
DNS Report: FAIL: Open DNS servers

CCHickman

Regular Pleskian
Unless something has changed with my configuration, DNS Report is now instituting an Open DNS server check and both of my PLESK servers are returning the following errors for all domains:

--

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 82.165.241.87 reports that it will do recursive lookups. [test]
Server 217.160.241.45 reports that it will do recursive lookups. [test]

--

Any suggestions?
 
I noticed this same report today. However, turning DNS recursion off breaks Qmail. With recursion off, qmail loses the ability to look up domains for mail delivery even when query forwarding is enabled. I'm pretty DNS savvy, but scratching my head on this one. Perhaps someone can enlighten us.

GDotts
 
I've heard the lame solution of using a different service for DNS -- however, that's just ridiculous as I have two servers and PLESK -- I'm in a prime position to host my own DNS =)
 
Originally posted by CCHickman
I've heard the lame solution of using a different service for DNS -- however, that's just ridiculous as I have two servers and PLESK -- I'm in a prime position to host my own DNS =)

We're set up just the same, two servers (1 Plesk & 1 Corporate), both providing DNS services to our domains and hosted domains. Using a DNS service is a totally lame option. I'm sure this is just a configuration issue. I'll work on it some tonight and see what I can figure out.

GDotts
 
As outlined on http://www.dnsreport.com/info/opendns.htm,

Fixing BIND
Open named.conf with a text editor
Use a line "recursion yes;"
If you need to enable recursion for your local network, you can use a "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line.
[Use caution; BIND files are easy to break]
For complete hardening, see http://www.cymru.com/Documents/secure-bind-template.html.

Please note, this information was taken directly from the above link. I have not yet attempted this, and I do not intend to do so in the very near future. It'll be one of the many things I check on over the next few days, but may not modify for some time. Just thought I'd provide what they did so that those who wish to secure it can.
 
I'd suggest against doing this. It seemed that that would limit BIND to only provide DNS locally... I may be wrong, but I have no desire to experiment on a production server.
 
For recursive only, yes. For authoritative, no. Authoritative would still be public access. Recursive would be limited to the IP(s) listed.

However, I strongly agree. I wouldn't do this on a production server to begin with. I plan on investigating and attempting on my test server prior to doing anything on my production servers. I, too, hesitate when it comes to my money...and if it breaks, it makes me lose money...so I understand, and fully agree, with your last statement.
 
Originally posted by Who-m3
As outlined on http://www.dnsreport.com/info/opendns.htm,

Fixing BIND
Open named.conf with a text editor
Use a line "recursion yes;"
If you need to enable recursion for your local network, you can use a "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line.
[Use caution; BIND files are easy to break]
For complete hardening, see http://www.cymru.com/Documents/secure-bind-template.html.

Interestingly this doesn't solve the problem. The idea is to turn recursion off (recursion no). When set to recursion yes; (the default state) DNSReport still tags the server as an open server.

Thanks for providing the info and the link.

GDotts
 
Keep in mind

Keep in mind, if you have your ISP's nameservers - I believe the general wisdom is to only use 2 of them in /etc/resolv.conf - you don't need to have 127.0.0.1 in /etc/resolv.conf.

So if you wanted to use recursion no - you can, as long as you have your ISP's nameservers in /etc/resolv.conf.

The original "lame idea to use other DNS services" might have been a misunderstanding, I am thinking, where the original suggestion might have been the same as mine.

It would be interesting to try it both ways to see which way taxes the server less.

With recursion no - your nameservers will only dish up the DNS information for domains located on your Plesk server. Allowing recursion for 127.0.0.1 allows you to put 127.0.0.1 in /etc/resolv.conf, which again might tax your system more or less than using your ISP's open nameservers in /etc/resolv.conf. You'd have to experiment and try it both ways to find out. Using 127.0.0.1 would seem to be faster since you are using a local nameserver, but of course then you are querying your local nameserver rather than your ISP's nameserver and this can be more load on your server, while querying externally might have a different kind of load? Perhaps someone knows the answer to this question, in which case there would be no need to experiment.
 
Important

One very important thing, if you do not want your nameservers to be open, and you still want to be able to use Qmail on the same box (and other stuff that uses DNS on that server)....

"recursion no;" shouldn't be in there!

It is used only if you want to disable recursion altogether. And you don't want that, from what I understand. You want your customers to be able to keep sending their mail, otherwise you will start losing some money!

So, if you have Plesk on your box and you use Qmail and DNS, on the same box: Then do NOT use the "recursion no;"

Only set following in the "options" container:

allow-recursion {your-box-ip-used-for-DNS/24; 127.0.0.1/16;};

(Please fill in your IP in "your-box-ip-used-for-DNS")
For example it can look like this:
allow-recursion {123.124.125.126/24; 127.0.0.1/16;};

And please be sure your /etc/resolv.conf has 127.0.0.1 in its first line:

nameserver 127.0.0.1
nameserver 129.129.129.129
domain hostname.yourdomain.com

Don't forget to restart named after you edited named.conf

Little advice: copy named.conf to a safe location before you start editing it. You wouldn't be the first one to break things by corrupting his config files.

I realised that I had to edit my post with some important addition:

In Plesk 8 there is no need to manually edit your named.conf
Because in Plesk 8 you can very easily close your DNS with the control panel.
Click "Server" - "DNS" - "DNS Preferences" - Check "localnets" checkbox
Easy as it is !

If you are curious how this is done, then look into /etc/named.conf and remember what I wrote above.
 
Hi All -

I have tried the suggestions below but still fail that portion of DNS Report. Can you please take a look at what I am doing below and let me know if I am missing something?

I am running Plesk 7.5

1. renamed named.conf to named.byjason.bak

2. opened named.conf and edited to...

options {
    allow-recursion { 127.0.0.1; IP(primary); IP(second); };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

3. Added 127.0.0.1 to top of resolv.conf

4. service named restart

Yet still these domains are failing the DNS Report with the error Open DNS Server.
 
I have this issue too.

Did anybody ever work out what to do?

I have one domain on my server being the authoritative name server for other domains on my server. Nothing more complex than that.
 
What is your exact Linux flavour? Redhat EL? Centos?
And what is the exact Plesk version (e.g. 7.5.4)
Can you post the contents of your resolv.conf?
 
RHEL 3, PLESK 7.5 reloaded

/etc/resolv.conf [which I haven't touched, nor have I edited named.conf; I just wanted to see if the stuff posted here was the answer before I did anything] is:

Code:
nameserver=<myhostsns1>
nameserver=<myhostsns2>
#nameserver=<mylocaldomainns1>
#nameserver=<mylocaldomainns2>
#domain [mydomain.com]
#nameserver=<myhostsns1>

Note the comment tags? The <> contain IP addresses, the [] contain the domain that is the nameserver on my server.

Thanks for your reply. :)
 
Your resolv.conf should have:

nameserver 127.0.0.1
nameserver <your primary dns ip here>
nameserver <your second dns ip here>
domain <your hostname here>

I use 127.0.0.1 first, because if your host runs DNS there is no use in querying others first. It just saves time and traffic.

your named.conf should have in the options section at least:

options {
allow-recursion { xxx.xx.xxx.xxx/24; 127.0.0.1/16; };

Your hostname IP should be in the xxx.xx.xxx.xxx


After restarting named, you should recheck at dnsstuff.com
 
I have a quick question about this. If I do this, will the outside world still be able to use the DNS server to look up stuff that's on this server, or will it block all public communication to the server?

I am assuming no, that it will just prevent people from putting this DNS server as one of their own? Can someone please confirm this?

Thanks
 
This only applies to Plesk versions up to 7.5.
In later versions you can arrange this from within the Plesk control panel.

Yes, your DNS will be closed. You better check it at www.dnsstuff.com (I am not affiliated, I just use them to check config of DNS).
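A way to check the result yourself, in the spirit of the dnsstuff.com test the posters rely on; this is added example code, not from the thread or from Plesk. It sends a recursion-desired query for a name the server is not authoritative for and reads the RA flag and rcode out of the reply, which is the same signal the "reports that it will do recursive lookups" error is based on; the server address, the test name example.com and the named.conf fragment in the comments are assumptions.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
FLAG_RD = 0x0100        # recursion desired, set by the client
FLAG_RA = 0x0080        # recursion available, set by the server
RCODE_MASK = 0x000F
RCODE_REFUSED = 5

def build_query(name, txid=0x1234, qtype=1):
    """Build a UDP DNS query (A record by default) with RD=1, the same kind of
    query an open-resolver checker sends for a name you are not authoritative for."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [lb.encode("ascii") for lb in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def classify_response(resp):
    """Classify a raw DNS reply to a query for a NON-authoritative name.
    open                 : RA set and answers returned, the server recursed for us
    advertises-recursion : RA set but nothing resolved; checkers still flag this
    closed               : RA clear, or REFUSED (allow-recursion excluded the client)
    With BIND, "recursion yes; allow-recursion { localhost; <box-ip>/32; };" in
    the options block gives 'closed' to the outside world while answers for your
    own zones stay public (allow-query is unaffected). <box-ip> is a placeholder.
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    ra = bool(flags & FLAG_RA)
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED or not ra:
        verdict = "closed"
    elif ancount > 0:
        verdict = "open"
    else:
        verdict = "advertises-recursion"
    return {"ra": ra, "rcode": rcode, "answers": ancount, "verdict": verdict}

def probe(server, name="example.com", timeout=3.0):
    """Send the query to server:53 over UDP and classify the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(data)
```

Note that the allow-recursion { x.x.x.x/24; ... } lines posted earlier in the thread also admit every other host in that /24; listing the box's own address as a /32 plus localhost is the tighter ACL.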
 