Open Resolver question - hopefully the right place - thanks!
I've received a notification from the support team that I need to "close" an Open Resolver.
This is beyond my knowledge level. I am not the person who originally set up this server (and he is deceased, so not available to ask about it). I'm not sure why it's suddenly an issue when I haven't made any changes and it's probably set up exactly the same way as it's been for the past number of years. But, they're saying I have to fix it within 72 hours. So I'm hoping I can receive some assistance to fix this without messing up anything else on my linode, which is running fine with no problems.
Here's the information I've been given:
> It has come to our attention that your Linode is running an open resolver. This is a concern for us because this configuration means your Linode could easily be used in a DNS amplification attack. We kindly ask that you investigate this matter and take appropriate action.
If you are running a resolver as part of your networking configuration, you'll likely want to adjust it so that only internal requests are accepted.
When I replied asking for assistance, I was told this:
> You will need to adjust your configuration appropriately. You can either disable the resolver you are running, or configure it to only respond to authorized computers.
It appears that you are running BIND -
$ dig @64.71.152.195 chaos txt version.bind +short
"9.2.4"
I'm comfortable going in to my linode files at root level via FTP and opening any file I need to, if I know exactly what I need to change and where to look for it.
I've used the remote access tool on the linode site as well, but I usually need a little bit more direction to make sure I know exactly what commands I need to enter to do something that way.
Thank you for any help.
15 Replies
Thank you for any more assistance… I've had some people on these forums be very helpful in breaking things down step by step for me in a couple of other instances over the years where I've had a problem I didn't know how to fix. I will really appreciate if there's anyone who can help me in that manner again.
In this case, it sounds like your server is answering queries for zones it is not authoritative for. Following #2 should fix this. The setting, 'recursion no;' should be added to the bind config file, typically '/etc/named.conf'
It should look something like:
@derfy:
If you're not sure why you need to run a DNS server, you probably shouldn't.
It's a regular web site with a couple of open source PHP applications such as a forum, a calendar, and some image galleries. I'm not sure if there's any advantage to running the DNS server either, but I don't want to take the chance of messing up something else by removing it outright when I'm not sure if it was there for a good reason.
> In this case, it sounds like your server is answering queries for zones it is not authoritative for. Following #2 should fix this. The setting, 'recursion no;' should be added to the bind config file, typically '/etc/named.conf'
It should look something like:
http://puu.sh/1oTf8 You may safely ignore the other options displayed; the option you want to change (or add, if not there) is the 'recursion' line.
This sounds like a set of instructions I should be able to follow. I actually have to leave for a class momentarily, and then go straight to work for a few hours. I don't want to try this when I'm in a hurry, so I will try and do it later tonight, and see if this takes care of the problem to satisfy the support ticket I received.
I very much appreciate the assistance, and I will post again later if it's all good or if I have any other questions, to beg further help.
Instead of 'recursion no;' add:
allow-recursion { localhost; };
However - I do not find the recursion setting/option in my etc/named.conf file.
Would it be appropriate for me to post the text of that file here?
It has a comment that it is "// a caching only nameserver config"
And there are references to a few different "zones," each of which appears to be one of the domains hosted on this Linode. Again - this is all beyond my knowledge of how the setup works. So if it would be helpful (and presumably not threatening to server security to share this information on the forum), I can post the contents of the file here for any further advice.
Thank you!
Just stop BIND, and if nothing breaks, leave it stopped.
There is rarely a need to run your own DNS server.
If you end up needing it, then you need to ADD the lines that prevent it from being an open-relay to its config file and restart BIND to make the changes take effect.
What domains run on your host? That simple bit of info will allow others to check if you need your own Name server or not.
> What domains run on your host? That simple bit of info will allow others to check if you need your own Name server or not.
There are "zones" listed for:
Three of these no longer exist on the server:
Can I safely delete the lines pertaining to these sites that no longer exist on my host? For example:
> zone "ilan-herman.com" {
type master;
file "/var/named/ilan-herman.com.hosts";
};
****Two of these DO still exist on the server - so this is the answer to your recommendation to list the domains that run on my host.
> If you end up needing it, then you need to ADD the lines that prevent it from being an open-relay to it's config file and restart BIND to make the changes take effect.
Would this mean adding the line:
> allow-recursion { localhost; };
to the named.conf file? I thought that suggestion was telling me I would have to change a line already present. If it really means I need to add that line, that is helpful and I will try that.
And after doing so, would rebooting the server restart BIND as you mention? I don't know how to start or stop it independently.
Thank you!
If your ISP's provided DNS is unreliable, you could always use one of the common ones like these two:
http://www.opendns.com/opendns-ip-addresses
https://developers.google.com/speed/public-dns/docs/using
I personally won't use either of those:
Part of the reason I'm running a non-advertised, yet "open" DNS resolver is for people using the local ISP here (many people around town, friends, neighbors or otherwise don't like our ISP's DNS) … they run a DNS hijacking / advertising-revenue generating… whatever you call it, "service" (I don't have nice words for it)
Basically, I've stopped using google public DNS after my friend pointed out the trouble she was having with opendns… I tested google DNS, and the same thing happened ---> She pointed out that among other things, many DNS providers are censoring several websites for political reasons, and I put up an instance of unbound for us to use because our local ISP was flaky and sometimes redirected to advertisements whenever an address wasn't in cache or networking trouble caused delays, etc. (not just for typos)
@kuzetsa:
Oh, really? Are open resolvers in some way frowned upon on linode's network / hosting?
More like frowned upon by the networking community in general. The moment an attacker discovers your open resolver, they can use it as a springboard for a variety of attacks, such as those noted in the link posted earlier by vonskippy. Even if it doesn't hurt your machine particularly, you can become part of a much larger attack. (I think Cloudflare recently posted about a 60+Gbps DNS amplification attack, for example)
That's not to say that an open resolver is, itself, a bad thing, but there are so many that are running unnecessarily that when combined they are a really powerful way to generate a large scale attack. The large public resolvers like Google's also put a lot of work into ameliorating attack possibilities as much as they can, whereas most individual resolvers tend to be default configurations that are perfectly happy to answer requests as fast as they can.
As such, just about anyone running their own resolver should have it locked down to just those clients it is intended to serve. There's really no need to accept queries from just anyone and a little googling will show how many headaches the large number of open resolvers currently running are causing providers, not to mention targets.
> Part of the reason I'm running a non-advertised, yet "open" DNS resolver is for people using the local ISP here (many people around town, friends, neighbors or otherwise don't like our ISP's DNS) … they run a DNS hijacking / advertising-revenue generating… whatever you call it, "service" (I don't have nice words for it)
You should then be filtering your resolver to only accept traffic from those who you wish to handle or be responsible for. Of course, that can be tricky if they're on dynamically changing addresses, but without that you're exposed. Since you're probably providing to largely your own local region, you should be able to have some prefixes that are being used by the providers whom you are offering to supplant for your friends and neighbors. At the very least just use broad net-blocks of the local ISPs and at least you'll only be open to your local region.
– David
@wynnesome:
Would this mean adding the line:
> allow-recursion { localhost; };
to the named.conf file? I thought that suggestion was telling me I would have to change a line already present. If it really means I need to add that line, that is helpful and I will try that. And after doing so, would rebooting the server restart BIND as you mention? I don't know how to start or stop it independently.
Thank you!
Yes, you need to add that line if there isn't already a line for "allow-recursion". It should go within the "options {" section, if you have one. If you don't have an options section you should add one to the top of the file. The whole thing should look something like this:
options {
...whatever you have here already, if anything...
allow-recursion { localhost; };
};
Rebooting the server would restart BIND.
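Since the original question was "I can't find the recursion setting in my named.conf", here is a small added checker (not code from the thread or from BIND) that reads a named.conf, strips the three comment styles BIND accepts, finds the options { ... } block and reports whether recursion is disabled, restricted to listed clients, or left unrestricted. SAMPLE_CONF is a constructed file in the shape of the poster's options block; the zone line in it is a placeholder. Treating "nothing set" as unrestricted matches what happened to the poster's 9.2.4 install; newer BIND releases ship tighter defaults, so a real audit should confirm the defaults for the version in use.

```python
import re
from typing import Optional

# Constructed sample in the shape of the poster's options block after the fix.
# Not the thread's file verbatim; the zone line is a placeholder.
SAMPLE_CONF = """
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    /*
     If there is a firewall between you and nameservers you want
     to talk to, you might need to uncomment the query-source
     directive below.
    */
    // query-source address * port 53;
    allow-recursion { localhost; };
};
zone "example.com" { type master; file "/var/named/example.com.hosts"; };
"""


def strip_comments(conf: str) -> str:
    """Remove the comment styles named.conf accepts: /* ... */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)  # crude: also trims '//' inside quoted strings
    return conf


def options_block(conf: str) -> Optional[str]:
    """Return the text inside the top-level options { ... } block, or None if absent."""
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None  # unbalanced braces: named would reject this file anyway


def recursion_status(conf: str) -> str:
    """Classify what the options block says about recursion.

    'disabled'     -> recursion no;            (answers only its own zones)
    'restricted'   -> allow-recursion { ... } that does not contain 'any'
    'unrestricted' -> allow-recursion { any; }, or no setting at all
                      (the poster's original file: an open resolver on 9.2.4)
    """
    body = options_block(strip_comments(conf)) or ""
    if re.search(r"(?<![\w-])recursion\s+no\s*;", body):
        return "disabled"
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", body)
    if m and not re.search(r"\bany\b", m.group(1)):
        return "restricted"
    return "unrestricted"


if __name__ == "__main__":
    import sys
    # Usage: python audit_named.py /etc/named.conf   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(recursion_status(text))
```

The lookbehind in the recursion regex keeps `allow-recursion { localhost; };` from being misread as `recursion no;`, and comments are stripped first so a commented-out `allow-recursion` line does not count as a fix.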
I removed the "zones" for the domains no longer existing on my host.
I added the recursion line to the "options" section.
Here's what it looks like now:
> options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
If there is a firewall between you and nameservers you want
to talk to, you might need to uncomment the query-source
directive below. Previous versions of BIND always asked
questions using port 53, but BIND 8.1 uses an unprivileged
port by default.
*/
// query-source address * port 53;
allow-recursion { localhost; };
};
Here's what it looked like before:
> options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
If there is a firewall between you and nameservers you want
to talk to, you might need to uncomment the query-source
directive below. Previous versions of BIND always asked
questions using port 53, but BIND 8.1 uses an unprivileged
port by default.
*/
// query-source address * port 53;
};
So, the only difference being the one added line.
I rebooted my Linode. My sites seem to be running fine.
Has the Open Resolver issue been fixed? If so, I think everything is ok. If not, I will have to beg further troubleshooting help.
Thank you to everyone again.
; <<>> DiG 9.9.2 <<>> @64.71.152.195 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27653
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available
Looks good from here.
$ whois dm-gremlin.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: DM-GREMLIN.COM
[...]
Domain servers in listed order:
NS1.DM-GREMLIN.COM
NS2.DM-GREMLIN.COM
$ host ns1.dm-gremlin.com
ns1.dm-gremlin.com has address 64.71.152.195
$ host ns2.dm-gremlin.com
ns2.dm-gremlin.com has address 64.71.152.195
The two name servers designated for this domain are the same machine, which is a Bad Idea
I suggest doing the following:
1. Go into the Linode DNS manager
2. Add DNS recordsimport
3. Wait 15 minutes, then check that Linode's name servers are resolving your names properly. Try
dig www.dm-gremlin.com @ns1.linode.com
plus any other names your machine is known by in place of '
4. Go to your domain registrars
5. Wait 24-48 hours, then check that everything is working with
dig www.dm-gremlin.com
The authority section should list ns1.linode.com, ns2.linode.com, etc., not ns1.dm-gremlin.com.
6. If all looks good, shut down bind on your machine and configure it not to start up again on reboot.
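The dig check earlier in this post ("recursion requested but not available", no RA flag in the reply) is the right way to confirm the fix from outside. As an added example that is not part of the thread, here is the same check done by hand in Python so the flag logic is visible: it builds a recursive A query (RD=1) for a name the server is not authoritative for, sends it over UDP, and classifies the reply from the RA bit, the RCODE and the answer count. CLOSED_REPLY and OPEN_REPLY are constructed reply headers (the first mirrors the dig output above); the server address and query name are arguments you supply, and the only address you should point it at is your own server.

```python
import socket
import struct

QR_FLAG = 0x8000   # message is a response
RD_FLAG = 0x0100   # recursion desired (set by the client)
RA_FLAG = 0x0080   # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (RD=1) for `name`, type A (1), class IN (1)."""
    header = struct.pack(">HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR_FLAG), "ra": bool(flags & RA_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(hdr: dict) -> str:
    """'closed' when recursion is refused or unavailable, 'open' when it answered."""
    if hdr["rcode"] == RCODE_REFUSED or not hdr["ra"]:
        return "closed"
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "open"
    return "inconclusive"


def probe(server: str, name: str = "www.google.com", timeout: float = 3.0) -> str:
    """Send one query to `server` (your own resolver) and classify the reply. Network I/O."""
    txid = 0x4B1D
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        return "inconclusive"  # not a reply to our question
    return classify(hdr)


# Constructed reply header mirroring the dig output in the thread:
# flags qr rd (no ra), NOERROR, QUERY 1, ANSWER 0, AUTHORITY 13, ADDITIONAL 1.
CLOSED_REPLY = struct.pack(">HHHHHH", 27653, QR_FLAG | RD_FLAG, 1, 0, 13, 1)
# Constructed reply an open resolver would give: qr rd ra, NOERROR, one answer.
OPEN_REPLY = struct.pack(">HHHHHH", 27653, QR_FLAG | RD_FLAG | RA_FLAG, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. python check_resolver.py <your Linode's IP>
    else:
        print(classify(parse_header(CLOSED_REPLY)), classify(parse_header(OPEN_REPLY)))
```

A `closed` result after `allow-recursion { localhost; };` is what you want to see from any address other than the machine itself; running the same probe against 127.0.0.1 on the server should still come back `open`, which confirms local lookups keep working.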
I'll look over the recommendations in:
RFC5358: Preventing Use of Recursive Nameservers in Reflector Attacks
If by the end of 2012, I still can't come up with a more elegant solution, might just restrict service to a whitelist-only basis… or some other suggestion from this thread.
… Will have to wait until later though, I'm going to bed for the night.