Open DNS relay?

**FestiveHosting** · 07-31-2006, 04:58 AM

While conducting a scan on my DNS server, I received the following:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server reports that it will do recursive lookups. [test]
Server reports that it will do recursive lookups. [test]

Is there any risk by closing this?

**Andre** · 07-31-2006, 05:06 AM

cPanel will automatically leave the DNS server open. In my opinion it is hardly a risk to leave it open, but you may feel free to close it, there are no risks involved with that.

**CPUBUM** · 08-31-2006, 03:48 PM

Originally Posted by FestiveHosting

ERROR: One or more of your nameservers reports that it is an open DNS server.

You can lock down your DNS but you have to enter all your IP addresses as trusted otherwise you will not be able to talk to the outside world. Doing this wrong can cause you to get LOCKED out of your server or all your email to stop working. run this script on your server to build the changes you need to make to your /etc/named.conf file:

Code:

#!/usr/bin/perl

@ips = `ifconfig`;
chomp @ips;

print "\n\nacl \"trusted\" {\n";
foreach my $line (@ips) {
        if ($line =~ /inet addr:(\d+\.\d+\.\d+\.\d+)/) {
                print "        $1;\n";
        }
}
print "};\n\n";
print "options {\n";
print "        directory \"/var/named\";\n";
print "        dump-file \"/var/named/data/cache_dump.db\";\n";
print "        statistics-file \"/var/named/data/named_stats.txt\";\n";
print "        version \"not currently available\";\n";
print "        allow-recursion { trusted; };\n";
print "        allow-notify { trusted; };\n";
print "        allow-transfer { trusted; };\n";
print "};\n\n"

After you run the above, use the output to replace the OPTIONS part with the generated output.

I know if works, cause we have it locked down on our servers. If you add or remove IP addresses from your server, you will need to UPDATE these in the /etc/named.conf file.

Not sure about VPS... Andre will will have to address that, we have dedicated.

CB

LinkBack

Thread Tools

Display

Open DNS relay?

Bookmarks

Bookmarks

Posting Permissions