Closing open DNS
ispCP - Board - Support (http://www.isp-control.net/forum)
Forum: ispCP Omega Development Area, Suggestions

Closing open DNS - mjk - 05-11-2007 11:57 AM

I have noticed that the default setup for bind under VHCS allows it to be used as an open DNS. I have only just discovered how bad this is (think open SMTP relay). So it would be good if ispCP worked to prevent open DNS.

RE: Closing open DNS - joximu - 05-11-2007 04:49 PM

Is it also in ispCP?

RE: Closing open DNS - BioALIEN - 05-12-2007 12:12 AM

As joximu said, can you please confirm this is also the case with ispCP?

RE: Closing open DNS - mjk - 05-12-2007 05:53 AM

I have not installed ispCP yet as I am waiting on the stable release to install it and upgrade my VHCS installs. dnsreport.com will report it. Perhaps someone that does have ispCP installed could run the report?

RE: Closing open DNS - joximu - 05-12-2007 06:05 AM

Open DNS means: you can ask this server about domain names which it isn't responsible for. This seems to be enabled in ispCP. But it should be only a little option in bind9.

/Joximu

RE: Closing open DNS - ephigenie - 05-12-2007 06:16 AM

Yeah, this can be done via ACLs.

RE: Closing open DNS - raphael - 05-12-2007 06:35 AM

A simple recursion no; in the options {} section of the bind config file will do the trick.

RE: Closing open DNS - ephigenie - 05-12-2007 06:56 AM

Yeah, but that's not a good idea, because then your local server is not able to answer queries to the server itself (beyond the authoritative zones). But that's often a must because ISPs' DNS servers are sometimes quite unreliable. I'd recommend putting this into your named.conf.options

Code:
acl local {

and use the ISP's/provider's DNS as forwarders if needed.

RE: Closing open DNS - raphael - 05-12-2007 07:09 AM

I'm wondering what would happen if a server makes use of opendns...

RE: Closing open DNS - ephigenie - 05-12-2007 07:23 AM

Yeah, I too - but that question can be left to the people at dnsreport.com - I cannot find anything bad in that at all.
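
The two approaches debated in this thread, side by side, as an added example that is not taken from any post and is not ispCP's shipped configuration. The ACL name trusted_clients and all addresses are assumptions (documentation-range placeholders) to be replaced with your own values.

```bind
// Added example for named.conf.options. Not from the thread.
// ACL name and addresses below are constructed placeholders.

// Variant A: authoritative-only server (the "recursion no;" suggestion).
// Zones hosted here are still answered for everyone, but the server will
// not resolve any other name, not even for itself.
//
// options {
//     recursion no;
// };

// Variant B: keep recursion, but only for clients you trust (the ACL
// suggestion). Everyone else still gets answers for the zones this
// server is authoritative for, and is refused for anything else.
acl trusted_clients {
    127.0.0.1;        // the server itself
    192.0.2.0/24;     // placeholder: your own network(s)
};

options {
    recursion yes;
    allow-recursion { trusted_clients; };

    // Optional: pass recursive lookups to the provider's resolvers
    // instead of walking the DNS tree from the root servers.
    forwarders {
        198.51.100.53;    // placeholder: provider resolver address
    };
};
```

After reloading named, a query from an address outside the ACL for a name the server does not host should no longer be resolved, while queries for hosted zones keep working.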