HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)
-   -   Open DNS server (http://www.howtoforge.com/forums/showthread.php?t=2938)

jeanjacquesjeanjacques 6th March 2006 23:42

Open DNS server
 
Hello,

I'm a bit terrorized because i've just made a dns report on one of the domains hosted on my dns server and i received this warning: ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server xxx.xxx.xxx.xxx reports that it will do recursive lookups.

I understand that this is really bad but i really don't know how to debug and arrange this situation ?
Does it mean that my server had been hacked ?

Thank you for helping me.

lerra 7th March 2006 01:07

This means that your dns server is an openresolver and coud have been in use of a ddos attack against others by sending spoofed querys to u and your server woud send them to the attacker.

add this

allow-recursion {
localhost;
};

in the option part in named.conf

till 7th March 2006 07:41

Please add this line to /root/ispconfig/isp/conf/named.conf.master too, otherwise ISPConfig will remove the lines from your named.conf when you save the next DNS records.

jeanjacquesjeanjacques 7th March 2006 09:51

Many thanks
 
Hello,

Thank you very much for your help, it's ok now.
I would like to know if the cause of this open dns could be because of an error in creating the dns records of a new website hosted on my server ?
What kind of tools could i use to make an efficient rootkit detection on my debian server `? i've already used chkrootkit but i have the feeling that it's not enough, any advice ?

falko 7th March 2006 10:04

Quote:

Originally Posted by jeanjacquesjeanjacques
I would like to know if the cause of this open dns could be because of an error in creating the dns records of a new website hosted on my server ?

No, no error, it was simply because you didn't have those lines in your named.conf.

Quote:

Originally Posted by jeanjacquesjeanjacques
What kind of tools could i use to make an efficient rootkit detection on my debian server `? i've already used chkrootkit but i have the feeling that it's not enough, any advice ?

Take a look here:
http://www.howtoforge.com/faq/1_38_en.html

hairydog2 8th March 2006 00:32

Quote:

Originally Posted by jeanjacquesjeanjacques
Does it mean that my server had been hacked ?

I don't think that this is from your server being hacked.

As far as I know, it is how ISPConfig always set up, but www.dnsreport.com has started to report on open DNS servers.

I may be wrong, but I don't think it is much to worry about. Just add the line to fix it.


All times are GMT +2. The time now is 21:44.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.