Open DNS Server - DNS



Thread: Open DNS Server

  1. Open DNS Server

    Had a customer report the failure below running http://www.dnsreport.com. I am
    looking at this thinking the obvious answer is to turn off recursion on the
    authoritative server, but that would mean the customer's other lookups might
    start failing. I am also thinking of recommending running one server as
    authoritative only and another as a caching server... but have I missed anything?

    FAIL - Open DNS servers - ERROR: One or more of your nameservers reports
    that it is an open DNS server. This usually means that anyone in the world
    can query it for domains it is not authoritative for (it is possible that
    the DNS server advertises that it does recursive lookups when it does not,
    but that shouldn't happen). This can cause an excessive load on your DNS
    server. Also, it is strongly discouraged to have a DNS server be both
    authoritative for your domain and be recursive (even if it is not open),
    due to the potential for cache poisoning (with no recursion, there is no
    cache, and it is impossible to poison it). Also, the bad guys could use
    your DNS server as part of an attack, by forging their IP address.
    Problem record(s) are:
    Server 200.184.26.4 reports that it will do recursive lookups. [test]
    Server 200.184.103.230 reports that it will do recursive lookups. [test]
    --
    Jeffrey Stevens
    gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
    Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8



  2. Re: Open DNS Server


    Jeffrey Stevens wrote:
    > Had a customer report the failure below running http://www.dnsreport.com. I am
    > looking at this thinking the obvious answer is to turn off recursion on the
    > authoritative server, but that would mean the customer's other lookups might
    > start failing. I am also thinking of recommending running one server as
    > authoritative only and another as a caching server... but have I missed anything?
    >
    > FAIL - Open DNS servers - ERROR: One or more of your nameservers reports
    > that it is an open DNS server. This usually means that anyone in the world
    > can query it for domains it is not authoritative for (it is possible that
    > the DNS server advertises that it does recursive lookups when it does not,
    > but that shouldn't happen). This can cause an excessive load on your DNS
    > server. Also, it is strongly discouraged to have a DNS server be both
    > authoritative for your domain and be recursive (even if it is not open),
    > due to the potential for cache poisoning (with no recursion, there is no
    > cache, and it is impossible to poison it). Also, the bad guys could use
    > your DNS server as part of an attack, by forging their IP address.
    > Problem record(s) are:
    > Server 200.184.26.4 reports that it will do recursive lookups. [test]
    > Server 200.184.103.230 reports that it will do recursive lookups. [test]
    > --
    > Jeffrey Stevens
    > gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
    > Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8


    I think it is always a good idea that if you have an external facing
    dns server that you disable recursive lookups on it. I don't know what
    sort of situation you're in, but I would normally recommend two
    different servers, one for the internal network (read: not externally
    accessible), and one for the external network (read: internet
    accessible). However, depending on your situation, if you only have
    one server to dedicate for this, you can set it so that it only allows
    recursive lookups for internal IP addresses:

    allow-recursion { 127.0.0.1; 192.168.0.0/24; };

    in the options section of your bind config.



  3. Re: Open DNS Server

    >
    > I think it is always a good idea that if you have an external facing
    > dns server that you disable recursive lookups on it. I don't know what
    > sort of situation you're in, but I would normally recommend two
    > different servers, one for the internal network (read: not externally
    > accessible), and one for the external network (read: internet
    > accessible). However, depending on your situation, if you only have
    > one server to dedicate for this, you can set it so that it only allows
    > recursive lookups for internal IP addresses:
    >
    > allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    >
    > in the options section of your bind config.


    Even so, with this line in my bind config a query from a remote host
    fails. However, if I fire that same query from the internal network it
    succeeds.

    This is intended.

    If you then retest that query from the remote host it also succeeds.

    So initial queries fail, but successful queries from the internal LAN will
    build a cache and it will even return those results to a remote host
    querying for that same name. Not sure if that was intended or not.

    This is in BIND 9.2.1, which is shipped with Debian 3.1.

    Kind regards,

    Seth
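
A named.conf fragment, added here as an illustration and not posted by anyone in the thread, that puts the allow-recursion line from reply 2 beside the allow-query-cache directive (introduced in BIND 9.4) that closes the cache behaviour Seth describes in reply 3; the ACL name, the 192.168.0.0/24 network, the zone name and the file paths are assumed.

```bind
// Added example, not from the thread. Restrict both recursion and
// access to cached answers to the internal network, while leaving
// the authoritative zone answerable from anywhere.
acl "trusted" {
    127.0.0.1;
    192.168.0.0/24;     // assumed internal LAN, as in reply 2
};

options {
    directory "/var/cache/bind";   // assumed; use your distribution's path

    // Anyone may query the zones this server is authoritative for.
    allow-query { any; };

    // Only trusted clients may trigger recursive lookups on our behalf.
    allow-recursion { trusted; };

    // Only trusted clients may read answers already sitting in the cache.
    // allow-query-cache exists from BIND 9.4 onward; on BIND 9.2.1
    // (Seth's version) there is no such knob, so a name resolved once
    // from the LAN is handed back to any remote host that asks for it
    // afterwards, which is exactly the behaviour he reports.
    allow-query-cache { trusted; };
};

// The authoritative zone stays reachable from the Internet regardless
// of the two restrictions above.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // assumed path
};
```

Run `named-checkconf` after editing and re-run the open-resolver test from outside the LAN: the authoritative zone should still answer, while a query for a name the server is not authoritative for should be refused whether or not it was resolved from inside first.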


