Fli
07-22-2014, 09:40 PM
I got a report from the datacenter that "You appear to be running an open recursive resolver at MYSERVERIP",
so this is bad, because it can be used to amplify denial-of-service attacks and some other things.
How do I disable this? I got a hint to block incoming connections to UDP port 53 (named/bind), so one can just use an iptables generator to generate a rule like:
iptables -A INPUT -m udp -p udp --sport 53 -j DROP
After I executed it and then the iptables-save command, http://openresolver.com/ still tells me:
Open recursive resolver detected on myserverip
IP address myserverip is vulnerable to DNS Amplification attacks.
Another idea was to edit the named/bind configuration file.
I found "named.caching-nameserver.conf" in the /etc directory and I was told I can add:
allow-recursion { "none"; };
recursion no;
into the
options {
};
section in that file
... or just add:
allow-recursion {127.0.0.1;};
In my case it worked when I added the red highlighted line into the /etc/named.caching-nameserver.conf file (your named/bind conf file can be named differently):
view localhost_resolver {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    allow-recursion {127.0.0.1;};
    include "/etc/named.rfc1912.zones";
};
Then no named restart was needed, and http://openresolver.com/ started reporting this:
Recursive resolver is not detected on myserveriphere
IP address myserveriphere is not vulnerable to DNS Amplification attacks.
The list of open DNS resolver checkers:
http://openresolver.com/
http://security.zensupport.co.uk/
http://openresolverproject.org/
http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl/
dig +short amiopen.openresolvers.org TXT
Does anyone have ideas on how to solve this issue?
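A way to run the same check the sites listed above perform, against a server you operate, as an added example that is not part of the original post: it sends one recursion-desired query for a name the server is not authoritative for and classifies the reply from the header flags (the RA bit and the RCODE), which is also the quickest way to confirm whether a firewall rule or a named.conf change actually took effect. The resolver address below is a placeholder assumption and example.com is an assumed probe name; run it from a host outside the server's allow-recursion list, because a probe from localhost will always look open with the view configuration above.

```python
import secrets
import socket
import struct

# Constructed placeholders (assumptions): replace with the resolver you operate.
RESOLVER_IP = "192.0.2.10"   # TEST-NET-1 address, not a real server
PROBE_NAME = "example.com"   # a name the resolver is not authoritative for


def build_query(name, qid):
    """Build a minimal DNS A query (QCLASS IN) with the RD bit set.

    Flags 0x0100 = recursion desired; one question, no other sections.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_response(resp, qid):
    """Return 'open', 'closed' or 'unclear' from the DNS header of a reply.

    closed : REFUSED (RCODE 5) or the RA bit clear, i.e. the server did not
             recurse on our behalf.
    open   : RA set and NOERROR/NXDOMAIN, i.e. the server performed recursion
             for a client it should not serve.
    """
    if len(resp) < 12:
        return "unclear"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID or not a response (QR bit)
        return "unclear"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    if rcode == 5 or not ra:
        return "closed"
    if rcode in (0, 3):
        return "open"
    return "unclear"


def probe(resolver_ip=RESOLVER_IP, name=PROBE_NAME, timeout=3.0):
    """Send one UDP query to resolver_ip:53 and classify the reply."""
    qid = secrets.randbelow(65536)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            resp, _peer = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"   # dropped by a firewall, or no resolver listening
    return classify_response(resp, qid)


if __name__ == "__main__":
    print(f"{RESOLVER_IP}: {probe()}")
```

A "closed" result after a named.conf change means BIND now returns REFUSED (or no RA) to outside clients; "no-response" is what a correct iptables rule produces, since it drops the query before named ever sees it.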