Open DNS Server

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 11 21:24:41 UTC 2006


Jeffrey Stevens wrote:
> Had a customer report the failure below running http://www.dnsreport.com.  I am
> looking at this thinking the obvious answer is to turn off recursion on the
> authoritative server, but that would mean the customer's other lookups might
> start failing. I am also thinking of recommending running one server as
> authoritative only and another as a caching server...but have I missed anything?
>
> FAIL  - Open DNS servers - ERROR: One or more of your nameservers
>                            reports that it is an open DNS server. This
>                            usually means that anyone in the world can
>                            query it for domains it is not authoritative
>                            for (it is possible that the DNS server
>                            advertises that it does recursive lookups
>                            when it does not, but that shouldn't
>                            happen). This can cause an
>                            excessive load on your DNS server. Also, it
>                            is strongly discouraged to
>                            have a DNS server be both authoritative for
>                            your domain and be recursive
>                            (even if it is not open), due to the
>                            potential for cache poisoning (with
>                            no recursion, there is no cache, and it is
>                            impossible to poison it).
>                            Also, the bad guys could use your DNS server
>                            as part of an attack, by forging their IP
>                            address. Problem record(s) are:
>                            Server 200.184.26.4 reports that it will do
>                            recursive lookups. [test]
>                            Server 200.184.103.230 reports that it will
>                            do recursive lookups. [test]
>   
If you want to save your client the expense of buying more servers, you 
could set up their current nameservers to have one "view" for their 
recursive clients, one for the rest of the world, and then turn off 
recursion only for the external-facing view. The downside of this is 
you/they have to come up with some maintainable way for their internal 
clients to resolve names from the same zones that they host to the 
Internet. This may boil down to having duplicate copies of those zones. 
But, how to keep them in sync?

A more simplistic approach is to use allow-recursion to permit only 
their own clients to recurse. The problem with that is that outsiders 
can still see what's in the cache (it doesn't require any recursion to 
return an answer from cache, so by default that's fair game), which 
means they could conceivably divine what sites your customer's users are 
visiting, and how frequently, which is arguably an information 
disclosure which could have security implications. In BIND 9.4.0 (not 
released yet), we'll have more fine-grained control over who can query 
data from cache (as opposed to from recursion or authoritative data), so 
in theory this should become less of an issue.

                     - Kevin
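The two options Kevin describes, sketched as a named.conf fragment. This is an added example, not configuration from the original message; the ACL prefixes, zone name and file paths are placeholders.

```conf
// Option 1: split views. The customer's own clients (assumed prefixes)
// get recursion; the rest of the world sees authoritative data only.
acl "internal" { 10.0.0.0/8; 192.0.2.0/24; 127.0.0.1; };   // placeholder

view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {                 // placeholder zone name
        type master;
        file "internal/example.com.db";  // second copy: must be kept in sync
    };                                   // with the external one
};

view "external" {
    match-clients { any; };
    recursion no;                        // no recursion for outsiders, so
    zone "example.com" {                 // nothing is cached on their behalf
        type master;
        file "external/example.com.db";
    };
};

// Option 2 (the "more simplistic approach"): a single view, recursion
// limited by ACL. Use this options block *instead of* the views above
// (BIND does not allow top-level zones alongside views). As the message
// notes, answers already in cache are still readable by anyone unless
// the cache itself is restricted, which BIND 9.4 adds as allow-query-cache.
//
// options {
//     recursion yes;
//     allow-recursion  { internal; };
//     allow-query-cache { internal; };   // BIND 9.4 and later only
// };
```

After either change, `named-checkconf` validates the syntax, and `rndc reload` applies it; an outside query for a non-hosted name should then be refused rather than answered.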
