I received an ominous e-mail from my server host Thursday:
The DNS service(s) on your server are currently open to recursive queries from the world, leaving them vulnerable to DNS cache poisoning attacks and allowing them to be used to attack other sites. Your server was reported participating in an outbound DDoS attack through means of this vulnerability by an attacker. Please ensure that recursive lookups are DISABLED in your name server's configuration to prevent future abuse. If you need any assistance with this procedure, please let us know.
My name server was answering recursive queries from anyone on the Internet for any domain, not just the zones it was set up to serve, such as cadenhead.org. When a query arrived for a domain it did not host, named went and resolved the name on the client's behalf, either walking down from the root servers to the domain's own name servers or handing the query to a forwarder, and sent the answer back. That is what makes an open resolver useful to an attacker: DNS queries travel over UDP, so their source address can be forged, and a small query draws a much larger answer aimed at whoever the attacker named as the source.
I didn't know that this open recursion let my server be used in a denial of service attack.
I closed the vulnerability by adding an acl section and a new allow-recursion setting inside the options section of the named.conf file:
// Only addresses in this block (the /29 the name server itself sits in)
// may ask the server to recurse on their behalf.
acl internal {
    67.19.3.218/29;
};
options {
    // Everyone else is refused recursion; they can still query the zones
    // this server is authoritative for.
    allow-recursion {
        internal;
    };
};
The acl names a /29 block, the eight addresses 67.19.3.216 through 67.19.3.223, which includes the machine running the name server, so programs on that machine can still make recursive lookups through it. (BIND accepts 67.19.3.218/29 but warns at load time that the address and prefix length don't match, because host bits are set; writing the network address, 67.19.3.216/29, avoids the warning and means the same thing.) Every other client is refused recursion: it can still query the zones this server is authoritative for, but a lookup for some other domain comes back REFUSED with the RA (recursion available) flag clear, which is what you should see when you run dig against the server from an outside host. Since BIND 9.4 the default allow-recursion is already localhost and localnets, so this change matters mainly on older versions or on configurations that opened recursion back up. After editing, check the file with named-checkconf and apply it with rndc reload.
While I was poking around, I took another blogger's suggestion to turn off zone transfers from my name server, except for one machine that functions as a backup name server:
// Inside the options block this applies to every zone; a zone block can set
// its own allow-transfer to override it. Only the secondary name server may
// pull a copy of the zone (AXFR); everyone else gets REFUSED.
allow-transfer {
    67.19.86.58;
};
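To confirm both changes from outside the acl, here is a small probe written for this post (an added example, not the author's own code or anything shipped with BIND). It hand-builds DNS queries with only the Python standard library, sends a recursive query for a name the server does not host and an AXFR request for the zone, and reads the reply header: the RA flag and answer count tell you whether recursion is open, the rcode of the first AXFR message tells you whether transfers are. The server address 192.0.2.53 and the names queried are placeholders, and the two sample replies at the bottom are constructed by hand so the interpreting functions can be checked offline.

```python
# Added example, not from the original post or from BIND: a standard-library-only
# probe for open recursion and open zone transfer. The address 192.0.2.53 and the
# names below are placeholders; the sample replies at the end are constructed.
import socket
import struct

QTYPE_A, QTYPE_AXFR, QCLASS_IN = 1, 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Dotted name -> DNS wire format: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """One-question query; rd=True sets the RD bit, asking the server to recurse."""
    flags = 0x0100 if rd else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_header(message):
    """Pull out the header fields an open-resolver / open-AXFR check needs."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", message[:12])
    return {
        "id": txid,
        "ra": bool(flags & 0x0080),  # RA: server offers recursion to this client
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "answers": an,
        "authority": ns,
    }


def classify_recursion(reply):
    """Interpret the reply to a recursive query for a name the server does not host.

    open:   RA is set, or answer records came back (the server recursed for us).
    closed: RA clear and no answers; BIND sends REFUSED (or, in older versions,
            a bare referral to the root) when the client is outside allow-recursion.
    """
    h = parse_header(reply)
    return "open" if h["ra"] or h["answers"] > 0 else "closed"


def classify_axfr(first_message):
    """Interpret the first message of an AXFR reply."""
    h = parse_header(first_message)
    if h["rcode"] == "REFUSED":
        return "closed"          # allow-transfer did its job
    if h["rcode"] == "NOERROR" and h["answers"] > 0:
        return "open"            # anyone can copy the whole zone
    return "inconclusive"


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed early")
        data += chunk
    return data


def probe(server, name, qtype, timeout=3.0):
    """Send one query and return the raw reply: UDP for A, TCP for AXFR (RFC 5936)."""
    query = build_query(name, qtype)
    if qtype == QTYPE_AXFR:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)
            length = struct.unpack(">H", _recv_exact(s, 2))[0]
            return _recv_exact(s, length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


# Constructed sample replies (not captured from a real server) for offline checks.
_question = encode_name("example.com") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
# QR=1 RD=1 RA=0 rcode=REFUSED, no records: a resolver that refused to recurse.
SAMPLE_CLOSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _question
# QR=1 RD=1 RA=1 rcode=NOERROR, one A record (192.0.2.1): a resolver that recursed.
SAMPLE_OPEN = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question
               + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
               + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    # Run from a host outside the acl; a properly closed server reports "closed" twice.
    print("recursion:", classify_recursion(probe("192.0.2.53", "example.com", QTYPE_A)))
    print("axfr:", classify_axfr(probe("192.0.2.53", "cadenhead.org", QTYPE_AXFR)))
```

Run it from a machine that is not in the internal acl, since from inside the block the server is supposed to recurse. Querying a name the server is authoritative for is not a useful test of recursion, because that is answered either way; the probe deliberately asks for a foreign name.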