• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Open DNS resolver in Plesk opens up for reflection attacks?

andreios

andreios

Regular Pleskian
I live in Germany and got an mail today from the "Bundesamt für Sicherheit in der Informationstechnik (BSI)" stating that my IP servers an open DNS resolver and I should fix this issue because this can be used for reflection attacks.
In named.conf I see this in the options section:

Code: 
options {
        allow-recursion {
                any;
        };
                listen-on-v6 { any; };
        version "none";
        directory "/var";
        auth-nxdomain no;
        pid-file "/var/run/named/named.pid";
};
Is allow-recusion for all addresses really needed?

And how do I modify the options section in the right way?
support.plesk.com

Plesk Help Center

support.plesk.com support.plesk.com
When I understand right according to this article I just have to add in options setting:
Code: 
hostname none;
And in this way I can override and set any options in the options section and it won't be removed by Plesk?

And what are the best settings to prevent reflection attacks?

My Bind Version:
BIND 9.16.1-Ubuntu (Stable Release)
Ubuntu 20.04.2 LTS
 
I found posts even from 2006 where this issue is already stated. But I couldn't find any official looking answer from Plesk for this.
How is it possible that Plesk has no interests in solving this issue for such a long period oft time?

named.conf / BIND configuration insecure by default

Hi, I think Plesk's named.conf config should be more secure !!! It doesn't close recursive DNS by default .. so BIND is running as an open-DNS server. This makes it very vulnerable to be used in DDOS attacks. So there should be a 'recursion no;' in named.conf's 'options' directive...
talk.plesk.com talk.plesk.com
 
You must log in or register to reply here.

Similar threads

tethis IT
Resolved Loads of messages "named[...]: network unreachable resolving '...': 2001:7fe::53#53"
Replies
2
Views
13K
Alban Staehli
A
H.W.B
Issue DNSSEC with Ubuntu Problems
Replies
6
Views
3K
Kaspar@Plesk
Kaspar@Plesk
F
Question AlmaLinux 9.1: bind configuration for slave dns
Replies
5
Views
3K
FYI
F
P
Issue Additional DNS Settings not working - no IPv6 Resolution
Replies
3
Views
3K
johnny_silverhand
J
C
Question VM with Plesk and Ubuntu: Ubuntu Upgrade 22.04-LTS to 24.04-LTS fails
Replies
3
Views
1K
chris-taylor
C
Back
Top