Security problem: cPanel allows DNS zone transfers for everyone!

Status
Not open for further replies.

gonzov

Member
Jun 19, 2004
Help me with my server, I have problems with DNS zones.

I have problems with my DNS zones: all domains go to the main IP address. I deleted the account in WHM and created it again, but it did not work.
What is the problem?
 

gonzov

Member
Jun 19, 2004
Someone who speaks Spanish, please help me with the DNS zones that don't work!!!

Someone who speaks Spanish to help me with the DNS zones that don't work on my dedicated server.
I have problems with the DNS zone; I don't know how to edit it and fix it.
 

mahdionline

Well-Known Member
Oct 18, 2003
I followed the instructions, but now when I go to nslookup.exe and type
> ls adomainname.com

it shows me a list of names and does not show your written message.
What's the problem?

Regards
 

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
Here is what we are using at the moment. Add this after the controls section. Make sure that you have no other options block, as that will cause bind/named to fail.
Code:
acl "slaves" {
        127.0.0.1; localhost;
};

acl "masters" {
        127.0.0.1; localhost;
};

acl "trusted" {
        127.0.0.1; localhost;
};

logging {
        // silence the "lame server" noise in the system log
        category lame-servers { null; };
};

options {
        statistics-file "/var/run/named/named.stats";
        allow-transfer { slaves; masters; trusted; };
        allow-recursion { trusted; };
        allow-notify { masters; };
};
Here, slaves are the slave DNS servers, masters are the master DNS servers and trusted are the servers you trust and allow to do recursive lookups and to request the DNS zones in full. Usually safe to keep by default.

This will also generate the statistics file at "/var/run/named/named.stats" (don't forget to execute "/usr/sbin/ndc stats" first!)
It could be used by MRTG, for example.

P.S. I'm not sure whether allow-notify should include masters only. It is supposed to list the hosts which may force a zone update, isn't it? So they should be the master DNS servers only? Is anyone who is using DNS clusters able to clear this up?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Probably overkill using so many ACLs. This is what I use, which will achieve the same thing:

Code:
acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
        127.0.0.1;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
Where the IP addresses are all the other participants in your DNS cluster, including the server you are on, which makes it nice and easy to duplicate across all your servers.
 
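A way to confirm from the outside that the restriction above actually took effect, added here as an example and not something posted in the thread. It drives dig against the server and classifies what comes back: whether a zone transfer (AXFR, the same thing the nslookup "ls" listing earlier in the thread performs) is refused, whether recursion is open, and the in-between case raised later in the thread where recursion is refused yet an answer still arrives, which means it was served out of the cache. It assumes dig from the BIND utilities is installed; NS and ZONE are placeholders for your server and one of its zones, and the sample outputs at the bottom are constructed so the classifiers can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the thread): probe a nameserver for open zone
# transfer (AXFR) and open recursion, the two settings the named.conf
# snippets above restrict. Assumes dig(1) is installed. Usage: sh check.sh NS ZONE

# Classify the output of `dig @NS ZONE AXFR`. dig prints "; Transfer failed."
# when the server refuses; a successful transfer dumps the zone, bracketed by
# the SOA record at both ends.
axfr_verdict() {
    out="$1"
    case "$out" in
        *"Transfer failed."*)            echo "refused"; return ;;
        *"no servers could be reached"*) echo "unreachable"; return ;;
    esac
    if printf '%s\n' "$out" | grep -q -E '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo "OPEN"      # the whole zone walked out the door
    else
        echo "unknown"
    fi
}

# Classify the output of `dig @NS example.com A`, a name NS is not
# authoritative for. Recursion open: the flags line carries "ra". Recursion
# refused for our address: dig prints ";; WARNING: recursion requested but
# not available"; if an answer still arrives in that case it came from the
# server's cache, the hole allow-recursion alone leaves (see the end of the
# thread).
recursion_verdict() {
    out="$1"
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1)
    answers=${answers:-0}
    if printf '%s\n' "$out" | grep -q 'recursion requested but not available'; then
        if [ "$answers" -gt 0 ]; then echo "cache-leak"; else echo "closed"; fi
    elif printf '%s\n' "$out" | grep -q -E '^;; flags:.* ra[; ]'; then
        echo "OPEN"
    else
        echo "closed"
    fi
}

# Run both probes against a live server.
check_server() {
    ns="$1"; zone="$2"
    printf 'AXFR of %s from %s: %s\n' "$zone" "$ns" \
        "$(axfr_verdict "$(dig @"$ns" "$zone" AXFR +time=5 +tries=1 2>&1)")"
    # example.com stands in for a name the server does not host; pick
    # another if you happen to host it.
    printf 'Recursion on %s: %s\n' "$ns" \
        "$(recursion_verdict "$(dig @"$ns" example.com A +time=5 +tries=1 2>&1)")"
}

# Constructed sample outputs (not captured from a real server) so the
# classifiers can be exercised offline.
SAMPLE_AXFR_REFUSED='; <<>> DiG 9.x <<>> @ns1 example.com AXFR
; Transfer failed.'
SAMPLE_AXFR_OPEN='example.com.   86400 IN SOA ns1.example.com. hostmaster.example.com. 2004061901 3600 900 604800 86400
www.example.com. 3600 IN A   192.0.2.10
example.com.   86400 IN SOA ns1.example.com. hostmaster.example.com. 2004061901 3600 900 604800 86400'
SAMPLE_REC_OPEN=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REC_CLOSED=';; WARNING: recursion requested but not available
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REC_LEAK=';; WARNING: recursion requested but not available
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

if [ "$#" -eq 2 ]; then
    check_server "$1" "$2"
else
    echo "usage: $0 NS ZONE (no arguments given, classifying constructed samples instead)"
    echo "AXFR refused sample  -> $(axfr_verdict "$SAMPLE_AXFR_REFUSED")"
    echo "AXFR open sample     -> $(axfr_verdict "$SAMPLE_AXFR_OPEN")"
    echo "recursion open       -> $(recursion_verdict "$SAMPLE_REC_OPEN")"
    echo "recursion closed     -> $(recursion_verdict "$SAMPLE_REC_CLOSED")"
    echo "cached answer leaked -> $(recursion_verdict "$SAMPLE_REC_LEAK")"
fi
```

Run it from a host that is not in your "trusted" ACL, otherwise you are only testing the allowed path. "refused" for the transfer and "closed" for recursion is the result the configuration above is meant to produce; "cache-leak" means the ACL is in place but the server still hands out whatever it already has cached.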

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
Your setup makes sense also.

We would just like to tune each setting using the "security through obscurity" method, where everything should be blocked and then only the necessary things allowed.

Do you have any valid information that using several ACLs in named.conf may slow it down?
I have heard nothing about that.
 

jamesbond

Well-Known Member
Oct 9, 2002
chirpy said:
Code:
acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
I have the same set up, but I don't have the 'directory "/var/named";' line.
Why did you add that? Did you run into trouble without it?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
You don't need to have that line in there since /var/named is the default. I just like to have it to be sure that I know it's looking where it should - it's just an old habit.
 

CoolMike

Well-Known Member
Sep 6, 2001
Hi

Can I also do the following to add all the IPs of my range?

acl "trusted" {
        234.a.b.c/24;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
Michael
 

jackie46

BANNED
Jul 25, 2005
When I set this up, my firewall started complaining.

Mar 5 14:00:16 srv07 named[20657]: client 111.111.111.111#52479: error sending response: host unreachable
Mar 5 14:00:16 srv07 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=111.111.111.111 DST=222.222.222.222 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=647 DF PROTO=UDP SPT=53 DPT=52479 LEN=57

I'm not sure why it's complaining. We have inbound and outbound TCP/UDP enabled on all firewalls on port 53.
 

kemis

Well-Known Member
Feb 17, 2005
I'm sorry to keep such an old post alive, but there's something important here that doesn't appear to have been addressed yet. Let me explain...

A few weeks ago, I began using the "trusted" acl for allow-recursion, but I noticed that it didn't really stop the attacks (yes, it was implemented correctly). It wasn't until today, though, that I began looking into the issue more.

To keep a long story short, I found the following article on DynDNS that explains how to use views to separate what is allowed recursion and what is not:

"It's important to use views..., though - if you just use allow-recursion { recursive_clients; }; in a single view, you will still provide answers to other clients out of your cache, which is almost as bad as being wide open."

You can read the whole article, including a sample setup at:
http://www.dyndns.com/about/company/notify/archives/the_dangers_of_open_recursive_dns.html

My main worry is that the "views" solution will simply not be compatible with cPanel, since it involves modifying how the zones themselves are handled.

Does anyone have any comments regarding this "new" information? Why hasn't this been brought up before? Am I really the only one who continues to see "lame server resolving" errors in my messages despite following the solution previously outlined in this thread?

-- Matt

P.S. -- For now, I have begun using the blackhole option along with an "untrusted" acl to help cut down the number of immediate attacks. This is not a good solution, though, since I can't honestly keep adding IP after IP to this list.
 

dwh2

Well-Known Member
Jan 14, 2004
Now I'm totally confused. Which instructions do I need to follow?

Is there a tutorial somewhere on the web that says exactly what to do?
 

hicom

Well-Known Member
May 23, 2003
These are the two things you want to add to secure your BIND:

Code:
// Both statements go inside the options { } block of named.conf

// Restrict zone transfers
allow-transfer {
        20.0.0.1;
        20.0.0.2;
};

// Restrict recursion
allow-recursion {
        20.0.0.1;
        20.0.0.2;
};
This will make sure zone transfers and recursion are only allowed for the IP addresses you specify here (your own DNS, backup DNS, etc.). DO NOT use 127.0.0.1 in the allow-recursion lines.

Oh, and of course don't forget to change the IPs I listed!!
 

dwh2

Well-Known Member
Jan 14, 2004
hicom said:
These are the two things you want to add to secure your BIND:

Code:
// Restrict zone transfers
allow-transfer {
        20.0.0.1;
        20.0.0.2;
};

// Restrict recursion
allow-recursion {
        20.0.0.1;
        20.0.0.2;
};
This will make sure zone transfers and recursion are only allowed for the IP addresses you specify here (your own DNS, backup DNS, etc.). DO NOT use 127.0.0.1.

Oh, and of course don't forget to change the IPs I listed!!
Thanks so much! I was worried I wouldn't get an answer.

*OK, so this is the change in the
"etc/named.conf" file?

*And those need to be my IPs? I guess I just look up the IPs in that tool on WHM, correct?

*I also have a db server connected to my webserver and it doesn't have WHM on it. I believe the way it was set up the DNS server for it is my webserver...wait, actually it's IP only, there is no domain name on the db server. Does it even need a DNS server? (I guess so, because when I access IPAddress only, it still needs to talk to a DNS server to determine where that IP is, correct?) Sorry, I guess my question is, any danger to adding the dbserver's IP to that address?
 

kemis

Well-Known Member
Feb 17, 2005
hicom said:
DO NOT use 127.0.0.1
Chirpy uses 127.0.0.1 (as indicated in an earlier post in this thread), but you're saying not to. What are the pros/cons of using/not using it?

I am using 127.0.0.1 (in addition to my real IPs), but am still getting "lame server resolving" lines in my messages log due to recursive DNS DDoS attacks. Could this be why?

And what about DynDNS's advice not to use "allow-recursion" and to use "views" instead? DynDNS says that you're still responding to queries out of your cache even with "allow-recursion" set to only your own IPs.

-- Matt
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Matt,

I just tested that theory and it does indeed resolve cached queries, though the risks would have to be much smaller since you're not going to know which zones are cached, making it pretty much useless as a recursive resolver. I'm going to investigate further...
 