Navigation

jeanjacquesjeanjacques · #1 6th March 2006, 23:42

Hello,

I'm a bit terrorized because i've just made a dns report on one of the domains hosted on my dns server and i received this warning: ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server xxx.xxx.xxx.xxx reports that it will do recursive lookups.

I understand that this is really bad but i really don't know how to debug and arrange this situation ?
Does it mean that my server had been hacked ?

Thank you for helping me.

lerra · #2 7th March 2006, 01:07

This means that your dns server is an openresolver and coud have been in use of a ddos attack against others by sending spoofed querys to u and your server woud send them to the attacker.

add this

allow-recursion {
localhost;
};

in the option part in named.conf

till · #3 7th March 2006, 07:41

Please add this line to /root/ispconfig/isp/conf/named.conf.master too, otherwise ISPConfig will remove the lines from your named.conf when you save the next DNS records.

jeanjacquesjeanjacques · #4 7th March 2006, 09:51

Hello,

Thank you very much for your help, it's ok now.
I would like to know if the cause of this open dns could be because of an error in creating the dns records of a new website hosted on my server ?
What kind of tools could i use to make an efficient rootkit detection on my debian server `? i've already used chkrootkit but i have the feeling that it's not enough, any advice ?

falko · #5 7th March 2006, 10:04

Quote:

Originally Posted by jeanjacquesjeanjacques

I would like to know if the cause of this open dns could be because of an error in creating the dns records of a new website hosted on my server ?

No, no error, it was simply because you didn't have those lines in your named.conf.

Quote:

Originally Posted by jeanjacquesjeanjacques

What kind of tools could i use to make an efficient rootkit detection on my debian server `? i've already used chkrootkit but i have the feeling that it's not enough, any advice ?

Take a look here:
http://www.howtoforge.com/faq/1_38_en.html

hairydog2 · #6 8th March 2006, 00:32

Quote:

Originally Posted by jeanjacquesjeanjacques

Does it mean that my server had been hacked ?

I don't think that this is from your server being hacked.

As far as I know, it is how ISPConfig always set up, but www.dnsreport.com has started to report on open DNS servers.

I may be wrong, but I don't think it is much to worry about. Just add the line to fix it.

Navigation

Facebook

News

Recent comments

Newsletter