
Firewalled domain name server

Discussion in 'Plesk for Linux - 8.x and Older' started by Rocky@, May 5, 2005.

  1. Rocky@

    Rocky@ Guest

    Has anyone put the "domain name server" behind the firewall?

    It is one of the default options. I am not quite sure I want to try it before asking. How does it work? What's the benefit? What I know is that others won't be able to use my nameservers, but how would that not shut down my site along with it?

  2. wjtech

    wjtech Guest

    Not sure if this is what you are looking for, but ...

    I have a secondary name server (bind) running behind a Linksys router attached to a cable modem. I port (53) forward to the internal IP address. Works fine.

  3. Rocky@

    Rocky@ Guest

    Sorry for not making it clear.

    I am talking about the firewall that comes with Plesk. I leave open only the commonly used ports and close all others in the Plesk Control Panel's firewall component settings.

    I wonder if I should firewall the Domain Name Servers as well, and want to know the benefit of it.

  4. Terminal Junkie

    Terminal Junkie Guest

    Most likely not.

    Assuming you are not using an external (3rd party) DNS service, then firewalling the DNS server (i.e. port 53) will mean that any external systems (computers, servers, etc) will not be able to resolve domains on your server. Basically making your server accessible via IP address only. And, since virtual sites are determined by the URL request, none of them will be accessible (only the domains with fixed IPs will work).

    If you are using an external DNS (perhaps your hosting provider is taking care of it) then you might as well turn off the DNS services anyway. Why waste the resources?

    Quick way to figure it out... When you look up your domain at your registrar, what does it list as the name servers? If it is the IP(s) from your server, then you will need to leave port 53 accessible. If it is something else, then it is _likely_ your DNS is being taken care of by a third party.

    If you are really courageous (or you like living on the edge), you can try this... Turn on the firewall and see if all hell breaks loose... No web sites, no external email, nothing. If that is the case, you need to leave your DNS accessible. Obviously you will need to have the IP address of the server handy because that will be the only way you are going to be able to get back in to get at the firewall settings... :eek:

    Oh, and just to completely screw with you, some (all?) ISPs have caching DNS servers, so it is possible (nay, likely) that you may not see the effect until your domain entry expires from their name server cache, which could take 24 to 72 hours...

    NOT something you want to do on a production server. :p

    If you want to protect your DNS you have two options... Installing software that will detect various forms of DOS attacks and then automatically block the suspect IP. This will work against 'script-noobs' but will usually not protect you from a distributed DOS since it will come from many, many IPs (real or spoofed). Or, you can configure a real secondary DNS server that will be able to pick up the slack when the first one is down/unavailable.

    BTW, the 2nd IP on a same physical server is NOT a secondary name server, it is just an alias to the one and only one running on that server. If one of those IPs is being attacked, they will both stop responding. A real secondary DNS will be located on a different physical server, preferably on a different subnet segment.

    Not sure if that is what you were asking but hopefully it helps clarify,
    Terminal Junkie
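The check Terminal Junkie describes (compare what the registrar lists as nameservers against the server's own addresses, and then ask whether a "secondary" is really a separate host) can be scripted. The following is an added example, not code from the thread or from Plesk; the nameserver list, addresses and the /24 subnet size are constructed assumptions, and in real use the nameserver data would come from the registrar's whois record or a `dig NS` lookup.

```python
import ipaddress

# Constructed sample input (not from the thread): the nameservers the registrar
# lists for the domain, with the address each name resolves to.
REGISTRAR_NS = {
    "ns1.example.com": "203.0.113.10",
    "ns2.example.com": "203.0.113.11",
}
# Constructed: every address bound on the Plesk server itself.
SERVER_IPS = ["203.0.113.10", "203.0.113.11"]


def dns_exposure_report(registrar_ns, server_ips, subnet_prefix=24):
    """Return a dict saying whether inbound port 53 must stay open on this
    server and whether the nameserver set is genuinely redundant.

    registrar_ns: {nameserver hostname: IP address it resolves to}
    server_ips:   addresses configured on this server
    subnet_prefix: prefix length used to decide 'different subnet segment'
                   (assumption: /24 is a reasonable proxy for a segment)
    """
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    ns_ips = {name: ipaddress.ip_address(ip) for name, ip in registrar_ns.items()}

    # Nameservers that are really this box, whichever of its IPs they use.
    on_this_server = sorted(n for n, ip in ns_ips.items() if ip in own)
    # Nameservers whose address is not ours: at least one other host exists.
    elsewhere = sorted(n for n, ip in ns_ips.items() if ip not in own)

    # All addresses on this server collapse to one host, which is the point the
    # post makes: a second IP on the same machine is an alias, not a secondary.
    subnets = {
        ipaddress.ip_network(f"{ip}/{subnet_prefix}", strict=False)
        for ip in ns_ips.values()
    }

    must_keep_53_open = bool(on_this_server)
    truly_redundant = bool(on_this_server) and bool(elsewhere)

    if not registrar_ns:
        recommendation = "no nameservers listed; check the registrar record"
    elif not on_this_server:
        recommendation = ("DNS is served elsewhere: port 53 inbound can be "
                          "closed and the local DNS service is not needed")
    elif not elsewhere:
        recommendation = ("all listed nameservers are this server: keep port 53 "
                          "open; a second IP here is an alias, not a secondary")
    elif len(subnets) < 2:
        recommendation = ("keep port 53 open; secondary is a separate host but "
                          "shares the subnet segment, so a segment outage takes "
                          "both down")
    else:
        recommendation = ("keep port 53 open; secondary is on a separate host "
                          "and a separate subnet segment")

    return {
        "must_keep_port_53_open": must_keep_53_open,
        "nameservers_on_this_server": on_this_server,
        "nameservers_elsewhere": elsewhere,
        "distinct_subnets": len(subnets),
        "truly_redundant": truly_redundant,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    for key, value in dns_exposure_report(REGISTRAR_NS, SERVER_IPS).items():
        print(f"{key}: {value}")
```

With the constructed data above, both registrar nameservers point at the same machine, so the report says port 53 must stay open and flags that the pair is not a real primary/secondary setup. Feeding it an external nameserver address on another subnet produces the redundant case; feeding it only third-party addresses produces the "safe to close port 53" case.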
  5. Rocky@

    Rocky@ Guest

    I will try after I find out how it really works, and why Plesk lists it there. The server has not yet gone live; it is online, but no live sites yet. I guess I can afford to test it before then.

    Yep, I need to learn that secondary DNS thing.

    Also, I tried to install Snort Sam yesterday without success, because the MySQL version that comes with the current Plesk is not up to date.

    Thanks for the help!