HOW-TO Close DNS Servers - ???

Discussion in 'Bind / DNS / Nameserver Issues' started by sh4ka, Mar 25, 2006.

Thread Status:
Not open for further replies.
  1. sh4ka (Well-Known Member, cPanel Access Level: DataCenter Provider)
    Has anyone tested this?

    Taken from www.forosdelweb.com and translated by me. I would like to know if this is really possible to do, and if this will affect the bind service on a cPanel + RH ES 3 box running the Release tree.
    I would appreciate all your suggestions about this.

    Original post from http://www.forosdelweb.com/showthread.php?t=380556 :

    -------BEGINNING OF POST TRANSLATION-------
    "Recently some new types of DDoS attacks have been taking place over the net; they involve the use of misconfigured DNS servers. In this guide we will diagnose our DNS servers to see if they accept recursive connections and, if they do, we will solve the problem.

    Diagnose,

    To diagnose the DNS server I recommend an excellent free website: http://www.dnsreport.com/
    In the left field type your domain name (without www) and press "DNS Report".
    Study very carefully the report information:
    A yellow box means non-critical problems; a red picture means a problem that requires our attention.
    Look at the line "Open DNS server": if that line is in red and the text content is something like this:

    Code:
    ERROR: One or more of your nameservers reports that it is an open DNS server.
    This usually means that anyone in the world can query it for domains it is not authoritative
    for (it is possible that the DNS server advertises that it does recursive lookups when it does not,
    but that shouldn't happen). This can cause an excessive load on your DNS server.
    Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and
    be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion,
    there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server
    as part of an attack, by forging their IP address. Problem record(s) are:
    xx.xx.xx.xx
    xx.xx.xx.xx
    
    If that line is red and the alert is something like that, your server is vulnerable; if it is not red, you can forget this guide because everything is OK.

    Fixing an Open DNS Server

    Note: these instructions are only for the BIND service; search Google if you are using another type of DNS server.

    xxx.xx.xx.xx = YOUR SERVER IP

    1- Login as root
    2- Edit the file /etc/named.conf with your favourite text editor, for example: vi /etc/named.conf
    3- At the top of the file (first line) type the following line:

    Code:
    acl local-net-addrs { 127.0.0.1; xxx.xx.xx.xx;};
    
    where xxx.xx.xx.xx is YOUR IP; if you have more than one you can use ";" to separate them, or use CIDR format like this: xx.xx.xx.xx/27

    4- Search for the "options" section inside the named file and paste the following line:
    Code:
    allow-recursion { local-net-addrs; };
    
    5.- Delete everything that looks like:
    Code:
    acl { xx.xx.xx.xx}
    
    SAVE AND RESTART NAMED SERVICE.

    Now run the dnsreport.com test again to make sure that the warning message is gone. To verify that your server is properly resolving internal and external domains, you can use the "dig" command: dig domain.com

    Ready, now our DNS server is a little bit more secure."

    ---- END OF POST TRANSLATION ----
     
    #1 sh4ka, Mar 25, 2006
    Last edited: Mar 25, 2006
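As an added example (not part of sh4ka's post or the translated guide), this POSIX shell script automates the "dig" verification mentioned at the end of the guide: it classifies a dig response header as coming from an open resolver or from a server that refuses recursion. The sample responses and the server argument are constructed; the live check needs dig and network access.

```shell
#!/bin/sh
# Added example (not from the forum post). An open resolver answers a
# recursive query for a name it is not authoritative for with status
# NOERROR, the "ra" flag set and a non-empty ANSWER section. A BIND
# server with allow-recursion restricted answers REFUSED (or a bare
# referral with ANSWER: 0 and no "ra"), which we treat as CLOSED.

# classify_dig_output "<dig text>": prints OPEN or CLOSED; exit 1 if OPEN.
classify_dig_output() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n1)
    case " $flags " in
        *" ra "*) has_ra=1 ;;
        *) has_ra=0 ;;
    esac
    if [ "$status" = "NOERROR" ] && [ "$has_ra" = 1 ] && [ "${answers:-0}" -gt 0 ]; then
        echo OPEN
        return 1
    fi
    echo CLOSED
    return 0
}

# check_server <nameserver>: live check. Query a name the server does not
# host (example.com is assumed here) so an authoritative answer cannot be
# mistaken for recursion. Requires dig and network access.
check_server() {
    classify_dig_output "$(dig @"$1" example.com A +recurse +tries=1 +time=3 2>&1)"
}

# Constructed sample headers, in dig's output format, for offline use.
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
REFERRAL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

# Offline demonstration of the classifier on the constructed samples.
classify_dig_output "$OPEN_SAMPLE" || :
classify_dig_output "$CLOSED_SAMPLE"
classify_dig_output "$REFERRAL_SAMPLE"
```

Run `check_server ns1.yourdomain.tld` after restarting named; it should print CLOSED once allow-recursion is limited to local-net-addrs.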
  2. chirpy (Well-Known Member)
    This has already been discussed at length in other DNS recursion threads; please search before starting another one unnecessarily.