[SATLUG] open DNS Resolver

Bruce Dubbs bruce.dubbs at gmail.com
Mon Apr 13 14:01:13 CDT 2009


Leif Johnson wrote:
> 
> I've managed DNS for my school district for some time, but never 
> considered myself an expert. Now I have a complaint that I'm running an 
> "open DNS resolver". Can someone point me to a guide that can help me 
> secure this a bit?
> 
> A quote from an email from theNET UT OTS (my parent):
> "we are working with a number of large ISPs on a recent DNS amplifier 
> attack and the following systems are open DNS resolvers that appeared to 
> have been used in the attack:" (My 2 DNS IPs included)
> 
> [leif at amberjack ~]$ rpm -qa|grep bind
> bind-utils-9.2.5-3
> ypbind-1.17.2-3
> bind-libs-9.2.5-3
> bind-9.2.5-3
> bind-chroot-9.2.5-3

A DNS resolver is open if it provides recursive name resolution for clients 
outside of its administrative domain.

The fix is to use a split horizon DNS configuration.  The main configuration 
would look something like the fragment below.  Note the line:

allow-recursion { "internal"; };

Configuring DNS properly can be tricky.  I recommend getting the O'Reilly book 
on DNS and Bind.  It's something that needs to be studied.

http://oreilly.com/catalog/9780596100575/

   -- Bruce


# Address lists used below.  "internal" is the set of clients allowed to use
# this server as a recursive resolver; everyone else only gets authoritative
# answers for our own zones.
acl "internal" { 172.21/16; 172.22/16; 172.23/16; 172.24/16; 127/8; };
acl "external-slaves"   { 1.2.3.4; };
acl "internal-slaves"   { 172.21.0.3; };

options
{
   directory "/";
   pid-file  "/var/run/named.pid";
   version   "Administratively withheld";
   # This is the line that closes the open resolver: recursion only for "internal".
   # Set here in options, it applies to every view below.
   allow-recursion { "internal"; };
   max-ncache-ttl 3600;
#  listen-on { 172.24.0.3; 127.0.0.1; };
   # Pinning the source port to 53 disables source-port randomization, which
   # weakens resistance to cache poisoning; omit "port 53" unless a firewall
   # rule forces it.
   query-source address 172.24.0.3 port 53;
};

controls
{
   inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/rndc.key";

# Internal view: matched first, so addresses in "internal" see this zone data
# and (via allow-recursion above) may resolve outside names through us.
view internal
{
   match-clients { "internal"; };
   allow-transfer { "internal-slaves"; };
   zone "myzone.edu" IN
   {
     type master;
     file "db.myzone.edu";
   };
...
};

# External view: everyone else.  They get authoritative answers for
# myzone.edu from the external zone file and are refused recursion.
view external
{
   match-clients { any; };
   allow-transfer { "external-slaves"; };
   zone "myzone.edu" IN
   {
     type master;
     file "db.myzone.edu.external";
   };
...
};
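A way to verify the fix once the `allow-recursion` change is in place is to query your own server from a host that is *not* in the "internal" ACL, asking for a name you are not authoritative for with the RD (recursion desired) bit set, and inspect the reply: a still-open resolver answers with RA (recursion available) set and an answer section, while a locked-down one replies REFUSED or clears RA. The script below is an added example, not part of Bruce's post or of BIND; it builds the query and decodes the reply header with only the standard library. The two sample replies in `constructed_samples()` are hand-built test vectors (with the documentation address 192.0.2.1), not captures from a real server; `probe()` is the only part that touches the network and takes the server address from the command line.

```python
"""Self-check for the "open resolver" condition: send an RD query for a
name this server is not authoritative for and classify the reply flags.
Packet building and reply parsing are kept separate from the network
step so the parser can be exercised on constructed packets offline."""
import socket
import struct

FLAG_RD = 0x0100      # recursion desired (set by the client)
FLAG_RA = 0x0080      # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Build a single-question A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def classify_response(resp, expected_txid=None):
    """Decode the 12-byte header and say whether the server recursed for us."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & RCODE_MASK
    ra = bool(flags & FLAG_RA)
    if not ra or rcode == 5:
        verdict = "CLOSED"        # recursion not offered, or refused outright
    elif rcode == 0 and ancount > 0:
        verdict = "OPEN"          # it recursed for us and returned an answer
    else:
        verdict = "INCONCLUSIVE"  # NXDOMAIN/SERVFAIL or a bare referral; retry
                                  # with a name known to resolve
    return {"txid": txid, "ra": ra, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ancount": ancount, "verdict": verdict}


def constructed_samples():
    """Two hand-built replies to build_query("example.com.", 0xBEEF).
    Constructed test vectors, not captures from any real server."""
    question = encode_name("example.com.") + struct.pack("!HH", 1, 1)
    # Open resolver: QR|RD|RA, NOERROR, one A record pointing at 192.0.2.1
    open_hdr = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    open_reply = open_hdr + question + answer
    # Locked-down resolver: QR|RD, RA clear, RCODE=REFUSED, no answer section
    closed_hdr = struct.pack("!HHHHHH", 0xBEEF, 0x8105, 1, 0, 0, 0)
    closed_reply = closed_hdr + question
    return open_reply, closed_reply


def probe(server, name="www.example.com.", timeout=3.0):
    """Network step: send the query over UDP/53 and classify the reply."""
    txid = 0xBEEF
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify_response(data, txid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python openresolver_check.py 203.0.113.5
    else:
        for reply in constructed_samples():
            print(classify_response(reply, 0xBEEF))
```

Run it from outside the "internal" ranges against each of your two DNS IPs; after the split-horizon change both should report CLOSED, and a second run from an internal address should still report OPEN (that is the intended behaviour for your own clients).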

