[SATLUG] Open Resolver

Leif Johnson leif at paisd.net
Wed May 6 08:26:26 CDT 2009


Thanks:

I added "allow-query" in both places as you suggested.

Bind will start but the message log shows numerous lines about:
client 206.76.144.4#33602 query (cache) denied
client 206.76.144.29#33602 query (cache) denied
client 10.250.1.231#34982 query (cache) denied
client 206.76.144.4#32126 query (cache) denied
client 206.76.144.4#36671 query (cache) denied

I'm getting closer. I think.

On Wed, 6 May 2009, Samuel Leon wrote:

> Leif Johnson wrote:
>> 
>> Can someone help me close my open DNS resolver?
>> I have a ticket from OTS that I need to close.
>> 
>> /etc/named.conf: --snip--
>> 
>> logging { category lame-servers { null; }; };
>> // generated by named-bootconf.pl
>> acl "trusted" {
>> 206.76.144.3;
>> 206.77.62.130;
>> 165.95.18.60;
>> 206.76.144.46;
>> 206.76.144.4;
>> 10.250.1.0;
>> 10.250.2.0;
>> 10.250.3.0;
>> 
>> };
>> 
>> options {
>>         directory "named";
>>         /*
>>          * If there is a firewall between you and nameservers you want
>>          * to talk to, you might need to uncomment the query-source
>>          * directive below.  Previous versions of BIND always asked
>>          * questions using port 53, but BIND 8.1 uses an unprivileged
>>          * port by default.
>>          */
>>         //query-source address * port 53;
>> 
>> version "not available";
>> allow-recursion { trusted; };
>> allow-notify { trusted; };
>> allow-transfer { trusted; };
>> 
>> };
>> 
>>
>>  ---snip--
>> 
>
>
> To my knowledge, you need to set "allow-query".  So something like:
>
> version "not available";
> allow-recursion { trusted; };
> allow-query { trusted; };
> allow-notify { trusted; };
> allow-transfer { trusted; };
>
>
> But that will disallow any ip other than what is listed in "trusted" from 
> getting queries.  If you have any zones that you are hosting and you want the 
> outside world to be able to resolve them then you need to allow queries from 
> anywhere on them.  So to do that you need to add allow-query any to each 
> zone:
>
>
>    zone "mywebserver.net" {
>        type master;
>        file "/etc/bind/db.mywebserver.net";
>        allow-query { any; };
>
>    };
>
> There are basically 2 kinds of queries in the DNS world.  Recursive and non 
> recursive.  A recursive query will query other dns servers until it resolves 
> the name.  A non recursive query will only query zone data and the entries 
> that are already in the cache.  If that dns server has the entry in its cache 
> or zone then it will return it.  If not, then it returns nothing.
>
> http://devoracles.com/what-is-a-recursive-dns-query
>
> Sam
>
>

-- 
Sincerely,
Leif Johnson
(361) 749-1200 x. 316
http://blog.paisd.net
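An added example, not part of the thread above. BIND writes "query (cache) denied" when a client asks for a name the server is not authoritative for and the allow-query / allow-recursion settings refuse to answer it from cache, so for outside addresses those lines are exactly what closing the resolver should produce; the ones worth a second look are from addresses you believe are in the "trusted" acl. The script below parses the quoted log lines (copied here as constructed sample input) and checks each client against the acl the way BIND's address-match lists work: an entry with no prefix length matches only that single host, so "10.250.1.0" as posted is the one address 10.250.1.0, not the 10.250.1.0/24 network. The second acl with /24 prefixes is a hypothetical correction I added for comparison, not something the original poster wrote; nothing in the thread says which prefix was intended.

```python
"""
Added example (not from the SATLUG thread): evaluate BIND "query (cache) denied"
log lines against an acl as BIND's address-match lists interpret it, so you can
see which denied clients a given acl actually trusts.

Assumptions: the acl entries and log lines are copied from the thread; the /24
prefixes in ACL_WITH_PREFIXES are a hypothetical correction, not the poster's.
"""
import ipaddress
import re

# The acl exactly as posted. In BIND an address without a prefix length
# matches only that one host, so "10.250.1.0" is the host 10.250.1.0,
# not the 10.250.1.0/24 network.
ACL_AS_POSTED = [
    "206.76.144.3", "206.77.62.130", "165.95.18.60",
    "206.76.144.46", "206.76.144.4",
    "10.250.1.0", "10.250.2.0", "10.250.3.0",
]

# Hypothetical corrected acl (assumption: the 10.250.x.0 entries were meant
# to be /24 networks).
ACL_WITH_PREFIXES = [
    "206.76.144.3", "206.77.62.130", "165.95.18.60",
    "206.76.144.46", "206.76.144.4",
    "10.250.1.0/24", "10.250.2.0/24", "10.250.3.0/24",
]

# Constructed sample input: the lines quoted in the message.
LOG_LINES = """\
client 206.76.144.4#33602 query (cache) denied
client 206.76.144.29#33602 query (cache) denied
client 10.250.1.231#34982 query (cache) denied
client 206.76.144.4#32126 query (cache) denied
client 206.76.144.4#36671 query (cache) denied
"""

DENIED_RE = re.compile(r"client (\S+)#(\d+) query \(cache\) denied")


def parse_acl(entries):
    """Turn acl strings into ip_network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def acl_matches(acl, client):
    """True if the client address falls inside any acl element.
    (BIND uses first match, which only matters once negated '!' entries appear.)"""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl)


def parse_denied(log_text):
    """Extract (client_ip, source_port) from 'query (cache) denied' lines."""
    out = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def classify(log_text, acl_entries):
    """Map every denied client address to 'trusted' or 'untrusted' under the acl."""
    acl = parse_acl(acl_entries)
    return {ip: ("trusted" if acl_matches(acl, ip) else "untrusted")
            for ip, _port in parse_denied(log_text)}


if __name__ == "__main__":
    for label, entries in (("acl as posted", ACL_AS_POSTED),
                           ("acl with /24 prefixes", ACL_WITH_PREFIXES)):
        print(f"{label}:")
        for ip, status in sorted(classify(LOG_LINES, entries).items()):
            print(f"  {ip:<16} {status}")
```

Run against the acl as posted, 206.76.144.29 and 10.250.1.231 come out untrusted, so their denials are the intended effect of the allow-query change; with the /24 prefixes, 10.250.1.231 becomes trusted. A denial logged for an address that the script reports as trusted (here 206.76.144.4) is the case the thread does not explain and the one to investigate in the running configuration rather than in the acl text.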

