9, February 2010

Securing - optimizing BIND - webmaster forum

 
« on: Jun 24, 2007, 02:52:04 pm »

This post is regarding a low-risk vulnerability in DNS servers called open DNS server. When a DNS server is open, it means that it will serve DNS lookups for domains that do not exist in its own files. So, for instance, if your DNS server is open, it will give you a response for google.com and any other site that is not hosted on your box.

This is not actually a vulnerability, but when your DNS server is open, it can degrade the performance of your DNS, and can cause your DNS servers to be used in a DoS attack.

So in order to close that, you need to add this directive to the options clause of your named.conf file:

Code:
recursion no;

But wait a minute. This can cause a bigger problem. With no recursion your server won't be able to get DNS resolves, so it won't be able to fetch data from the internet. So I guess this directive won't work well for most servers.

If that could be a problem for you, you can use this directive (instead of "recursion no"), which will allow recursion for any IP range you want.

Code:
allow-recursion {127.0.0.1; 192.168.0.1; };

Be sure to add a semicolon (;) after each IP, because BIND is very hard with directives and it won't work on any error.

Hope you liked this small tutorial.
« Last Edit: Jun 24, 2007, 02:53:39 pm by Nikolas »

« Reply #1 on: Jul 01, 2007, 03:00:18 pm »

Nice article. I don't really understand why recursion no; isn't the standard option and you have to activate it if you really want your DNS to be open.

/Andreas
« Reply #2 on: Jul 01, 2007, 10:34:53 pm »

Is it possible to test if my server has some open DNS?


« Reply #3 on: Jul 01, 2007, 10:55:42 pm »

At dnsstuff.com I got a warning about that for one of my NS, but that was before they started charging for access to their tools. You only get 10 tries; after that you have to be a member.

/Andreas
« Reply #4 on: Jul 01, 2007, 10:59:59 pm »

Yes, right (that suxxx). I always used that test until they changed that.

I guess there is some Linux command, but which one?


« Reply #5 on: Jul 02, 2007, 07:51:03 pm »

You can still check using dnsstuff. Check http://www.dnsstuff.com/tools/dnsreport.ch?domain=YOURDOMAIN_HERE

Andreas, if you use recursion no, then the server won't be able to get DNS records and download things from the internet. For instance, remote file_get_contents() and Curl will stop working.

« Reply #6 on: Jul 02, 2007, 10:36:42 pm »

Thanks to this tutorial my open DNS server is closed now (thanks!)

