Securing Named

vandal

There is a new check at dnsstuff.com which checks for open DNS.

I tested mine as such:

http://www.dnsreport.com/tools/dnsreport.ch?domain=thinkwebmedia.com

If you failed on the open DNS check, here is how you can secure this:

Code:
nano -w /etc/named.conf

acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
        127.0.0.1;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};

Add all the DNS servers in your cluster, including your own, to the IP list under the trusted ACL, then add the extra information to the "options" section.

Also, there is a "version" declaration there where you can hide your version of named.

Restart named and you are good to go.

Good luck all!
 
Though the location of the named.conf file may differ, and the restart command may differ, the rest of the instructions should be the same.

Jeff
 
Note this isn't a 100% fix, I am still researching and will update this thread, although it stops a lot of abuse like poisoning the cache, or using your name server as an attack (to flood other name servers for queries off the net).
 
I do something similar, but use it a little differently. Just thought I'd post mine in case you want to control it a little differently.

Code:
// named allows no forward references to ACL names, so the acl statements
// must come before the options block that uses them.
// The <...> entries are placeholders for your own addresses.
acl "external_secondaries" {
        <slave1IPAddr>;
        <slave2IPAddr>;
        <slave3IPAddr>;
};

acl "internal_addresses" {
        127.0.0.1;
        <internalIPAddr1>; <internalIPAddr2>;
        <internalIPAddr3>; <internalIPAddr4>;
};

// Networks that should never be a legitimate query source. Note that
// 1.0.0.0/8 and 2.0.0.0/8 have since been allocated and now carry real
// clients; review this list before reusing it.
acl "bogusnets" {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
        224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

acl "listen_ipaddress" {
        <IPAddrofThisDNSServer>;
};

options {
        directory "/var/named";
        allow-transfer {
                "external_secondaries"; };
        allow-recursion {
                "external_secondaries";
                "internal_addresses"; };
        blackhole {
                "bogusnets"; };
        version "dilligaf";
        auth-nxdomain no;
        listen-on {
                "listen_ipaddress"; };
};

logging {
        category notify { null; };
        category lame-servers { null; };
};

You could also add a "trusted" under the recursion section, and just add any ip addr that you want to be trusted to do recursion, but that doesn't do anything else.
 
I added my DNS servers to the trusted ACL in my named.conf and users found they couldn't send email to external email addresses. My named.conf looked like this:

//Start
acl "trusted" { ns1.ip; ns2.ip; ns3.ip; 127.0.0.1; };
options {
        directory "/var/named";
        version "100.100.100";
        // allow-transfer was listed twice (once as "ns1.ip; ns2.ip; ns2.ip;");
        // named refuses to start on a redefined option, so it is given once.
        allow-transfer { trusted; };
        allow-recursion { trusted; };
        allow-notify { trusted; };
};
include "/etc/rndc.key";

Any reason why this should fail?

Does DA honour the changes made in named.conf, or should the file be copied to the custom directory?

Jon
 
Sounds to me like you have resolv.conf set to resolve to yourself (the server) and not to an external DNS server (usually your hosting company's DNS servers).
 
Can't I just add recursion no; to the named.conf file?

I did just that and DNSReports says that I am fine. Is that all I need to do?

I don't use my own servers for lookups, I use my upstreams.

Thanks,
Phil
 
jw00dy said:
Did you make it allow-recursion no;

And did you put it in the options section?

I just added:

recursion no;

in the options section, restarted and it seems to have fixed it for DNSReports, but I wanted to know if it really fixed it.

Thanks,
Phil
 
If you want to know if it works do this:

From a different machine, type:

nslookup server=<ip addr> <enter>

Then try and lookup a domain not hosted on that dns server. Like Google.com or something.

It should not work.
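The same test, done from a script instead of nslookup, as an added example that is not part of the thread: it sends a query with the RD (recursion desired) bit set for a name your server does not host and reads the flags in the reply. Only the standard library is used, and the sample replies in the docstring are constructed, not captured.

```python
"""Open-recursion probe: ask a nameserver for a name it is not authoritative
for and classify its reply from the DNS header flags.  Added example."""
import socket
import struct

REFUSED = 5  # DNS RCODE for a refused query


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = 0x1234) -> str:
    """Report what the server did with our recursive query.

    'open'    : RA set and answers returned, so it recursed on our behalf
    'refused' : RCODE REFUSED, what allow-recursion / recursion no produce
    'closed'  : no RA and no answers (e.g. a bare referral), not recursing for us
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch; ignoring reply")
    if flags & 0x000F == REFUSED:
        return "refused"
    if flags & 0x0080 and ancount > 0:  # RA bit plus at least one answer record
        return "open"
    return "closed"


def probe(server_ip: str, name: str = "google.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to server_ip and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        resp, _ = s.recvfrom(512)
    return classify_response(resp)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # e.g. python3 probe.py <ip addr>
```

A timeout means the server dropped the query outright (for instance a blackhole match), which is also not open recursion.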
 
jw00dy said:
I do something similar, but use it a little differently. Just thought I'd post mine in case you want to control it a little differently.

Thanks jw00dy, this is what I'm finding.
 
That fixes your nameserver.

The much more important issue is whether or not that causes an additional problem.

From any prompt on your server (for example your admin login prompt $):

$ nslookup nobaloney.net

If you can't look up my domain you've broken domain lookups from your server, which will affect outgoing email and slow down your login and other connections, and make it impossible for any of your daemons to log domain names in your logs.

The fix for that is to make sure that your file:

/etc/resolv.conf

lists at least two nameservers, both of which are working servers on a network local to your server, and neither of which are actually your nameserver.

It's been very easy to just use your local nameserver as its own nameserver, and over the years many of us have used that shortcut, but it no longer works if your local nameserver is set to not do recursion.

Jeff
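A script that checks a resolv.conf against the advice above (at least two nameservers, none of them this host), as an added example that is not part of the thread. The sample file is constructed; `own_addresses` is where you pass the server's own IPs, since loopback is detected on its own.

```python
"""Check resolv.conf for the failure mode described above: a host that points
at itself for lookups breaks as soon as its named stops recursing.  Added example."""
import ipaddress

# Constructed sample in the shape resolv.conf takes (comments start with '#').
SAMPLE_RESOLV_CONF = """\
#search example.net
#nameserver 192.0.2.100
nameserver 192.0.2.37
nameserver 127.0.0.1
"""


def parse_nameservers(text: str) -> list:
    """Return nameserver addresses in file order, skipping comments and blanks."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def check_resolvers(text: str, own_addresses) -> list:
    """Return a list of problems; an empty list means the file follows the advice."""
    servers = parse_nameservers(text)
    problems = []
    if len(servers) < 2:
        problems.append(f"only {len(servers)} nameserver(s) listed; want at least two")
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            problems.append(f"{s!r} is not an IP address")
            continue
        if addr.is_loopback or s in own_addresses:
            problems.append(f"{s} is this host: it stops working once named no longer recurses")
    return problems


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        # Put this server's own public/private IPs in the set below.
        for problem in check_resolvers(fh.read(), set()) or ["resolv.conf looks fine"]:
            print(problem)
```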
 
Originally posted by jlasman

The fix for that is to make sure that your file:

/etc/resolv.conf

lists at least two nameservers, both of which are working servers on a network local to your server, and neither of which are actually your nameserver.

Jeff

It has to be local servers on your network and not servers in separate locations, which is what I use to add redundancy should my local network fail?

Jon
 
What you want is high-speed resolution. That's what you get on your local network.

Do you misunderstand the purpose of /etc/resolv.conf? This is the list of nameservers THIS machine will use. If the local network fails the local machine isn't going to be able to get to an off-network nameserver anyway. Or anywhere else off-network, in fact.

Jeff
 
When I cat the file resolv.conf the system returns

Code:
#search wedonow.com
#nameserver 202.134.16.100
nameserver 202.134.18.37
nameserver 208.67.222.222
This is normal???
 