line in the "options" section.
* [Use caution; BIND files are easy to break]
* For complete hardening, see http://www.cymru.com/Documents/secure-bind-template.html.

Do we have an example named.conf so I don't mess it up?
Also once the amendment is saved, does any process have to be restarted?
 
Code:
//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        recursion no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};
 
Now added the recursion no line.

Had to restart named service before it took effect, but all is now good.

Thank you floyd :D
 
Had to restart named service before it took effect

I forgot to tell you that.

You have to restart named after making the change. :)
 
Check to make sure it's good.

Log in to your server through a shell, and do:
Code:
nslookup nobaloney.com
Do you get a good reply showing a non-authoritative answer for nobaloney.com with an IP#?

Do you get it quickly without any long wait or timeout?

If not, then check the contents of your /etc/resolv.conf file. Once you've made your nameserver nonrecursive it should not be listed in resolv.conf, but you must have at least one (preferably two) working recursive nameservers listed there by IP#.

Note you do not have to restart anything after making changes to the resolv.conf file, but be sure to do a test nslookup to make sure the new contents work.

Jeff
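A small checker, added here as an example (not Jeff's or the thread's code, and not the dnsstuff tool), that tests the thing the thread is about: it sends your own server a query with the RD bit set for a name it is not authoritative for (nobaloney.com, as in the nslookup test above) and reads the RA flag and RCODE of the reply. A closed server answers REFUSED or with RA clear; an open one recurses and returns an answer. The fixed transaction ID 0x1234 and the sample packets in the tests are constructed values.

```python
import socket
import struct

QUERY_ID = 0x1234  # assumed fixed transaction ID for the sample query
RCODE_REFUSED = 5

def build_query(name, qid=QUERY_ID):
    """Build a DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(resp, qid=QUERY_ID):
    """Classify a raw reply: 'open' (it recursed for us), 'closed' (refused or no RA), else 'unknown'."""
    if len(resp) < 12:
        return "unknown"
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:      # wrong transaction ID, or not a response at all
        return "unknown"
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:                # recursion not allowed for our source address
        return "closed"
    if not recursion_available:               # e.g. a referral to the root servers instead
        return "closed"
    if ancount > 0:                           # RA set and it actually fetched the answer
        return "open"
    return "unknown"                          # RA set but nothing resolved: inspect by hand

def check_server(server, name="nobaloney.com", timeout=3.0):
    """Send the query over UDP to `server`:53 and classify the reply ('timeout' if none)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1]))   # e.g. python check_open.py 192.0.2.53
```

Run it from a host outside the networks listed in allow-recursion; a result of "open" from there means the recursion change has not taken effect.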
 
I've added no recursion to my bind9 configuration and some of my customers are complaining they cannot resolve their domain from their work, but it works fine at home.

I never had complaints about this before adding the "no recursion" option to bind9. What else do I need to change in the bind9 config to make sure that both my DNS server is OK and my customers aren't complaining?

Thanks a lot!

Regards, Jeroen.
 
// ACLs must be defined before they are referenced (BIND allows no forward
// references), so they come before the options block.
acl "external_secondaries" {
        <slave1IPAddr>;
        <slave2IPAddr>;
        <slave3IPAddr>;
};

acl "internal_addresses" {
        127.0.0.1;
        <internalIPAddr1>; <internalIPAddr2>;
        <internalIPAddr3>; <internalIPAddr4>;
};

// Queries from these sources are dropped outright. Remove any range that
// your internal_addresses actually live in (e.g. 10.0.0.0/8), or those
// clients will be blackholed too. This bogon list is from the 2006-era
// template: 1.0.0.0/8 and 2.0.0.0/8 have since been allocated.
acl "bogusnets" {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
        224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

acl "listen_ipaddress" {
        <IPAddrofThisDNSServer>;
};

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        // zone transfers only to the secondaries
        allow-transfer { "external_secondaries"; };
        // recursion only for the secondaries and the internal network;
        // everyone else is refused for names this server is not authoritative for
        allow-recursion { "external_secondaries"; "internal_addresses"; };
        blackhole { "bogusnets"; };
        version "named";
        auth-nxdomain no;
        listen-on { "listen_ipaddress"; };
};

logging {
        category notify { null; };
        category lame-servers { null; };
};
 
Does anyone use NetCop for monitoring their servers? We do, and when I put recursion no; I get error messages from NetCop for some strange reason, plus the problems I described in my earlier posting.

Thanks and regards,

Jeroen.
 
It didn't work for me; they are still open.

FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 217.170.*.* reports that it will do recursive lookups. Server 217.170.*.* reports that it will do recursive lookups. See this page for info on closing open DNS servers.


/etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//

// ACLs must be defined before they are referenced (BIND allows no forward
// references). With them placed after the options block named rejects the
// file: a reload fails and leaves the previous configuration running.
acl "external_secondaries" {
        217.170.*.1;
        217.170.*.2;
};

acl "internal_addresses" {
        127.0.0.1;
        217.170.*.1; 217.170.*.2;
};

acl "listen_ipaddress" {
        217.170.*.1;
};

// rndckey is referenced by the controls statement below and must be defined
// first; the standard Red Hat key file location is assumed here
include "/etc/rndc.key";

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-transfer { "external_secondaries"; };
        // recursion only for the secondaries and this server's own addresses
        allow-recursion { "external_secondaries"; "internal_addresses"; };
        version "named";
        auth-nxdomain no;
        listen-on { "listen_ipaddress"; };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

logging {
        category notify { null; };
        category lame-servers { null; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
 
Did you restart named after making the change?

Since you did not provide the full IP address there is no way we can double check it for you. There is no reason to hide something you want the public to know. See here
 