possible secuirty problem

[silvernetuk]

Hi,

When in Windows Dos if I do a nslookup command then type server ns1.silverdns.com then type ls silvernetuk.net it list the following

& ls silvernetuk.net
[ns1.silverdns.com]
silvernetuk.net. NS server = ns1.silverdns.com
silvernetuk.net. NS server = ns2.silverdns.com
silvernetuk.net. A 66.xxx.xx.2
billing A 66.xxx.xx.2
cp A 66.xxx.xx.2
demosite A 66.xxx.xx.2
forum A 66.xxx.xx.2
forums A 66.xxx.xx.2
ftp A 66.xxx.xx.2
localhost A 127.0.0.1
members A 66.xxx.xx.2
olddesign A 66.xxx.xx.2
support A 66.xxx.xx.2
thesales A 66.xxx.xx.2
&


So I am doing the following commands to get this

C:\nslookup
Default Server: dns-loh-tb.proxy.aol.com
Address: 195.93.33.134

& server ns1.silverdns.com
Default Server: ns1.silverdns.com
Address: 66.xxx.xx.3

& ls silvernetuk.net
[ns1.silverdns.com]
silvernetuk.net. NS server = ns1.silverdns.com
silvernetuk.net. NS server = ns2.silverdns.com
silvernetuk.net. A 66.xxx.xx.2
billing A 66.xxx.xx.2
cp A 66.xxx.xx.2
demosite A 66.xxx.xx.2
forum A 66.xxx.xx.2
forums A 66.xxx.xx.2
ftp A 66.xxx.xx.2
localhost A 127.0.0.1
members A 66.xxx.xx.2
olddesign A 66.xxx.xx.2
support A 66.xxx.xx.2
thesales A 66.xxx.xx.2


How do I stop this from listed the above, when doing the above nslookup command, as I have been told a lot of other host block this as you can see by the one I have done on yahoo


C:\nslookup
Default Server: dns-loh-tb.proxy.aol.com
Address: 195.93.33.134

& server ns5.yahoo.com
Default Server: ns5.yahoo.com
Address: 64.58.77.85

& ls yahoo.com
[ns5.yahoo.com]
*** Can't list domain yahoo.com: Query refused

How do I get mine to do that ?

Regards,
Garry

 

[dgbaker]

In the named.conf between controls and zone add options.

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };

};

options {
allow-transfer { none; };
};

zone "." {
type hint;
file "/var/named/named.ca";
};



Restart named.

 

[silvernetuk]

Hi David,

Thank you for that :D

Regards,
Garry

 

[casey]

Hi guys,

I tried this, and it caused BIND to fail. Did I do something wrong?
After removing the code, BIND works fine, but I'd really like this option...
Can't have it both ways?

 

[dgbaker]

Did you restart named after making change?
Are you editing it with pico or vi?
Editing /etc/named.conf?

This shouldn't cause bind to fail at all. Check for typos and exact syntax. Aslo ensure that it is exactly where it is required and that no Zone info before it.

 

[casey]

I'm editing with pico.
etc/named.conf

However, all I did was restart bind. How do I restart named?

Thanks,

Casey

 

[dgbaker]

Easiest in SSH
cd /etc/init.d
./named restart

 

[ecoutez]

If Bind (which IS named) fails to start, look at the tail of /var/log/messages and you'll find the reason. Most likely a syntax error like a missing or extra ;

- Jason

 

[casey]

It says,

Mar 11 20:08:21 server2 named[9250]: no longer listening on 162.42.211.135#53
Mar 11 20:08:21 server2 named[9247]: exiting
Mar 11 20:08:21 server2 named: named shutdown succeeded
Mar 11 20:08:21 server2 named[9290]: starting BIND 9.2.1 -u named
Mar 11 20:08:21 server2 named[9290]: using 1 CPU
Mar 11 20:08:21 server2 named[9293]: loading configuration from '/etc/named.conf'
Mar 11 20:08:21 server2 named[9293]: /etc/named.conf:28: 'options' redefined near 'options'
Mar 11 20:08:21 server2 named[9293]: loading configuration: already exists
Mar 11 20:08:21 server2 named[9293]: exiting (due to fatal error)
Mar 11 20:08:21 server2 named: named startup failed


I copied and pasted it inbetween the lines above just as David said to do.

 

[Juanra]

That simply means that you've got two

options {

};

blocks, but you must only have one.

 

[casey]

Yahoo! That did it. Thanks Juanra, Jason, and David!

 

[jamesbond]

options {
allow-transfer { none; };
};

Sorry for digging up this old thread, but I was wondering the following
if ns2 is on the same server as ns1, is it then necessary to add the ip address of ns2 to allow-transfer as well?

Also I noticed some people put 127.0.0.1 in there, but that's not necessary is it?

 

[chirpy]

There is a nicer example on the forums for this. For AXFR's I don't believe you need the other IPs as it doesn't need to do transfers with itself. This is the one:
http://forums.cpanel.net/showthread.php?t=15922

 

[jamesbond]

There is a nicer example on the forums for this. For AXFR's I don't believe you need the other IPs as it doesn't need to do transfers with itself. This is the one:
http://forums.cpanel.net/showthread.php?t=15922

I was looking at that one as well. I know it's probably not necessary but I've added 127.0.0.1, ns1, ns2 and the main ip just to be on the safe side

What I have now is this :

acl trusted {
127.0.0.1;
ns1 ip;
ns2 ip;
main ip;
};

options {
version "currently unavailable";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

I was also looking at the allow-query command. Doesn't it make sense to only allow queries for domains that belong to your server (or network) instead of allowing queries for any domain? Or does allow-recursion already take care of this?

 

[chirpy]

Yup. You don't want to block allow-query otherwise your domains won't resolve, the allow-recursion stops outsiders using your server for DNS resolution of zones not on your server, which could cause more issues than the primary issue of allowing full zone transfers.