Fixing open DNS servers

Ok, there seems to be a *lot* of posts and threads about this issue and I think a simple page is appropriate.

Lets start with the problem. Check the report for your domain here: http://www.dnsreport.com/tools/dnsreport.ch?domain=YOUR_DOMAIN_HERE.COM

An open DNS server is one that replies to a query about a domain it is not responsible for, to anyone who asks for it, also known as recursion. For starters, that is just a waste of processing time, but it can be worse if it is used for flooding. See, since a DNS query is (much!) smaller in number of bytes than a DNS response, if it is spoofed it can be used to perform a DoS attack on a computer with several times the bandwidth of the perpretator.

So, lets solve it. First of all you need to find out where you named.conf file is. Ok, 99% of the time is in /etc/named.conf but trust me, even if you find one there, there is a chance that is no the one being used. Check the result of:

cat /etc/sysconfig/named

If it has a ROOTDIR entry, something like:

ROOTDIR=/var/named/chroot

then chances are it is going to be a different named.conf

If so, follow to that directory and look for the etc directory, ex:
cd /var/named/chroot/etc/

There should be a named.conf here. Make a backup of it, and the idea is to add some lines looking like this:

acl “trusted” {
127.0.0.1;
69.16.205.44;
69.16.205.45;
69.16.205.46;
69.16.205.47;
209.59.139.5;
209.59.139.6;
};

//
// named.conf for Red Hat caching-nameserver
//

options {
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;

//by skyhorse
version “SkyServers UltraDNS 2.0 *Beta”;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
allow-query { any; };

};

Now, the parts in bold are the ones you probably don’t have. The “acl” is the list of IP addresses that have access to the recursion option, this is very important otherwise other parts of your server will stop working, such as Exim. You should list *all* addresses that might need DNS recursion, such as *all* local IP’s and some more.

This script should output to you all the IP’s you probably need:

echo “acl \”trusted\” {“
echo “127.0.0.1;”
echo `/bin/hostname -i`\;
for i in `cat /etc/ips | cut -d “:” -f 1`
do
echo $i\;
done
for a in `cat /etc/resolv.conf | tr -s ” ” ” ” | cut -d ” ” -f2`
do
echo $a\;
done
echo “};”

(you can download it here)

A lot more can be said, if you need any additional details have a look at these threads:

http://forums.cpanel.net/showthread.php?t=50473

http://forums.cpanel.net/showthread.php?t=53064

http://forums.cpanel.net/showthread.php?p=217540

http://forums.cpanel.net/showthread.php?p=242467

Also:

Secure BIND Template

For additional information on how to secure your DNS server check CERT’s pdf at http://www.cert.org/archive/pdf/dns.pdf