frame
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Sign In RegisterHowdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
Categories
- 496 All Categories
- 312 General
- 144 General Discussions
- 67 Feature Request/Bug Report
- 56 Sales Questions and Answers
- 16 Time4VPS Life
- 14 Help requests
- 16 Server management
- 220 Tutorials
- 51 Various Tutorials
- 40 Web hosting control panels
- 40 Performance and Security
- 25 Web Applications
- 44 Linux Applications
- 20 Windows VPS
Close an Open DNS
Justin
Member
The terms Open and Closed are now used to describe DNS servers in the following context:
• Open DNS - is a DNS that will accept recursive queries from external locations. Essentially anyone anywhere can use your DNS to handle recursive queries for genuine or malicious reasons;
• Closed DNS - is a DNS that will accept recursive queries only from an identified (and hopefully trusted) set of clients.
What used to be a friendly and neighborly action, an Open DNS, may now be - inadvertently - placing yourself and others at risk for three major reasons:
• DoS Attacks - by sending random domain queries to your DNS malicious users can cause your DNS to become extremely busy and clog up the Internet with useless traffic;
• DoS Amplification Attacks - by sending domain-specific queries the malicious users can cause your DNS to become part of (amplify the effect of) a wider DoS attack on a particular site;
• Cache Poisoning - by sending specific queries the malicious users can dictate or control the traffic that leaves your site and thus attempt to spoof responses with nasty and pernicious stuff.
Use as many of the techniques described here as are appropriate to your installation.
• Inhibit incoming DNS (port 53) queries for caching or forwarding only DNS servers using a firewall;
• If you run an authoritative only server you should already be preventing recursion by using the following line in a global options clause:
• BIND 9.4 introduced a new statement to allow-query-cache in an attempt to limit the number of, perhaps inadvertent, Open DNS resolvers. allow-query-cache defaults to the same values as allow-recursion. Be aware: It is permitted to define both allow-recursion and allow-query-cache statements. Avoid this like the plague. Use one or the other if you want to retain your sanity;
• Since BIND 9.4 in configurations where recursion is yes; is present or is defaulted and no limits are placed on recursion then allow-query-cache {localnets; localhost;}; is defaulted. The effect of this is to only permit recursive queries from the server's host (localhost) or any local LAN connected hosts (localnets);
• BIND 9.4 also introduced a new set of statements, allow-query-on, allow-recursion-on, allow-query-cache-on. In all cases, the -on statements allow a definition of the server interface and may greatly simplify the query limit definition in multi-homed servers.
• Open DNS - is a DNS that will accept recursive queries from external locations. Essentially anyone anywhere can use your DNS to handle recursive queries for genuine or malicious reasons;
• Closed DNS - is a DNS that will accept recursive queries only from an identified (and hopefully trusted) set of clients.
What used to be a friendly and neighborly action, an Open DNS, may now be - inadvertently - placing yourself and others at risk for three major reasons:
• DoS Attacks - by sending random domain queries to your DNS malicious users can cause your DNS to become extremely busy and clog up the Internet with useless traffic;
• DoS Amplification Attacks - by sending domain-specific queries the malicious users can cause your DNS to become part of (amplify the effect of) a wider DoS attack on a particular site;
• Cache Poisoning - by sending specific queries the malicious users can dictate or control the traffic that leaves your site and thus attempt to spoof responses with nasty and pernicious stuff.
Use as many of the techniques described here as are appropriate to your installation.
• Inhibit incoming DNS (port 53) queries for caching or forwarding only DNS servers using a firewall;
• If you run an authoritative only server you should already be preventing recursion by using the following line in a global options clause:
# inhibit all recursion
recursion no;• BIND 9.4 introduced a new statement to allow-query-cache in an attempt to limit the number of, perhaps inadvertent, Open DNS resolvers. allow-query-cache defaults to the same values as allow-recursion. Be aware: It is permitted to define both allow-recursion and allow-query-cache statements. Avoid this like the plague. Use one or the other if you want to retain your sanity;
• Since BIND 9.4 in configurations where recursion is yes; is present or is defaulted and no limits are placed on recursion then allow-query-cache {localnets; localhost;}; is defaulted. The effect of this is to only permit recursive queries from the server's host (localhost) or any local LAN connected hosts (localnets);
• BIND 9.4 also introduced a new set of statements, allow-query-on, allow-recursion-on, allow-query-cache-on. In all cases, the -on statements allow a definition of the server interface and may greatly simplify the query limit definition in multi-homed servers.
foot
Feel free to join our constantly expanding community, participate in discussions, strengthen your knowledge on Linux and Windows server management!
© 2013 - 2024 Time4VPS. All rights reserved.