Operating System - HP-UX

BIND 9.2----everyone using this DNS

SOLVED
Rgomes
Valued Contributor

BIND 9.2----everyone using this DNS

Hi All,

I have a DNS server (on the Internet); the version is BIND 9.2.

I understand that anyone can use my DNS server for name resolution by pointing the DNS setting in their OS (Win98, WinXP) at it. How can I stop this behaviour of my DNS server? I want only users from my network to use it.

Is this scenario OK, or is there anything else? I need your suggestions.

TIA,

Richard
9 REPLIES
Tomek Gryszkiewicz
Trusted Contributor

Re: BIND 9.2----everyone using this DNS

Block incoming port 53 (UDP) on the router.

-Tomek
Rgomes
Valued Contributor

Re: BIND 9.2----everyone using this DNS

Hi Tomek,

Thanks for your reply.

Won't it block all users' name-resolution queries by denying all incoming requests on port 53 on the router?

It is an ISP DNS.

Best regards,
Richard
Tomek Gryszkiewicz
Trusted Contributor

Re: BIND 9.2----everyone using this DNS

Oh, if it is an ISP, it should be open.
BTW, why deny the whole world the use of your DNS?

-Tomek
Rgomes
Valued Contributor

Re: BIND 9.2----everyone using this DNS

Hi Tomek,

I tried from my PC pointing at another DNS server's IP, but I cannot resolve any host by that DNS!? I guess that DNS server has some problem or allows hosts by IP address.

What I understand (or misunderstand) is that my DNS's port 53 should be open to all, and the rest should be blocked.

Best regards,
Richard
U.SivaKumar_2
Honored Contributor
Solution

Re: BIND 9.2----everyone using this DNS

Hi,

Let us assume that your internal network address is 10.0.0.0/8.

Edit /etc/named.conf and put in the allow-recursion directive.

options {
directory "/var/named";
allow-recursion { 10.0.0.0/8; };
};

Restart named.

Now resolution of external domains will only be done for clients having a source IP address in your network, viz. 10.x.x.x.

Anybody who tries to use your DNS server for resolving external domains (other than your own domain) from the Internet will not be able to do that.

I recommend you put this restriction on recursive lookups, as sophisticated attacks like the birthday attack can be used to poison your DNS server's cache with false records.

regards,

U.SivaKumar

Innovations are made when conventions are broken
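As an added example (not SivaKumar's or Richard's own configuration), this is how the same restriction is normally written in BIND 9 with a named ACL. It takes the two customer prefixes Richard posts later in the thread and assumes the authoritative zone is called mynet.com and the data directory is /etc/named.data. Authoritative data stays answerable by anyone (allow-query { any; }), which an ISP server that also hosts customer zones needs, while recursion is limited to the ACL. The query source port is deliberately left to named's choosing rather than pinned to 53, because a predictable source port makes the spoofed-reply cache poisoning SivaKumar warns about easier.

```conf
// Added example, not from the thread.  Assumed values: the two customer
// prefixes below, the zone name mynet.com and the directory /etc/named.data.
acl "customers" {
    127.0.0.1;
    203.112.192.0/20;
    209.58.24.0/24;
};

options {
    directory "/etc/named.data";
    // Anyone on the Internet may ask about zones we are authoritative for,
    // otherwise nobody outside could resolve www.mynet.com.
    allow-query { any; };
    // Only our own customers may use this server as a recursive resolver.
    allow-recursion { customers; };
    // No fixed query-source port: a predictable port helps a spoofer
    // guess what a forged answer must look like.
    version "not a chance!!";
};

zone "mynet.com" {
    type master;
    file "db.mynet";
    allow-query { any; };
    allow-transfer { none; };
};
```

With this in place a customer at 203.112.200.5 gets full recursion, while a host elsewhere can still get an answer for www.mynet.com but is denied when it asks for any name the server does not own.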
Rgomes
Valued Contributor

Re: BIND 9.2----everyone using this DNS

Hi Shivakumar,

In the BIND 9.2 doc I have seen ip_add_access list. Where do these two differ, I mean the access list and the recursion directive?

Thanks and best regards
Richard
Rgomes
Valued Contributor

Re: BIND 9.2----everyone using this DNS

Hi SivaKumar,

The DNS server is up and running. I would like to restrict other users outside of this ISP network, so they won't be able to use my DNS server. Now my named.conf file looks like this as per your suggestion:

--------------------------------------------
options {
check-names response fail; // do not change this
check-names slave warn;
directory "/etc/named.data";
query-source address * port 53; // note: I uncommented this. It was preceded by a # in the original output
version "not a chance!!";
allow-recursion { 203.112.192.0/20; 209.58.24.0/24; };
};

zone "db.my.net" {
type master;
file "db.mynet";
allow-transfer { none; };
};
--------------------------------------------

Does this configuration also restrict other Internet DNS servers (outside the ISP network) from querying our DNS server? As this DNS server is an ISP DNS server and connected to the Internet 24x7, what should it be?

Thanks in advance,
Richard
Steven E. Protter
Exalted Contributor

Re: BIND 9.2----everyone using this DNS

A firewall controls access from the Internet to your organization. Blocking port 53 on the Internet will not block your organization from doing DNS. It will block the public from doing lookups on your BIND server.

This is okay, unless you have an external webserver and this BIND machine is supposed to provide DNS services for it. If so, you can't shut port 53.

More on that: a firewall has the equivalent of two NIC cards. Mine is actually a Linux box with two cards. The firewall settings for eth0, the external card, are much more restrictive than for the internal network, eth1. The Linux iptables firewall and most others let you distinguish between internal and external services.

Depending on what you put on your DNS server, the fact that everyone CAN use it is meaningless. Unless there is a record on the main Internic database pointing to it, nobody will need or want to use it.

I have a record in the database that points my 13 customers' domain names to look at my server. Anyone else that wants can try, but those requests will get passed right back up toward the root of the Internet.

By pounding my server with millions of requests, it is theoretically possible to do a denial of service attack on the web servers of my legitimate customers.

So, I have port 53 selectively blocked so that only valid requests can come through. If it's not valid for my domains the request is ignored at very little CPU and bandwidth cost.

I have details, but you'll need to refine your question for me to help any more.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rgomes
Valued Contributor

Re: BIND 9.2----everyone using this DNS

Hi SEP,

Thanks for your reply. As I can see, you are giving so many valuable suggestions every day on very different subject areas, so I must thank you again.

Whatever the case, I allow only users of my ISP to use my DNS server by the 'allow-recursion' statement in the named.conf file. This is OK and I tested it as a 'user from another ISP', and it worked: my DNS server didn't allow me to browse.

Fine, now I want to be clear on one thing. I have a website www.mynet.com and its record is in my DNS server. Suppose user2 from another ISP wants to browse this page. Can he resolve this site www.mynet.com, as his ISP's DNS server does not have the record of www.mynet.com? Would user2's request go directly to Internic, or how will this kind of request be resolved? Will it conflict with the 'allow-recursion' statement in the named.conf file?
I know this is a very fundamental question, but I need to be clear on this.

Thanks a lot,
Richard
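To repeat the check Richard describes (testing the server as a "user from another ISP") without a browser, here is an added example script, not part of the thread, that sends a raw DNS query with the recursion-desired bit set for a name the server is not authoritative for and classifies the reply from its header flags. Run it from an address outside the allow-recursion list: an open resolver comes back with RA set and an answer, while a server that denies recursion replies, depending on BIND version, either with rcode REFUSED or with a referral that has the RA bit clear; the classifier recognises both. The server address, the probe name www.example.com and the sample replies at the bottom are assumptions and constructed data, not captures from Richard's server.

```python
"""Probe whether a name server will recurse for us (added example, not from
the thread).  Builds a raw query with RD set, sends it over UDP and classifies
the reply by its 12-byte header.  The SAMPLE_* replies are constructed."""
import socket
import struct

RCODE_REFUSED = 5  # RFC 1035 rcode "Refused"


def build_query(qname: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Serialise a one-question query for <qname> A/IN."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(data: bytes) -> dict:
    """Decode the DNS header; the header alone is enough to classify."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(hdr: dict) -> str:
    """Outcome for a query about a name the server is NOT authoritative for."""
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"             # recursion denied outright
    if hdr["aa"]:
        return "authoritative"       # server owns the name; not a recursion test
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-recursion"      # it resolved a foreign name for us
    if not hdr["ra"] and hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral"            # RA clear, only NS records: referral to the root
    return "no-recursion"


def probe(server: str, qname: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send the query to <server>:53 over UDP and classify the answer."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


# Constructed reply headers (QR and RD set in all of them); not real captures.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # RA set, one answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # rcode 5
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # RA clear, 13 NS
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)      # AA set

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))     # e.g. python probe.py 203.0.113.53
    else:
        for name, sample in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                             ("referral", SAMPLE_REFERRAL), ("auth", SAMPLE_AUTH)]:
            print(name, "->", classify(parse_header(sample)))
```

Run it once from inside the customer ranges and once from outside; the inside run should report open-recursion and the outside run refused or referral. Querying the server's own zone (www.mynet.com) from outside should still come back authoritative, which is the behaviour Richard asks about at the end of the thread.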