Open Resolver question - hopefully the right place - thanks!

The support ticket I got about this mentioned networking, so hopefully this is the right forum area. If not, please let me know so I can post it more appropriately. Thank you for any help. Here's my question.

I've received a notification from the support team that I need to "close" an Open Resolver.

This is beyond my knowledge level. I am not the person who originally set up this server (and he is deceased, so not available to ask about it). I'm not sure why it's suddenly an issue when I haven't made any changes and it's probably set up exactly the same way as it's been for the past number of years. But, they're saying I have to fix it within 72 hours. So I'm hoping I can receive some assistance to fix this without messing up anything else on my linode, which is running fine with no problems.

Here's the information I've been given:
> It has come to our attention that your Linode is running an open resolver. This is a concern for us because this configuration means your Linode could easily be used in a DNS amplification attack. We kindly ask that you investigate this matter and take appropriate action.
>
> If you are running a resolver as part of your networking configuration, you'll likely want to adjust it so that only internal requests are accepted.

When I replied asking for assistance, I was told this:
> You will need to adjust your configuration appropriately. You can either disable the resolver you are running, or configure it to only respond to authorized computers.
>
> It appears that you are running BIND:
>
> ````
> $ dig @64.71.152.195 chaos txt version.bind +short
> "9.2.4"
> ````

I'm comfortable going in to my linode files at root level via FTP and opening any file I need to, if I know exactly what I need to change and where to look for it.

I've used the remote access tool on the linode site as well, but I usually need a little bit more direction to make sure I know exactly what commands I need to enter to do something that way.

Thank you for any help.

15 Replies

http://www.zytrax.com/books/dns/ch9/close.html

I appreciate the link, but I don't actually understand the information and instructions on that page. I don't know which of the cases listed apply, how to find out, or where and how to implement the solutions.

Thank you for any more assistance… I've had some people on these forums be very helpful in breaking things down step by step for me in a couple of other instances over the years where I've had a problem I didn't know how to fix. I will really appreciate if there's anyone who can help me in that manner again.

If you're not sure why you need to run a DNS server, you probably shouldn't. I imagine your former sysadmin set it up as he could admin it properly.

In this case, it sounds like your server is answering queries for zones it is not authoritative for. Following #2 should fix this. The setting, 'recursion no;' should be added to the bind config file, typically '/etc/named.conf'

It should look something like: http://puu.sh/1oTf8 You may safely ignore the other options displayed; the option you want to change (or add, if not there) is the 'recursion' line.

@derfy:

> If you're not sure why you need to run a DNS server, you probably shouldn't.

It's a regular web site with a couple of open source PHP applications such as a forum, a calendar, and some image galleries. I'm not sure if there's any advantage to running the DNS server either, but I don't want to take the chance of messing up something else by removing it outright when I'm not sure if it was there for a good reason.

> In this case, it sounds like your server is answering queries for zones it is not authoritative for. Following #2 should fix this. The setting, 'recursion no;' should be added to the bind config file, typically '/etc/named.conf'
>
> It should look something like: http://puu.sh/1oTf8 You may safely ignore the other options displayed; the option you want to change (or add, if not there) is the 'recursion' line.

This sounds like a set of instructions I should be able to follow. I actually have to leave for a class momentarily, and then go straight to work for a few hours. I don't want to try this when I'm in a hurry, so I will try and do it later tonight, and see if this takes care of the problem to satisfy the support ticket I received.

I very much appreciate the assistance, and I will post again later if it's all good or if I have any other questions, to beg further help.

I don't recommend disabling recursion entirely - it's possible that your Linode is configured to use itself as its recursive name server. Maybe it's not and disabling recursion is fine, but the more conservative course of action would be to simply restrict recursion to the local host.

Instead of 'recursion no;' add:

````
allow-recursion { localhost; };
````

I appreciate this advice, and it sounds like it might be nice to try this first.

However - I do not find the recursion setting/option in my etc/named.conf file.

Would it be appropriate for me to post the text of that file here?

It has a comment that it is "// a caching only nameserver config"

And there are references to a few different "zones," each of which appears to be one of the domains hosted on this Linode. Again - this is all beyond my knowledge of how the setup works. So if it would be helpful (and presumably not threatening to server security to share this information on the forum), I can post the contents of the file here for any further advice.

Thank you!

You're running out of time before LINODE will shut down your whole server for you.

Just stop BIND, and if nothing breaks, leave it stopped.

There is rarely a need to run your own DNS server.

If you end up needing it, then you need to ADD the lines that prevent it from being an open-relay to its config file and restart BIND to make the changes take effect.

What domains run on your host? That simple bit of info will allow others to check if you need your own Name server or not.

> What domains run on your host? That simple bit of info will allow others to check if you need your own Name server or not.

There are "zones" listed for:

www.ilan-herman.com

www.digitalninjas.org

www.ipwn.eu

www.dm-gremlin.com

www.starkravenmusic.com

Three of these no longer exist on the server:

www.ilan-herman.com

www.digitalninjas.org

www.ipwn.eu

Can I safely delete the lines pertaining to these sites that no longer exist on my host? For example:
````
zone "ilan-herman.com" {
    type master;
    file "/var/named/ilan-herman.com.hosts";
};
````

**Two of these DO still exist on the server, so this is the answer to your recommendation to list the domains that run on my host:**

www.dm-gremlin.com

www.starkravenmusic.com

> If you end up needing it, then you need to ADD the lines that prevent it from being an open-relay to it's config file and restart BIND to make the changes take effect.

Would this mean adding the line:

````
allow-recursion { localhost; };
````

to the named.conf file? I thought that suggestion was telling me I would have to change a line already present. If it really means I need to add that line, that is helpful and I will try that.

And after doing so, would rebooting the server restart BIND as you mention? I don't know how to start or stop it independently.

Thank you!

Oh, really? Are open resolvers in some way frowned upon on linode's network / hosting?

If your ISP's provided DNS is unreliable, you could always use one of the common ones like these two:

http://www.opendns.com/opendns-ip-addresses
https://developers.google.com/speed/public-dns/docs/using

I personally won't use either of those:

Part of the reason I'm running a non-advertised, yet "open" DNS resolver is for people using the local ISP here (many people around town, friends, neighbors or otherwise don't like our ISP's DNS) … they run a DNS hijacking / advertising-revenue generating… whatever you call it, "service" (I don't have nice words for it)

Basically, I've stopped using google public DNS after my friend pointed out the trouble she was having with opendns… I tested google DNS, and the same thing happened ---> She pointed out that among other things, many DNS providers are censoring several websites for political reasons, and I put up an instance of unbound for us to use because our local ISP was flaky and sometimes redirected to advertisements whenever an address wasn't in cache or networking trouble caused delays, etc. (not just for typos)

@kuzetsa:

> Oh, really? Are open resolvers in some way frowned upon on linode's network / hosting?

More like frowned upon by the networking community in general. The moment an attacker discovers your open resolver, they can use it as a springboard for a variety of attacks, such as those noted in the link posted earlier by vonskippy. Even if it doesn't hurt your machine particularly, you can become part of a much larger attack. (I think Cloudflare recently posted about a 60+Gbps DNS amplification attack, for example)

That's not to say that a open resolver is, itself, a bad thing, but there are so many that are running unnecessarily that when combined they are a really powerful way to generate a large scale attack. The large public resolvers like Google's also put a lot of work into ameliorating attack possibilities as much as they can, whereas most individual resolvers tend to be default configurations that are perfectly happy to answer requests as fast as they can.

As such, just about anyone running their own resolver should have it locked down to just those clients it is intended to serve. There's really no need to accept queries from just anyone and a little googling will show how many headaches the large number of open resolvers currently running are causing providers, not to mention targets.

> Part of the reason I'm running a non-advertised, yet "open" DNS resolver is for people using the local ISP here (many people around town, friends, neighbors or otherwise don't like our ISP's DNS) … they run a DNS hijacking / advertising-revenue generating… whatever you call it, "service" (I don't have nice words for it)
You should then be filtering your resolver to only accept traffic from those who you wish to handle or be responsible for. Of course, that can be tricky if they're on dynamically changing addresses, but without that you're exposed. Since you're probably providing to largely your own local region, you should be able to have some prefixes that are being used by the providers whom you are offering to supplant for your friends and neighbors. At the very least just use broad net-blocks of the local ISPs and at least you'll only be open to your local region.

– David
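A worked named.conf fragment for the two cases discussed in this thread: recursion for the local host only, and recursion for a set of net-blocks as David suggests above. This is an added example, not anyone's configuration from the thread; the prefixes are documentation-range placeholders to be replaced with the blocks you actually serve, and the zone name is taken from the thread's own example.

```conf
// Added example, not a configuration posted in this thread.
//
// BEFORE (weak): an options block with no allow-recursion at all.
// BIND answers recursive queries for anyone on the Internet, which is
// exactly what the support ticket complains about.
//
// options {
//     directory "/var/named";
// };

// AFTER (restricted): recursive lookups only for clients named in the
// "trusted" ACL. The ACL must be defined before it is referenced.
// For a single host that only needs to resolve for itself, the list
// can be just "localhost;".
acl "trusted" {
    localhost;
    192.0.2.0/24;       // placeholder: a net-block you serve (e.g. a local ISP range)
    198.51.100.0/24;    // placeholder: a second net-block
};

options {
    directory "/var/named";

    // Zones this server is master for still answer to everyone,
    // so the hosted domains keep resolving.
    allow-query { any; };

    // Recursion (looking up other people's zones) only for the ACL.
    allow-recursion { trusted; };

    // Also withhold cached answers from outsiders. This directive
    // exists from BIND 9.4 on; a 9.2.x server such as the one in the
    // thread has only allow-recursion and should leave this line out.
    allow-query-cache { trusted; };
};

zone "dm-gremlin.com" {
    type master;
    file "/var/named/dm-gremlin.com.hosts";
};
```

With `allow-query { any; }` left open, the server still answers for the zones it is master for; only recursive lookups (and, on newer BIND, cached answers) are withheld from clients outside the ACL. After editing, `named-checkconf` reports syntax errors before you restart the service, which is cheaper than finding them after a reboot.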

If 64.71.152.195 is your Linode's IP address, you need to keep running a name server, because that's the name server for dm-gremlin.com and starkravenmusic.com. You can safely remove the zone sections for the other domains, as in your example.

@wynnesome:

> Would this mean adding the line:
>
> ````
> allow-recursion { localhost; };
> ````
>
> to the named.conf file? I thought that suggestion was telling me I would have to change a line already present. If it really means I need to add that line, that is helpful and I will try that.
>
> And after doing so, would rebooting the server restart BIND as you mention? I don't know how to start or stop it independently.
>
> Thank you!

Yes, you need to add that line if there isn't already a line for "allow-recursion". It should go within the "options {" section, if you have one. If you don't have an options section you should add one to the top of the file. The whole thing should look something like this:

````
options {
    ...whatever you have here already, if anything...
    allow-recursion { localhost; };
};
````

Rebooting the server would restart BIND.

Based on everyone's advice, I've changed two areas of my named.conf file.

I removed the "zones" for the domains no longer existing on my host.

I added the recursion line to the "options" section.

Here's what it looks like now:
````
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */

    // query-source address * port 53;

    allow-recursion { localhost; };
};
````

Here's what it looked like before:
````
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */

    // query-source address * port 53;
};
````

So, the only difference being the one added line.

I rebooted my Linode. My sites seem to be running fine.

Has the Open Resolver issue been fixed? If so, I think everything is ok. If not, I will have to beg further troubleshooting help.

Thank you to everyone again.

````
; <<>> DiG 9.9.2 <<>> @64.71.152.195 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27653
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

````

Looks good from here.
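The dig output above is the check worth automating: the `ra` (recursion available) flag in the header line tells you whether the server offered recursion to the client that asked, and its absence is what produces the "recursion requested but not available" warning. Below is an added shell example, not code from the thread, that reads dig's header and reports the state. The two sample outputs are constructed, one for a still-open resolver and one matching the restricted result shown above; `check_live` runs the real query and needs network access.

```shell
#!/bin/sh
# Added example (not from the thread): decide from dig's header whether a
# resolver offered recursion to the client that asked.

# recursion_available DIG_OUTPUT -> exit 0 if the "ra" flag is set, 1 if not
recursion_available() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            # keep only the flag list between "flags:" and the first ";"
            sub(/^;; flags: */, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: what an open resolver returns to any client.
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Constructed sample: a restricted resolver, same shape as the post-fix
# dig output quoted in the thread.
CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27653
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# check_live SERVER: ask the server for a name it is not authoritative for.
# Returns 0 when recursion is refused, 1 when it is offered, 2 on no reply.
check_live() {
    out=$(dig @"$1" www.google.com +tries=1 +time=5 2>&1) || return 2
    if recursion_available "$out"; then
        echo "$1: OPEN - recursion offered to this client"; return 1
    fi
    echo "$1: restricted - no recursion for this client"; return 0
}

if recursion_available "$OPEN_SAMPLE"; then echo "sample 1: open"; else echo "sample 1: restricted"; fi
if recursion_available "$CLOSED_SAMPLE"; then echo "sample 2: open"; else echo "sample 2: restricted"; fi
```

Run `check_live` from a host outside the ACL (a home connection, not the Linode itself), because a query from localhost will legitimately still get `ra` after the fix.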

There's still more to be done:

````
$ whois dm-gremlin.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: DM-GREMLIN.COM

[...]

   Domain servers in listed order:
      NS1.DM-GREMLIN.COM
      NS2.DM-GREMLIN.COM

$ host ns1.dm-gremlin.com
ns1.dm-gremlin.com has address 64.71.152.195
$ host ns2.dm-gremlin.com
ns2.dm-gremlin.com has address 64.71.152.195
````

The two name servers designated for this domain are the same machine, which is a Bad Idea. The same thing is true for starkravenmusic.com.

I suggest doing the following:

1. Go into the Linode DNS manager and add domain zones for dm-gremlin.com and starkravenmusic.com.

2. Add DNS records for each name (e.g., www) that you need to resolve. You may be able to import these from your existing name server.

3. Wait 15 minutes, then check that Linode's name servers are resolving your names properly. Try

````
dig www.dm-gremlin.com @ns1.linode.com
````

plus any other names your machine is known by in place of 'www.dm-gremlin.com'. These should all resolve to 64.71.152.195.

4. Go to your domain registrars, and change your nameservers to ns1.linode.com, ns2.linode.com, ns3.linode.com, ns4.linode.com, and ns5.linode.com (it's OK if you can't enter all five in, as long as you have at least two).

5. Wait 24-48 hours, then check that everything is working with

````
dig www.dm-gremlin.com
````

The authority section should list ns1.linode.com, ns2.linode.com, etc., not ns1.dm-gremlin.com.

6. If all looks good, shut down bind on your machine and configure it not to start up again on reboot.
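The whois/host check at the top of this post and the verification in steps 3 and 5 can be turned into one repeatable test. The shell example below is added here and is not from the thread: given "NSNAME ADDRESS" lines, it reports whether all name servers sit on a single machine (the Bad Idea above) and whether the delegation points under the expected provider's domain. The "before" sample uses the addresses from the post; the "after" sample uses documentation-range placeholder addresses, not Linode's real ones. `live_ns_lines` builds the same lines from public DNS and needs network access.

```shell
#!/bin/sh
# Added example (not from the thread): check a domain's delegation.
# Input format: one "NSNAME ADDRESS" line per name server.

# distinct_addresses NS_LINES -> prints how many different addresses appear
distinct_addresses() {
    printf '%s\n' "$1" | awk 'NF >= 2 && !seen[$2]++ { n++ } END { print n + 0 }'
}

# all_under_suffix NS_LINES SUFFIX -> 0 if every NS name is SUFFIX or ends in ".SUFFIX"
all_under_suffix() {
    printf '%s\n' "$1" | awk -v sfx="$2" '
        NF >= 1 {
            name = $1; sub(/\.$/, "", name)   # drop the trailing dot dig prints
            tail = substr(name, length(name) - length(sfx))
            if (name != sfx && tail != "." sfx) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# delegation_ok NS_LINES SUFFIX -> 0 only if the NS names resolve to at least
# two distinct hosts and all of them are under SUFFIX
delegation_ok() {
    [ "$(distinct_addresses "$1")" -ge 2 ] || return 1
    all_under_suffix "$1" "$2"
}

# Constructed: the situation in the post, both NS names on one machine.
BEFORE='ns1.dm-gremlin.com 64.71.152.195
ns2.dm-gremlin.com 64.71.152.195'

# Constructed: after moving to the provider's servers. Addresses are
# documentation-range placeholders, not the real ones.
AFTER='ns1.linode.com. 203.0.113.1
ns2.linode.com. 203.0.113.2
ns3.linode.com. 203.0.113.3'

# live_ns_lines DOMAIN: build the lines from the public DNS (needs network)
live_ns_lines() {
    dig +short NS "$1" | while read -r ns; do
        printf '%s %s\n' "$ns" "$(dig +short A "$ns" | head -n 1)"
    done
}

if delegation_ok "$BEFORE" linode.com; then echo "before: ok"; else echo "before: fix delegation"; fi
if delegation_ok "$AFTER" linode.com; then echo "after: ok"; else echo "after: fix delegation"; fi
```

For step 5, `delegation_ok "$(live_ns_lines dm-gremlin.com)" linode.com` succeeding is the signal that the registrar change has propagated and BIND on the Linode can be shut down.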

Thanks / noted…

I'll look over the recommendations in:

RFC5358: Preventing Use of Recursive Nameservers in Reflector Attacks

If by the end of 2012, I still can't come up with a more elegant solution, might just restrict service to a whitelist-only basis… or some other suggestion from this thread.

… Will have to wait until later though, I'm going to bed for the night.
