[SATLUG] Open Resolver

Samuel Leon satlug at net153.net
Wed May 6 08:05:17 CDT 2009


Leif Johnson wrote:
> 
> Can someone help me close my open DNS resolver?
> I have a ticket from OTS that I need to close.
> 
> /etc/named.conf: --snip--
> 
> logging { category lame-servers { null; }; };
> // generated by named-bootconf.pl
> acl "trusted" {
> 206.76.144.3;
> 206.77.62.130;
> 165.95.18.60;
> 206.76.144.46;
> 206.76.144.4;
> 10.250.1.0;
> 10.250.2.0;
> 10.250.3.0;
> 
> };
> 
> options {
>         directory "named";
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below.  Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>         //query-source address * port 53;
> 
> version "not available";
> allow-recursion { trusted; };
> allow-notify { trusted; };
> allow-transfer { trusted; };
> 
> };
> 
> 
>  ---snip--
> 


To my knowledge, you need to set "allow-query".  So something like:

  version "not available";
  allow-recursion { trusted; };
  allow-query { trusted; };
  allow-notify { trusted; };
  allow-transfer { trusted; };


But that will disallow any IP other than what is listed in "trusted" 
from getting queries.  If you have any zones that you are hosting and 
you want the outside world to be able to resolve them, then you need to 
allow queries from anywhere on them.  So to do that you need to add 
`allow-query { any; };` to each zone:


     zone "mywebserver.net" {
         type master;
         file "/etc/bind/db.mywebserver.net";
         allow-query { any; };

     };

There are basically 2 kinds of queries in the DNS world: recursive and 
non-recursive.  A recursive query will query other DNS servers until it 
resolves the name.  A non-recursive query will only query zone data and 
the entries that are already in the cache.  If that DNS server has the 
entry in its cache or zone then it will return it.  If not, then it 
returns nothing.

http://devoracles.com/what-is-a-recursive-dns-query

Sam
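The fix above boils down to auditing two statements in the `options` block (`allow-recursion` and `allow-query`) and any per-zone `allow-query` override. The following script is an added example, not code from this thread or from ISC BIND: it strips comments from a named.conf, pulls the access-control statements out of the `options` and `zone` blocks, and reports whether recursion or plain (cache) queries are still open to the world. The two embedded configs are constructed for the example and modelled on the thread's snippets; the `trusted` ACL contents, the zone name and the file path are placeholders.

```python
import json
import re

# Constructed sample: the original options block (no allow-query), one public zone.
SAMPLE_CONF = """
acl "trusted" {
    206.76.144.3;
    10.250.1.0/24;
};

options {
    directory "named";
    //query-source address * port 53;
    version "not available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};

zone "mywebserver.net" {
    type master;
    file "/etc/bind/db.mywebserver.net";
    allow-query { any; };
};
"""

# Constructed sample: same config with the allow-query restriction added.
HARDENED_CONF = SAMPLE_CONF.replace(
    "allow-recursion { trusted; };",
    "allow-recursion { trusted; };\n    allow-query { trusted; };",
)

RESTRICTIONS = ("allow-query", "allow-recursion", "allow-transfer")


def strip_comments(text):
    """Remove /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def find_blocks(text):
    """Yield (kind, name, body) for each options/zone/acl/view block, matching braces."""
    for m in re.finditer(r'\b(options|zone|acl|view)\b\s*(?:"([^"]*)")?\s*\{', text):
        depth, i = 0, m.end() - 1           # m.end() - 1 is the opening brace
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), m.group(2), text[m.end():i]


def statement(body, directive):
    """Return the address-match list of `directive { a; b; };`, or None if absent."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}\s*;", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def open_to_world(value):
    # Absent allow-query / allow-transfer default to "any" in BIND; an absent
    # allow-recursion is treated as open here too (conservative: BIND 9.4+
    # narrows that default, older versions did not).
    return value is None or "any" in value


def audit(conf):
    """Summarise the access-control statements and flag world-open settings."""
    text = strip_comments(conf)
    opts, zones = {}, {}
    for kind, name, body in find_blocks(text):
        if kind == "options":
            opts = {d: statement(body, d) for d in RESTRICTIONS}
        elif kind == "zone":
            zones[name] = {d: statement(body, d) for d in ("allow-query", "allow-transfer")}
    return {
        "options": opts,
        "recursion_open_to_world": open_to_world(opts.get("allow-recursion")),
        "queries_open_to_world": open_to_world(opts.get("allow-query")),
        "zones": zones,
    }


if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, json.dumps(audit(conf), indent=2))
```

Run against the original snippet it reports `queries_open_to_world: true` because `allow-query` is missing and therefore defaults to `any`, while recursion is already limited to `trusted`; against the hardened copy both flags are false and the public zone still shows `allow-query: ["any"]`, which is the intended state for a zone the outside world must resolve. A per-zone `allow-transfer` is reported alongside so an accidental `any` there is not missed.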


