[SATLUG] open DNS Resolver

Samuel Leon satlug at net153.net
Mon Apr 13 16:05:28 CDT 2009


Leif Johnson wrote:
> 
> I've managed DNS for my school district for some time, but never 
> considered myself an expert. Now I have a complaint that I'm running an 
> "open DNS resolver". Can someone point me to a guide that can help me 
> secure this a bit?
> 
> A Quote from an email from theNET UT OTS (-my parent)
> "we are working with a number of large ISPs on a recent DNS amplifier 
> attack and the following systems are open DNS resolvers that appeared to 
> have been used in the attack:" (My 2 DNS IPs included)
> 
> [leif at amberjack ~]$ rpm -qa|grep bind
> bind-utils-9.2.5-3
> ypbind-1.17.2-3
> bind-libs-9.2.5-3
> bind-9.2.5-3
> bind-chroot-9.2.5-3
> 
> Sincerely,
> Leif Johnson
> (361) 749-1200 x. 316
> http://blog.paisd.net


In named.conf my last line is: include "/etc/bind/named.conf.local";

And in /etc/bind/named.conf.local I have:


options {
         directory "/var/cache/bind";
         auth-nxdomain no;    # conform to RFC1035
         //listen-on-v6 { any; };
         // only these clients may use the server as a recursive resolver
         allow-recursion { 10.40.0.0/16; localhost; };
         // only these clients may query at all (zones may override below)
         allow-query { 10.40.0.0/16; localhost; };
         // no zone transfers unless a zone says otherwise
         allow-transfer { none; };
         version "n/a";
};

That should disallow everything unless the IP matches; as you can 
see, I have the local IP net.  These can be overridden in named.conf.  If 
you actually serve names to the internet, you will want to allow queries 
to those names in named.conf like this:

     zone "mywebserver.net" {
         type master;
         file "/etc/bind/db.mywebserver.net";
         allow-query { any; };                 // public zone: anyone may ask
         allow-transfer { xxx.xxx.xxx.xxx; };  // secondary server only
     };

But I agree with what others have said, you need to buy the BIND and DNS 
book.  I stared at it for about 2 weeks before I even began to 
comprehend any of it...

Sam

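A small checker for the options block discussed in this thread, added here as an example and not part of Sam's post or of BIND itself. It assumes the BIND 9.2 behaviour of recursing for any client when allow-recursion is unset, and it is a regex over the options block, not a full named.conf parser.

```python
import re

# Constructed samples (not from the post). OPEN_CONF leaves allow-recursion
# unset, which on BIND 9.2 means recursion for every client allow-query admits.
OPEN_CONF = """
options {
        directory "/var/cache/bind";
        allow-query { any; };
        allow-transfer { none; };
};
"""

SAFE_CONF = """
options {
        directory "/var/cache/bind";
        allow-recursion { 10.40.0.0/16; localhost; };
        allow-query { 10.40.0.0/16; localhost; };
        allow-transfer { none; };
};
"""

def _acl(block, name):
    """Address list of `name { a; b; };` inside block, or None when absent."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % re.escape(name), block)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_named_conf(text):
    """Return findings (list of str) for the options block; [] means nothing flagged."""
    findings = []
    m = re.search(r'options\s*\{(.*?)\n\};', text, re.S)
    if m is None:
        return ["no options block: BIND defaults apply, recursion open to any client"]
    opts = m.group(1)
    recursion = _acl(opts, 'allow-recursion')
    query = _acl(opts, 'allow-query')
    transfer = _acl(opts, 'allow-transfer')
    # Unset or "any" means unrestricted for these three ACLs.
    rec_open = recursion is None or 'any' in recursion
    qry_open = query is None or 'any' in query
    if rec_open and qry_open:
        findings.append("open resolver: recursion and queries allowed from any address")
    elif rec_open:
        findings.append("allow-recursion unrestricted; only allow-query limits recursion")
    if transfer is None or 'any' in transfer:
        findings.append("allow-transfer unrestricted: zone data readable by anyone")
    return findings

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("safe", SAFE_CONF)):
        print(label, audit_named_conf(conf) or ["ok"])
```

Run it against your own named.conf text to see which ACL is missing; per-zone allow-query overrides (as in the zone example above) are outside the options block and are not checked here.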
