topic Re: BIND 9.2----everyone using this DNS in Operating System - HP-UX

BIND 9.2----everyone using this DNS

Rgomes — Tue, 21 Oct 2003 02:57:05 GMT

Hi All,

I have a DNS server( in the internet), ver is BIND 9.2.

I understand, anyone can use my DNS server for name resulation by pointing DNS setting in their OS( win98, winXP). How can I stop this behavior of my DNS server. I want only users from my network will use it.

Is this scenario ok, or anything else? Need your suggestions.

TIA,

Richard

Re: BIND 9.2----everyone using this DNS

Tomek Gryszkiewicz — Tue, 21 Oct 2003 03:04:20 GMT

Block incoming port 53 (UDP) on router

-Tomek

Re: BIND 9.2----everyone using this DNS

Rgomes — Tue, 21 Oct 2003 03:20:11 GMT

Hi Tomek,

Thanks for your reply.

Won't it block all users name-resulation related querries by denying all incoming request on port 53 on router?

It is an ISP DNS.

Best regards,
Richard

Re: BIND 9.2----everyone using this DNS

Tomek Gryszkiewicz — Tue, 21 Oct 2003 03:30:08 GMT

Oh, if it is ISP, it should be opened.
BTW why to deny all the world to use your DNS?

-Tomek

Re: BIND 9.2----everyone using this DNS

Rgomes — Tue, 21 Oct 2003 03:45:32 GMT

Hi Tomek,

I tried from my pc pointing another DNS server's IP, but I cannot resolve any host by that DNS!? I guess, that DNS server has some problem or allow hostsby IP addresses.

What I understand( or mis-understand), my DNS's port 53 should be open to all, and rest should be blocked.

Best regards,
Richard

Re: BIND 9.2----everyone using this DNS

U.SivaKumar_2 — Tue, 21 Oct 2003 04:21:52 GMT

Hi,

Let us assume that your Internal network address is 10.0.0.0/8.

Edit /etc/named.conf and put allow-recursion directive.

options {
directory "/var/named";
allow-recursion { 10.0.0.0/8; };
};

Restart named .

Now the Resolution of external domains will be only done for the clients having source IP address in your network viz 10.x.x.x

Anybody who try to use your DNS server for resolving external domains ( other than your own domain ) from Internet will not able to do that.

I recommend you to put this restriction for recursive lookup's , as sophisticated attacks like Birthday attack can be used to poison your DNS server's cache with false records.

regards,

U.SivaKumar

Re: BIND 9.2----everyone using this DNS

Rgomes — Tue, 21 Oct 2003 12:15:17 GMT

Hi Shivakumar,

In BIND 9.2 doc. I have seen ip_add_access list. Where does it differ between this two, I mean, access-list and recursive directive?

Thanks and best regards
Richard

Re: BIND 9.2----everyone using this DNS

Rgomes — Sun, 02 Nov 2003 05:00:07 GMT

Hi SivaKumar,

The DNS server is up and running. As I like to restrict other users outside of this ISP network, so they won't able to use my DNS server. Now my named.conf file looks like this as per your suggestion:

--------------------------------------------
options {

check-names response fail; // do not change this

check-names slave warn;

directory "/etc/named.data";

query-source address * port 53; (note: I uncommented this. It was preceded by a # in original output)

version "not a chance!!";

allow-recursion { 203.112.192.0/20; 209.58.24.0/24: };

};

zone "db.my.net" {

type master;

file "db.mynet";

allow-transfer { none; };
--------------------------------------------

Does this configuration also restricts other Internet DNS servers( out of ISP network) to query our DNS server? As this DNS server is an ISP DNS server and connected to internet 24x7, what it should be?

Thanks in advance,
Richard

Re: BIND 9.2----everyone using this DNS

Steven E. Protter — Sun, 02 Nov 2003 12:04:56 GMT

A firewall controlls access from the Internet to your organization. Blocking port 53 on the Internet will not block your organization from doing DNS. It will block the public from doing lookups on your BIND server.

This is okay,unless you have an external webserver and this BIND machine is supposed to provide DNS services for it. If so, you can't shut port 53.

More on that: A firewall has the equivalent of two NIC cards. Mine is actually a Linux box with two cards. The firewall setttings for eth0 the external card are much more restrictive than for the internal network eth1. The Linux iptables firewall and most others let you distinguish between internal and external services.

Depending on what you put on your DNS server, the fact that everyone CAN use it is meaningless. Unless there is a record on the main Internic database pointing to it, nobody will need or want to use it.

I have a record in the database that points my 13 customers domain names to look at my server. Anyone else that wants can try, but those requests will get passed right back up toward teh root of the Internet.

By pounding my server will millions of requests, it is theoretically possible to do a denial of service attack on the web servers of my legitimate customers.

So, I have port 53 selectively blocked so that only valid requests can come through. If its not valid for my domains the request is ignored at very little cpu and band width cost.

I have details, but you'll need to refine your question for me to help any more.

SEP

Re: BIND 9.2----everyone using this DNS

Rgomes — Sun, 02 Nov 2003 13:20:03 GMT

Hi SEP,

Thanks for your reply. As I can see, you are giving so much valuable suggestions everyday on very different subject area, I must again thank you.

Whatever, I allow users of my ISP only to use my DNS server by 'allow-recursion' statement in named.conf file. This is ok and I tested it as 'user from another ISP', and it worked, my DNS server didn't allow me to browse.

Fine, now I want to be clear myself on one thing, I have a website www.mynet.com and it's record is in my DNS server. Suppose user2 from another ISP want to browse this page. Can he able to resolve this site www.mynet.com, as his ISP's DNS server does not have the record of www.mynet.com. Would user2's request go directly to Internic, or how this kind of request will be resolved? Will it conflict with 'allow-recursion' statement in named.conf file?
I know, this is very fundamental question, but I need to be clear of this thing.

Thanks a lot,
Richard