Open DNS Server

MikeDawg mikedawg at gmail.com
Fri Aug 11 19:54:02 UTC 2006


Jeffrey Stevens wrote:
> Had a customer report the failure below running http://www.dnsreport.com.  I am
> looking at this thinking the obvious answer is to turn off recursion on the
> authoritative server, but that would mean the customer's other lookups might
> start failing. I am also thinking of recommending running one server as
> authoritative only and another as a caching server...but have I missed anything?
>
> FAIL  - Open DNS servers - ERROR: One or more of your nameservers
>                            reports that it is an open DNS server. This
>                            usually means that anyone in the world can
>                            query it for domains it is not authoritative
>                            for (it is possible that the DNS server
>                            advertises that it does recursive lookups
>                            when it does not, but that shouldn't
>                            happen). This can cause an
>                            excessive load on your DNS server. Also, it
>                            is strongly discouraged to
>                            have a DNS server be both authoritative for
>                            your domain and be recursive
>                            (even if it is not open), due to the
>                            potential for cache poisoning (with
>                            no recursion, there is no cache, and it is
>                            impossible to poison it).
>                            Also, the bad guys could use your DNS server
>                            as part of an attack, by forging their IP
>                            address. Problem record(s) are:
>                            Server 200.184.26.4 reports that it will do
>                            recursive lookups. [test]
>                            Server 200.184.103.230 reports that it will
>                            do recursive lookups. [test]
> --
> Jeffrey Stevens
> gpg --keyserver pgp.mit.edu --recv-keys D2E5A4E8
> Key fingerprint: 1C86 8717 E485 FA4D B9EF 96E2 A1AC 4B00 D2E5 A4E8

I think it is always a good idea that if you have an external-facing
DNS server that you disable recursive lookups on it.  I don't know what
sort of situation you're in, but I would normally recommend two
different servers, one for the internal network (read: not externally
accessible), and one for the external network (read: internet
accessible).  However, depending on your situation, if you only have
one server to dedicate for this, you can set it so that it only allows
recursive lookups for internal IP addresses:

      allow-recursion { 127.0.0.1; 192.168.0.0/24; };

in the options section of your BIND config.
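For anyone wanting to see the whole thing in one place: below is an added example named.conf (not from the original post, and not the poster's config) that does both of the things discussed above on a single BIND 9 box, using views. The internal view is authoritative for the zone and recurses for internal clients; the external view is authoritative only, with recursion off, so the open-resolver test has nothing to find. The ACL reuses the 127.0.0.1 and 192.168.0.0/24 ranges from the allow-recursion line above; "example.com", the file paths and the directory are placeholders to replace with your own.

```conf
// Added example named.conf for BIND 9 (not the poster's config).
// Zone name, file names and the directory are placeholders.

acl "internal" {
    127.0.0.1;
    192.168.0.0/24;      // your internal ranges go here
};

options {
    directory "/var/named";
    // Default to no recursion; only the internal view turns it back on.
    recursion no;
    allow-recursion { none; };
    // Don't hand zone transfers to the world either.
    allow-transfer { none; };
};

// Views are matched top to bottom, so the internal one must come first.
// Once you use views, every zone has to live inside a view.

// Internal clients: authoritative for the zone AND recursive.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };

    // Root hints are only needed where recursion is actually done.
    zone "." IN {
        type hint;
        file "named.root";
    };

    zone "example.com" IN {
        type master;
        file "master/example.com.db";
    };
};

// Everyone else: authoritative only, no recursion, nothing cached to poison.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "example.com" IN {
        type master;
        file "master/example.com.db";
    };
};
```

Run named-checkconf before reloading, then test from a host outside the internal ranges: a query for your own zone should be answered, while a query for a name you are not authoritative for should be refused (or come back without an answer) rather than resolved. Note that with only an allow-recursion line on a single server, the authoritative and recursive roles still share one process and one cache, which is what the dnsreport warning about cache poisoning is getting at; the views above keep the external side cache-free, but a separate caching box for internal users is still the cleaner setup.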



More information about the bind-users mailing list