Very nice, I got it, thanks every one. Kind regards, Alans
-----Original Message-----
From: Mark Elkins [mailto:m...@posix.co.za]
Sent: Thursday, October 08, 2009 12:22 PM
To: Alans
Subject: Re: Our DNS is vulnerable --need help

On Thu, 2009-10-08 at 11:15 +0300, Alans wrote:
> Hi List,
>
> According to this site (tool) http://recursive.iana.org/ our DNS is
> vulnerable (result is: Is recursive, with source port randomization)!
> It's an ISP's DNS so yes, recursion is available. What can we do to
> eliminate the risk?

Restrict queries to your customers. (in /etc/named.conf)

    options {
        directory "/var/bind";
        listen-on-v6 { any; };
        allow-query { 127.0.0.1; 160.124.0.0/16; 2001:42a0::/32; 192.96.24.0/21; };
    };

ie - my customers are on:-
160.124.0.0/16;
- etc

If you have a checker tool and you run it internally - it'll obviously still say you are 'open to recursion'.

If this is also an authoritative nameserver (you host a domain or two) then... (named.conf)

    acl posix-cust { 160.124.0.0/16; 192.96.24.0/21; 127.0.0.1; 2001:42a0::/32; };

    options {
        directory "/var/bind";
        listen-on-v6 { any; };
        allow-query { any; };
        allow-recursion { posix-cust; };
    };

Anyone can ask non-recursive questions - but only customers can ask recursive questions

--
Posix Systems - Sth Africa
m...@posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
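An added example, not from the thread or from BIND itself: a small checker that reads named.conf fragments modelled on the two configurations in Mark's reply (plus a constructed open-resolver one), resolves acl names, and reports who can obtain recursive answers. It assumes a simplified named.conf grammar (one options block, flat acl statements) and treats a missing allow-recursion as falling back to allow-query, the old BIND 9 behaviour; newer releases default to localnets/localhost instead.

```python
import re

# Constructed named.conf fragments modelled on the mail above: an open resolver
# (allow-query any, no allow-recursion), Mark's customer-only variant, and his
# authoritative-plus-customer-recursion variant.
OPEN = "options { allow-query { any; }; };"
CUSTOMERS_ONLY = """
options {
    allow-query { 127.0.0.1; 160.124.0.0/16; 2001:42a0::/32; 192.96.24.0/21; };
};
"""
AUTH_PLUS_CUSTOMERS = """
acl posix-cust { 160.124.0.0/16; 192.96.24.0/21; 127.0.0.1; 2001:42a0::/32; };
options {
    listen-on-v6 { any; };
    allow-query { any; };
    allow-recursion { posix-cust; };
};
"""

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """Top-level acl statements as {name: [address-match elements]}."""
    return {n: _elements(b) for n, b in re.findall(r"acl\s+([\w-]+)\s*\{([^}]*)\}", conf)}

def option_list(conf, option):
    """Address-match list of one option inside options { }, or None if absent."""
    body = re.search(r"options\s*\{(.*)\};", conf, re.S).group(1)
    m = re.search(rf"\b{option}\s*\{{([^}}]*)\}}", body)
    return _elements(m.group(1)) if m else None

def expand(elements, acls):
    """Replace acl names with their members so only addresses/keywords remain."""
    out = []
    for e in elements:
        out.extend(expand(acls[e], acls) if e in acls else [e])
    return out

def recursion_exposure(conf):
    """Who gets recursive answers. Assumption: a missing allow-recursion falls
    back to allow-query (old BIND 9 behaviour; newer releases default to
    localnets/localhost), and allow-query itself defaults to any."""
    acls = parse_acls(conf)
    query = option_list(conf, "allow-query") or ["any"]
    clients = expand(option_list(conf, "allow-recursion") or query, acls)
    if "any" in clients:
        return "open recursive resolver"
    return "recursion limited to " + ", ".join(clients)
```

Running recursion_exposure over the three fragments flags only the first as open; the authoritative variant still answers non-recursive queries from anyone but confines recursion to the posix-cust addresses.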