Open DNS Server - DNS
-
Open DNS Server
Had a customer report the failure below running http://www.dnsreport.com. I am
looking at this thinking the obvious answer is to turn off recursion on the
authoritative server, but that would mean the customer's other lookups might
start failing. I am also thinking of recommending running one server as
authoritative only and another as a caching server...but have I missed anything?
FAIL - Open DNS servers - ERROR: One or more of your nameservers reports that
it is an open DNS server. This usually means that anyone in the world can query
it for domains it is not authoritative for (it is possible that the DNS server
advertises that it does recursive lookups when it does not, but that shouldn't
happen). This can cause an excessive load on your DNS server. Also, it is
strongly discouraged to have a DNS server be both authoritative for your domain
and be recursive (even if it is not open), due to the potential for cache
poisoning (with no recursion, there is no cache, and it is impossible to poison
it). Also, the bad guys could use your DNS server as part of an attack, by
forging their IP address. Problem record(s) are:
Server 200.184.26.4 reports that it will do recursive lookups.
Server 200.184.103.230 reports that it will do recursive lookups.
--
Jeffrey Stevens
gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8
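What the "open DNS server" check above boils down to, as an added example written for this page (it is not dnsreport's own code and was not posted by Jeffrey): ask the server for a name it does not host, once with the RD (recursion desired) bit set and once with it clear, then read the flags and answer count of each reply. A reply to the RD=1 probe carrying an answer with RA set means the server resolves for anyone; an answer to the RD=0 probe cannot have come from recursion, so it shows the server handing its cache to outsiders even when recursion itself is refused. The probe name `example.com`, the synthetic replies built by `build_response`, and the 192.0.2.1 address are constructed for the demonstration; `probe` needs network access to a real server.

```python
import random
import socket
import struct

# Name the server under test is assumed NOT to be authoritative for.
PROBE_NAME = "example.com"


def build_query(name, rd=True, qtype=1, txid=None):
    """Minimal DNS query for an A record, with the RD bit set or clear."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(msg):
    """Decode the fields of the 12-byte DNS header that the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(rd_response, norecurse_response):
    """Classify a server from its replies to the RD=1 and RD=0 probes."""
    h_rd = parse_header(rd_response)
    h_nord = parse_header(norecurse_response)
    if h_rd["aa"]:
        return "authoritative-for-probe"   # pick a name the server does not host
    if h_rd["ra"] and h_rd["ancount"] > 0:
        return "open-recursive"            # resolves anything for anyone
    if h_rd["ancount"] > 0 or h_nord["ancount"] > 0:
        return "cache-leak"                # recursion refused, but cached data is served
    return "closed"                        # REFUSED or an empty referral


def build_response(query, ancount=0, ra=False, aa=False, rcode=0):
    """Constructed sample reply (for offline use): echoes the query's ID, RD bit
    and question, and appends `ancount` A records for 192.0.2.1 (TEST-NET-1)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = query[12:]
    # NAME is a compression pointer (0xC00C) back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * ancount


def probe(server, name=PROBE_NAME, timeout=3.0):
    """Run both probes against a live server over UDP/53 (needs network)."""
    responses = []
    for rd in (True, False):
        query = build_query(name, rd=rd)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        if parse_header(data)["id"] != parse_header(query)["id"]:
            raise ValueError("transaction ID mismatch in reply from %s" % server)
        responses.append(data)
    return classify(*responses)


if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        print(server, probe(server))
```

Run it as `python3 probe.py 200.184.26.4` against a server you are allowed to test. A result of `cache-leak` is the situation where `allow-recursion` alone has been restricted: outsiders cannot make the server fetch new names, but anything an inside client has already looked up is readable by the world.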
-
Re: Open DNS Server
Jeffrey Stevens wrote:
> Had a customer report the failure below running http://www.dnsreport.com. I am
> looking at this thinking the obvious answer is to turn off recursion on the
> authoritative server, but that would mean the customer's other lookups might
> start failing. I am also thinking of recommending running one server as
> authoritative only and another as a caching server...but have I missed anything?
I think it is always a good idea, if you have an external-facing
DNS server, to disable recursive lookups on it. I don't know what
sort of situation you're in, but I would normally recommend two
different servers, one for the internal network (read: not externally
accessible), and one for the external network (read: internet
accessible). However, depending on your situation, if you only have
one server to dedicate for this, you can set it so that it only allows
recursive lookups for internal IP addresses:
allow-recursion { 127.0.0.1; 192.168.0.0/24; };
in the options section of your bind config.
-
Re: Open DNS Server
>
> allow-recursion { 127.0.0.1; 192.168.0.0/24; };
>
> in the options section of your bind config.
Even so, with this line in my bind config a query from a remote host
fails. However, if I fire that same query from the internal network it
succeeds.
This is intended.
If you then retest that query from the remote host it also succeeds.
So initial queries fail, but successful queries from the internal LAN will
build a cache and it will even return those results to a remote host
querying for that same name. Not sure if that was intended or not.
This is in BIND 9.2.1, which is shipped with Debian 3.1.
Kind regards,
Seth
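A BIND configuration that puts the two suggestions in this thread together, added here as an example (it is not configuration posted by anyone in the thread): the `allow-recursion` ACL from the first reply, plus a separate ACL on cache reads, which is the gap Seth describes when cached answers are returned to remote hosts. The `trusted` ACL, the address ranges, the zone `example.com` and the file paths are assumptions. One caveat a practitioner should check: `allow-query-cache` was added in BIND 9.4; in the 9.2.x series there is no separate ACL for the cache, so on that version the only clean fix is the two-server (or two-view) split that Jeffrey was already considering.

```conf
// named.conf fragment (example, not from the thread).
// Clients allowed to use this machine as a resolver (assumed ranges).
acl "trusted" { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/var/cache/bind";

    // Anyone may ask about the zones hosted here.
    allow-query { any; };

    // Only trusted clients may make this server recurse ...
    allow-recursion { trusted; };

    // ... and only they may read what recursion has already cached (BIND 9.4+).
    // Without this, cached answers are still returned to any client allowed by
    // allow-query, which is the behaviour Seth observed on 9.2.1.
    allow-query-cache { trusted; };

    // For the two-server design, the authoritative-only host instead gets:
    //     recursion no;
    //     allow-query { any; };
    // With recursion off there is no cache to leak or to poison.
};

// Zone this server is authoritative for (assumed name and file).
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
```

After reloading, the quick check is the same pair of queries dnsreport runs: from an address outside `trusted`, `dig @server example.org` should come back REFUSED (or as an empty referral), and repeating it after an inside client has resolved the same name should still not return an answer; from inside, both should succeed.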