I received an ominous e-mail from my server host Thursday:

The DNS service(s) on your server are currently open to recursive queries from the world, leaving them vulnerable to DNS cache poisoning attacks and allowing them to be used to attack other sites. Your server was reported participating in an outbound DDoS attack through means of this vulnerability by an attacker. Please ensure that recursive lookups are DISABLED in your nameserver's configuration to prevent future abuse. If you need any assistance with this procedure, please let us know.

My name server was answering queries from anyone for any domain, not just the zones it was configured to serve, such as cadenhead.org. When a query came in for a domain hosted elsewhere, my server forwarded it on to other servers, which could forward it further.

I didn't know that this open recursion let my server be used in a denial of service attack.

I closed the vulnerability by adding an acl section and a new allow-recursion setting inside the options section of the named.conf file:

acl internal {
  67.19.3.218/29;
};

options {
  allow-recursion {
    internal;
  };
};

The acl section names the address of the machine hosting the name server, so programs on that machine can still make recursive requests. All other clients should be refused recursion by this configuration.

While I was poking around, I took another blogger's suggestion to turn off zone transfers from my name server, except for one machine that functions as a backup name server:

allow-transfer {
  67.19.86.58;
};
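As an added example that is not from the original post, here is a small Python audit of the two named.conf statements above. It evaluates address-match lists the way BIND does (first match wins) and reports whether an arbitrary outside client would be allowed to recurse or pull a zone. It assumes a simplified grammar (prefixes, bare addresses, named ACLs and the built-ins any/none/localhost; no `!` negation or TSIG keys) and uses 203.0.113.7, a documentation address, to stand in for "the world".

```python
import ipaddress
import re

# Constructed sample: the two named.conf fragments from the post, joined into one file.
SAMPLE_CONF = """
acl internal { 67.19.3.218/29; };
options {
  allow-recursion { internal; };
  allow-transfer { 67.19.86.58; };
};
"""
OUTSIDE = "203.0.113.7"  # TEST-NET-3 documentation address standing in for any Internet client

def _entries(body):
    return [t.strip() for t in body.split(";") if t.strip()]

def parse(conf):
    """Return (named acls, {statement: entries, or None when the statement is absent})."""
    acls = {m[1]: _entries(m[2]) for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}
    lists = {}
    for key in ("allow-recursion", "allow-transfer"):
        m = re.search(rf"\b{key}\s*\{{([^}}]*)\}}", conf)
        lists[key] = _entries(m[1]) if m else None
    return acls, lists

def permits(entries, client, acls, seen=()):
    """First-match evaluation of an address-match list; '!' negation and TSIG keys are not modelled."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        if entry in ("any", "none"):
            return entry == "any"
        if entry == "localhost":  # approximation: BIND means every address of the server's own interfaces
            matched = ip.is_loopback
        elif entry in acls:
            if entry in seen:
                raise ValueError(f"acl {entry} references itself")
            matched = permits(acls[entry], client, acls, seen + (entry,))
        else:
            matched = ip in ipaddress.ip_network(entry, strict=False)
        if matched:
            return True
    return False

def audit(conf, outside=OUTSIDE):
    """Map each statement to 'open' (outside address permitted), 'restricted', or 'unset'
    (statement missing, so BIND's version-dependent default applies and should be made explicit)."""
    acls, lists = parse(conf)
    return {key: "unset" if entries is None
            else "open" if permits(entries, outside, acls) else "restricted"
            for key, entries in lists.items()}
```

Running `audit(SAMPLE_CONF)` on the post's configuration reports both statements as restricted, while a config with `allow-recursion { any; };` or no allow-recursion at all is flagged as open or unset.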

-- Rogers Cadenhead

Comments

I will definitely have to look into this on my servers, I can see this being a possible issue.

Good to know - Thanks

I got to do the same maybe this is it! thx for info!

thanks for code, we had a dns-poisoning problem two weeks ago, started in the network, one day we were not able to fix the problem, next day everything works again. Now I'm afraid that problem will come up again, because we did not find the reason... Hope your Code can help us, I will forward it to my admin...

thx for posting, i once had a problem with that DDoS-attack. Now i feel more safe. greetings tom sticker