
HOW-TO Close DNS Servers - ???

Discussion in 'Bind/DNS/Nameserver' started by sh4ka, Mar 25, 2006.

Thread Status:
Not open for further replies.
  1. sh4ka

    Has anyone tested this?

    Taken from and translated by me.., I would like to know if this is really possible to do, and if this will affect bind service over a cPanel + RH ES 3 box running the Release tree... ¿?
    Please, I will appreciate all your suggestions about this.

    Original post from :

    "Recently some new types of DDoS attacks have been taking place over the net, they involve the use of mis-configured DNS Servers, in this guide we will diagnose our DNS Servers to see if they accept recursive connections and if they do, we will solve the problem.


    To diagnose the DNS server I recommend an excellent free website:
    In the left field type your domain name (without www) and press "DNS Report".
    Study very carefully the report information:
    A yellow box means non-critical problems; a red picture means a problem that requires our attention.
    The line "Open DNS server", if that line is in red and text content is something like these:

    ERROR: One or more of your nameservers reports that it is an open DNS server.
    This usually means that anyone in the world can query it for domains it is not authoritative 
    for (it is possible that the DNS server advertises that it does recursive lookups when it does not,
     but that shouldn't happen). This can cause an excessive load on your DNS server. 
    Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and
     be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, 
    there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server 
    as part of an attack, by forging their IP address. Problem record(s) are:
    If that line is red and the alert is something like that, that means that your server is vulnerable, otherwise if it is not red, you just can forget this guide because it is OK.

    Fixing an Open DNS Server

    Note: these instructions are only for the BIND service; search Google if you are using another type of DNS server.

    xxx.xx.xx.xx = YOUR SERVER IP

    1- Login as root
    2- Edit file /etc/named.conf with your favourite text editor, for example: vi /etc/named.conf
    3- In the top of the file (first line) type the following lines:

    acl local-net-addrs { xxx.xx.xx.xx; };
    where xxx.xx.xx.xx is YOUR IP, if you have more than one you can use ";" to put them there, or use the cidr format like this: xx.xx.xx.xx/27

    4- Search for section "options" inside the named file and paste the next line:
    allow-recursion { local-net-addrs; };
    5.- Delete everything that looks like:
    acl { xx.xx.xx.xx}

    Now run the test again to make sure that the warning message is gone.. and to verify that your server is properly resolving internal and external domains, you can do it using the "dig" command -- dig --

    Ready, now our DNS server is a little bit more secure.."

    #1 sh4ka, Mar 25, 2006
    Last edited: Mar 25, 2006
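
The "Open DNS server" test quoted in the post above comes down to reading the header flags of a reply to a recursive query. The following Python is an added example, not part of the thread or of the quoted guide; the function names are hypothetical and the sample reply headers are constructed. It assumes the queried name exists and is one your server is not authoritative for.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)
REFUSED = 5                                      # RCODE 5

def build_query(name, qid=0x1234):
    """DNS A/IN query for `name` with RD (recursion desired) set."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(resp):
    """Judge a reply to a recursive query for a name the server is NOT
    authoritative for (the name must exist, so an open resolver answers it)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if not (flags & QR):
        raise ValueError("not a response")
    if (flags & 0x000F) == REFUSED or not (flags & RA):
        return "closed"                # refused, or a referral with RA clear
    if ancount > 0 and not (flags & AA):
        return "open"                  # it resolved a foreign name for an outsider
    return "advertises-recursion"      # RA set but no answer (the report's parenthetical case)

def probe(server, name, timeout=3.0):
    """Query your own nameserver over UDP; run this from a host outside the ACL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recvfrom(512)[0])

def hdr(flags, ancount=0, nscount=0):
    """Constructed 12-byte reply header used for the offline samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed sample replies (headers only; the classifier reads nothing else).
SAMPLE_OPEN = hdr(QR | RD | RA, ancount=1)    # before the allow-recursion change
SAMPLE_REFUSED = hdr(QR | RD | REFUSED)       # after: query refused
SAMPLE_REFERRAL = hdr(QR | RD, nscount=13)    # after: referral only, RA clear
SAMPLE_RA_ONLY = hdr(QR | RD | RA)            # RA advertised, nothing resolved

if __name__ == "__main__":
    for label in ("SAMPLE_OPEN", "SAMPLE_REFUSED", "SAMPLE_REFERRAL", "SAMPLE_RA_ONLY"):
        print(label, "->", classify_response(globals()[label]))
```

After the `allow-recursion` change, `probe()` run from a host outside `local-net-addrs` should return `closed`.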
  2. chirpy

    This has already been discussed at length in other dns recursion threads, please search before starting another one unnecessarily.