cPanel Forums
03-02-2006, 02:15 PM
|
|||
|
|||
|
dns server recursive lookups bad?
DNS report reports:
Test Name: Open DNS servers Status: Fail ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it. This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are: Server x.x.x.1. reports that it will do recursive lookups. Server x.x.x.2. reports that it will do recursive lookups. Server x.x.x.3. reports that it will do recursive lookups. I believe this used to be listed as a warning since I setup my cpanel server two years ago but I never thought much of it. Now that they have changed the status to fail I assume they are aware of real-world problems caused by it more than just a tiny tiny bit of load. 1.) is setting named to allow recursive lookups the default for cpanel? Or have I done something wrong. 2.) are people following dnsreport.com's advice now and turning recursive lookups off so cpanel dns will only reply for domains specifically hosted by our servers? 2.) how would this be done?     
|
|
03-02-2006, 02:30 PM
|
||||
|
||||
|
You can read the CERT explanation here:
http://www.us-cert.gov/reading_room/...sion121605.pdf
|
|
03-02-2006, 02:39 PM
|
|||
|
|||
|
So what is the correct way to turn off recursion without breaking anything on a whm/cpanel server?
Is this the correct thing to add to the named.conf options { allow-recursion { 127.0.0.1; xxx.xxx.xxx.xxx; }; }; with xxx.xxx.xxx.xxx the server's primary IP used for exim?
|
|
03-02-2006, 03:10 PM
|
||||
|
||||
|
In addition to 127.0.0.1 that line should include all IPs on the server plus other IPs that you want to allow recursion.
ACLs are another way to handle this. http://www.net.cmu.edu/groups/netdev...9ARM.ch07.html For instance we use this type of config: acl "trusted" { "main server IP"; 127.0.0.1; "name server IP"; "name server IP"; "additional secondary name server IP; "and so on"; }; options { directory "/var/named"; version "not currently available"; allow-recursion { trusted; }; allow-notify { trusted; }; allow-transfer { trusted; }; }; Last edited by sawbuck; 03-02-2006 at 03:23 PM.
|
|
03-03-2006, 12:48 AM
|
|||
|
|||
|
I just noticed the same thing when I was performing a DNS check on one of my domains.
Sawbuck The example config you provided...is that intended for named.conf or is it for another file? Also, I'm assuming it would go before everything else.
|
|
03-03-2006, 12:12 PM
|
||||
|
||||
|
Hi,
I've tried this and have a couple questions... I built up a couple ACLs using sawbuck's example as well as some of the info at the link he provided. These are the ACLs... // Set up an ACL named bogusnets that will block RFC1918 space, // which is commonly used in spoofing attacks. acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; // Set up an ACL named trusted that includes our IPs as well as those // for our providers back-up nameservers acl trusted { 127.0.0.1; xx.xx.xxx.xx; // my IPs xx.xx.xxx.xx; xx.xx.xxx.xx; xx.xx.xxx.xx; // some IPs for my DC back-up DNS server xx.xx.xxx.xx; }; Then I added these lines to my options statement options { directory "/var/named"; // the next 6 directives added by verdon see above version "not currently available"; allow-recursion { trusted; }; allow-notify { trusted; }; allow-transfer { trusted; }; blackhole { bogusnets; }; allow-query { trusted; }; }; Although this stuff seems to work, I notice a couple things... 1) DNSreports is now saying my primary nameserver (on my primary IP) is LAME. If I comment out the new options and re-start BIND, the LAME nameserver error goes away 2) when I restart BIND there are immediately a number of failed queries such as; client 211.78.130.2#41775: query 'domain.com/IN' denied Mar 3 11:47:30 rhythm named[10672]: The IP 211.78.130.2 routes to ns2.sparqnet.net which seems to be a hosting company in Taiwan. Is blocking this a good thing? Basically, I guess I'm asking, am I blocking too much with my additions to named.conf? Are there any thoughts about how to keep the recursive look-ups private without getting the lame nameserver error? Are the issues related? Thanks 
|
|
03-03-2006, 01:36 PM
|
||||
|
||||
|
Thanks all, this is very useful info.
Verdon, bearing in mind that I am not the Bind expert here, I wonder if your allow-query { trusted; }; entry is not too restrictive. Does that not block all queries from outside?
__________________
Stephen @ ANNO Internet
|
|
03-03-2006, 01:50 PM
|
||||
|
||||
|
Quote:
Yes, I believe that it would. I guess that I'm just wondering out loud, which outside queries I would want to allow? I was working from the example here http://www.net.cmu.edu/groups/netdev...9ARM.ch07.html
|
|
03-03-2006, 05:51 PM
|
|||
|
|||
|
does it matter where in named.conf this is placed?
Quote:
|
|
03-03-2006, 07:30 PM
|
|||
|
|||
|
Quote:
|
|
03-04-2006, 12:18 PM
|
||||
|
||||
|
Quote:
http://www.linuxsecurity.com/resourc...ame_server.pdf
|
 |
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT -5. The time now is 10:12 AM.
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© cPanel Inc
