24, July 2008

Securing - optimizing BIND - webmaster forum

 

Author Topic: Securing - optimizing BIND  (Read 1034 times)



« on: Jun 24, 2007, 02:52:04 PM »

This post is regarding a low risk vulnerability in DNS servers called open DNS server. When a DNS server is open, it means that it will serve DNS lookups for domains that do not exist in its own files. So for instance, if your DNS server is open, it will give you a response for google.com and any other site that is not hosted on your box.

This is not actually a vulnerability, but when your DNS server is open, it can degrade the performance of your DNS, and can cause your DNS servers to be used in a DoS attack.

So in order to close that you need to add this directive in your named.conf file in the options clause :

Code:
recursion no;

But wait a minute. This can cause a bigger problem. With no recursion your server won't be able to get DNS resolves, so it won't be able to fetch data from the internet. So I guess this directive won't work well for most of the servers.

If that could be a problem for you, you can use this directive (instead of "recursion no"), which will allow recursion to any IP range you want.

Code:
allow-recursion {127.0.0.1; 192.168.0.1; };

Be sure to add a semicolon (;) after each IP because BIND is very hard with directives and it won't work on any error :)

Hope you liked this small tutorial :)
« Last Edit: Jun 24, 2007, 02:53:39 PM by Nikolas »

« Reply #1 on: Jul 01, 2007, 03:00:18 PM »

Nice article. I don't really understand why recursion no; isn't the standard option and you have to activate it if you really want your DNS to be open.

/Andreas
« Reply #2 on: Jul 01, 2007, 10:34:53 PM »

Is it possible to test if my server has some open DNS?


« Reply #3 on: Jul 01, 2007, 10:55:42 PM »

At dnsstuff.com I got a warning about that for one of my NS, but that was before they started charging for access to their tools :( You only get 10 tries; after that you have to be a member.

/Andreas
« Reply #4 on: Jul 01, 2007, 10:59:59 PM »

Yes, right (that suxxx). I always used that test until they changed that :(

I guess there is some Linux command, but which one? :)


« Reply #5 on: Jul 02, 2007, 07:51:03 PM »

You can still check using dnsstuff. Check http://www.dnsstuff.com/tools/dnsreport.ch?domain=YOURDOMAIN_HERE

Andreas, if you use recursion no, then the server won't be able to get DNS records and download things from the internet. For instance, remote file_get_contents() and Curl will stop working.

« Reply #6 on: Jul 02, 2007, 10:36:42 PM »

Thanks to this tutorial, my open DNS server is closed now (thanks!)

