• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Open DNS resolver in Plesk opens up for reflection attacks?

andreios

andreios

Regular Pleskian
I live in Germany and got an mail today from the "Bundesamt für Sicherheit in der Informationstechnik (BSI)" stating that my IP servers an open DNS resolver and I should fix this issue because this can be used for reflection attacks.
In named.conf I see this in the options section:

Code: 
options {
        allow-recursion {
                any;
        };
                listen-on-v6 { any; };
        version "none";
        directory "/var";
        auth-nxdomain no;
        pid-file "/var/run/named/named.pid";
};
Is allow-recusion for all addresses really needed?

And how do I modify the options section in the right way?
support.plesk.com

Plesk Help Center

support.plesk.com support.plesk.com
When I understand right according to this article I just have to add in options setting:
Code: 
hostname none;
And in this way I can override and set any options in the options section and it won't be removed by Plesk?

And what are the best settings to prevent reflection attacks?

My Bind Version:
BIND 9.16.1-Ubuntu (Stable Release)
Ubuntu 20.04.2 LTS
 
I found posts even from 2006 where this issue is already stated. But I couldn't find any official looking answer from Plesk for this.
How is it possible that Plesk has no interests in solving this issue for such a long period oft time?

named.conf / BIND configuration insecure by default

Hi, I think Plesk's named.conf config should be more secure !!! It doesn't close recursive DNS by default .. so BIND is running as an open-DNS server. This makes it very vulnerable to be used in DDOS attacks. So there should be a 'recursion no;' in named.conf's 'options' directive...
talk.plesk.com talk.plesk.com
 
You must log in or register to reply here.

Similar threads

tethis IT
Resolved Loads of messages "named[...]: network unreachable resolving '...': 2001:7fe::53#53"
Replies
2
Views
10K
Alban Staehli
A
H.W.B
Issue DNSSEC with Ubuntu Problems
Replies
6
Views
3K
Kaspar@Plesk
Kaspar@Plesk
F
Question AlmaLinux 9.1: bind configuration for slave dns
Replies
5
Views
2K
FYI
F
P
Issue Additional DNS Settings not working - no IPv6 Resolution
Replies
3
Views
3K
johnny_silverhand
J
S
Resolved DNS zones not transfered with specific settings
Replies
3
Views
2K
slishy
S
Back
Top