Open DNS servers...

Jez · June 22nd, 2006, 7:19 AM

Anybody know how to close the DNS servers.. I tried:

Use a line "recursion no;" in the "options" clause (or in the "view" clause) in ect > named.conf

and then restarting BIND in WHM

so it looks like this...

Code:

options {

    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
     // query-source address * port 53;
"recursion no;"

But it seems to not have worked...

Any ideas????

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s)

www.DNSreport.com

**deastwood** · June 22nd, 2006, 3:34 PM

http://www.cymru.com/Documents/secur...-template.html

try the full version there

Jez · June 22nd, 2006, 6:15 PM

Quote:

Originally Posted by deastwood

http://www.cymru.com/Documents/secur...-template.html

try the full version there

That look way to much more me.

**deastwood** · June 22nd, 2006, 6:19 PM

if not have a look here, not sure if its what youve already done not got time to check,

http://www.webhostgear.com/index.php?art/id:321

hope that helps

**David** · June 23rd, 2006, 3:16 AM

^ it doesn't. I tried that one a few weeks ago and Bind crashed.

**deastwood** · June 23rd, 2006, 2:23 PM

oooh so glad i didnt try it then :P

sorry to not be able to answer ur question, might be worth moving it to dedicated forum more ppl might notice it

**David** · June 23rd, 2006, 4:08 PM

I didn't even notice that this wasn't in that forum already. Ususally when I answer questions, I just blitz the forum.

**Skipdawg** · June 23rd, 2006, 4:18 PM

If this is really a issue why dose Surpass it's self not take care of it across the board? If a server security risk it is their issue too!

Jez · June 23rd, 2006, 7:49 PM

Quote:

Originally Posted by Skipdawg

If this is really a issue why dose Surpass it's self not take care of it across the board? If a server security risk it is their issue too!

Some hosting companys have fixed this issue... I'm really not sre on the whole issue... Some people think it is no big deal while others seem to freak out over it. It's really up to the user of the servers... but if you have a web hosting business or sell a reseller acount it's best to have this fixed as costumers are going to be asking you about it and some well freak out cause dnsreport makes it sound like a really bad thing.

I'm reall not sure on my issue on this yet and was just wondering how to close it since I do resell some of the space. We'll all have to see what happens and how much this topic effects things in the long run. Just last year this was not even a issue or brought up at all.

Only time well tell. But ya I do recomened that surpass finds a way to auto close them cause with this new news out it might stear some customers away and this question is going to get asked a lot more down the road.

June 22nd, 2006, 7:19 AM	#1 (permalink)
Jez Registered User Seasoned Poster Joined in Jun 2006 Hosted on VPS7 81 posts Gave thanks: 0 Thanked 0 times	Open DNS servers... Anybody know how to close the DNS servers.. I tried: Use a line "recursion no;" in the "options" clause (or in the "view" clause) in ect > named.conf and then restarting BIND in WHM so it looks like this... Code: options { directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. / // query-source address port 53; "recursion no;" But it seems to not have worked... Any ideas???? ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) www.DNSreport.com __________________ VPS7 http://destinyz.net http://riccistuff.info - Thee Christina Ricci Info Site http://grimpuppy.com/forums - Forums and Arcade For Horror and Fantasy Fans

June 23rd, 2006, 4:08 PM	#7 (permalink)
David says GIMME SOME MORE! Resident. Joined in Mar 2004 Lives in fear of Obama. Hosted on Pass 7 13,092 posts Gave thanks: 8 Thanked 34 times	I didn't even notice that this wasn't in that forum already. Ususally when I answer questions, I just blitz the forum. __________________

June 23rd, 2006, 4:18 PM	#8 (permalink)
Skipdawg Insanely Super #1 Joined in Jul 2005 Lives in Northwest USA 4,154 posts Gave thanks: 39 Thanked 78 times	If this is really a issue why dose Surpass it's self not take care of it across the board? If a server security risk it is their issue too! __________________

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

June 22nd, 2006, 3:34 PM	#2 (permalink)
deastwood Surpass Fan Super #1 Joined in Mar 2006 1,024 posts Gave thanks: 66 Thanked 55 times	http://www.cymru.com/Documents/secur...-template.html try the full version there

June 22nd, 2006, 6:19 PM	#4 (permalink)
deastwood Surpass Fan Super #1 Joined in Mar 2006 1,024 posts Gave thanks: 66 Thanked 55 times	if not have a look here, not sure if its what youve already done not got time to check, http://www.webhostgear.com/index.php?art/id:321 hope that helps

June 23rd, 2006, 3:16 AM	#5 (permalink)
David says GIMME SOME MORE! Resident. Joined in Mar 2004 Lives in fear of Obama. Hosted on Pass 7 13,092 posts Gave thanks: 8 Thanked 34 times	^ it doesn't. I tried that one a few weeks ago and Bind crashed.

June 23rd, 2006, 2:23 PM	#6 (permalink)
deastwood Surpass Fan Super #1 Joined in Mar 2006 1,024 posts Gave thanks: 66 Thanked 55 times	oooh so glad i didnt try it then :P sorry to not be able to answer ur question, might be worth moving it to dedicated forum more ppl might notice it

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)