more about dnsreport. Open DNS servers
Hi again,

I'm still looking into the result this dnsreport tool returns and I've seen that all my domains show up with the following failure:

*FAIL* *Open DNS servers* ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 217.76.135.23 reports that it will do recursive lookups. [test http://www.dnsreport.com/tools/lookup.ch?domain=www.DNSstuff.com&server=217.76.135.23]
Server 217.76.144.176 reports that it will do recursive lookups. [test http://www.dnsreport.com/tools/lookup.ch?domain=www.DNSstuff.com&server=217.76.144.176]
See this page http://www.dnsreport.com/info/opendns.htm for info on closing open DNS servers.

Is this error important? And seeing that the way to fix it is by modifying named.conf, can that be changed per zone or is it global for the whole DNS server? If a DNS server doesn't allow recursive queries, how does it resolve queries for names for which it is not authoritative?

Emi
2006/11/8, Emiliano Sutil
> Is this error important?

Yesss.. it is important!!!! IMHO, it's like having an open proxy/relay!!!! Besides, others can use your machine to carry out attacks and/or take advantage of your network's resources by using your DNS.

> And seeing that the way to fix it is by modifying named.conf, can that be changed per zone or is it global for the whole DNS server?

mmm.. generally it's "global", but you can configure the DNS with views and apply "recursion on" to your network and "recursion off" to everything else.

> If a DNS server doesn't allow recursive queries, how does it resolve queries for names for which it is not authoritative?

search the web for bind views, that will clear things up for you.

cheers
-- 
Victor Hugo dos Santos
Linux Counter #224399
2006/11/8, Victor Hugo dos Santos:
> mmm.. generally it's "global", but you can configure the DNS with views and apply "recursion on" to your network and "recursion off" to everything else.

In the link Emiliano posted they tell you how to fix it in Bind:

Fixing BIND
- Open named.conf with a text editor
- Use a line "recursion no;" in the "options" clause (or in the "view" clause)
If you need to enable recursion for your local network, you can use a "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line in the "options" section. [Use caution; BIND files are easy to break]
For complete hardening, see http://www.cymru.com/Documents/secure-bind-template.html.

Regards,
-- 
Camaleón
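Putting Victor's views answer and the dnsreport instructions Camaleón quoted together, here is an added example (not from the thread, the dnsreport page or the Cymru template) of a BIND 9 named.conf that turns recursion off globally and allows it only for an internal view. The "trusted" ACL name, the 192.0.2.0/24 range and the example.com zone are placeholders.

```conf
// Added example, not from the thread: BIND 9 named.conf with recursion
// off for the world and on only for the local network (views + allow-recursion).
// "trusted", 192.0.2.0/24 and example.com are placeholders.
//
// What dnsreport flagged is the default: an options clause with no
// "recursion" statement at all behaves as "recursion yes;", so the server
// answers recursive queries from anyone on the Internet.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;                 // placeholder: your internal network
};

options {
    directory "/var/named";
    recursion no;                 // global default: authoritative answers only
    allow-query-cache { none; };  // no cache to poison or to leak
};

// With views every zone must live inside a view; the zone is declared in
// both so the same name is authoritative for internal and external clients.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;                // this view is a resolver for our own users
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // a name outside our zones is REFUSED,
                                  // not resolved (old BIND 9 releases return
                                  // a referral to the root servers instead)
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Run named-checkconf on the file before reloading; afterwards a recursive query from outside 192.0.2.0/24 should come back REFUSED with the RA flag cleared, which is what dnsreport's lookup test checks for.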
Emiliano Sutil wrote:
> Is this error important? And seeing that the way to fix it is by modifying named.conf, can that be changed per zone or is it global for the whole DNS server? If a DNS server doesn't allow recursive queries, how does it resolve queries for names for which it is not authoritative?
These days your domain's DNS servers shouldn't be recursive, that is, they should only resolve your own domain. On the other hand, the internal DNS servers, the ones your network's users would use, should be. There are a couple of O'Reilly books that are very good. The "Cookbook" is very practical since it covers topics like this one about recursion.
Participants (4): Camaleón, Emiliano Sutil, Luis O., Victor Hugo dos Santos