Jan 29 2007, 06:29 PM | Post #1
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
I got the following results when testing my server:

"OPEN DNS SERVERS - ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address."

It referred me to a page with tips but most of the tips were in regards to Windows servers. I am running Ensim Pro on a RHEL 4 box. I searched on here for help on this and couldn't find it.

This is the test I ran: http://www.dnsstuff.com/tools/dnsreport.ch?domain=XXXXX.XXX

Any help on this is appreciated.

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com

Jan 29 2007, 07:01 PM | Post #2
SuperGeek | Group: Members | Posts: 1,237 | Joined: 25-October 03 | From: Clearwater, FL | Member No.: 10,900
Edit /etc/bind/options.conf.wp

    options {
        directory "/var/named";
        version "DNS";    // string returned for version queries instead of the real version
        // only these addresses may make recursive queries
        allow-recursion { 127.0.0.1; xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };
        // addresses named listens on
        listen-on { 127.0.0.1; xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };
    };

Save your changes....

    service named restart

--------------------
Joseph Dobransky
Anti-spam Mail Gateways, Server Administration, CustomEnsimBackup, EnsimFixes.com AIM: CrankyCronos, Yahoo: skeeter1jd, ICQ: 21228143

Jan 29 2007, 07:24 PM | Post #3
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
Skeeter to the rescue...have you been Sainted yet?

I found this suggestion elsewhere:

QUOTE
1) edit the file: /etc/bind/options.conf.wp
Between options { };, add the following line:
allow-recursion { address_match_list };
Example of address_match_list would be:
127.0.0.1; IP of your server; IP of your server; Last IP of your server;

Seems your version has extra stuff in it. Perhaps more sophisticated to provide even better functionality.

Should this be part of hardening? Does it apply to Ensim and cPanel boxes equally?

Thanks a lot and nice to talk to you the other day!

Lew

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com

Jan 29 2007, 07:30 PM | Post #4
SuperGeek | Group: Members | Posts: 1,237 | Joined: 25-October 03 | From: Clearwater, FL | Member No.: 10,900
It can apply to all bind configurations. Mine also removes the version numbers..and just answers it's bind...

--------------------
Joseph Dobransky
Anti-spam Mail Gateways, Server Administration, CustomEnsimBackup, EnsimFixes.com AIM: CrankyCronos, Yahoo: skeeter1jd, ICQ: 21228143

Jan 29 2007, 07:41 PM | Post #5
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
Ooops...I wrote a reply before you responded but didn't save it apparently.

It is my understanding you want to list all IP addresses on the server? NS, dedicated domains, SSL, etc?

Thanks again!

Lew

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com

Jan 29 2007, 08:14 PM | Post #6
SuperGeek | Group: Members | Posts: 1,237 | Joined: 25-October 03 | From: Clearwater, FL | Member No.: 10,900
No. Just the IPs associated with name servers.

--------------------
Joseph Dobransky
Anti-spam Mail Gateways, Server Administration, CustomEnsimBackup, EnsimFixes.com AIM: CrankyCronos, Yahoo: skeeter1jd, ICQ: 21228143

Jan 29 2007, 08:15 PM | Post #7
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
Awesome...that fixed the report's complaint about my server...now it only has some odds and ends warnings.

I checked my new cPanel server and it doesn't have that file at all..hmmm guess that means I need to create one.

Thanks again Skeeter!

Lew

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com

Jan 29 2007, 08:29 PM | Post #8
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
I also can't find a way to run the report on my second server as it is on the same domain, i.e. server2 and server3.

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com

Jan 29 2007, 08:30 PM | Post #9
Techie | Group: Members | Posts: 227 | Joined: 16-June 02 | From: Minnesnowta | Member No.: 2,739
The second server has its own NS, but it is in the same domain as the first server...ns1 and 2 on first server, ns3 and 4 on second server. But since that report only seems to work on the server containing the main domain name, it doesn't seem able to test the second server.

--------------------
Lew of Link Up
LinkUpHosting.Net LinkUpHosting.Com