ispCP - Board - Support
Closing open DNS - Printable Version



RE: Closing open DNS - mjk - 05-12-2007 02:40 PM

raphael Wrote: I'm wondering what would happen if a server makes use of opendns...

Think of it as you would an open mail relay. It's potentially very bad and can lead to your DNS server being blacklisted for SPAM that does not actually originate from your network. Cache poisoning is also a problem with open DNS.


RE: Closing open DNS - mjk - 05-12-2007 02:41 PM

ephigenie Wrote: Yeah, but that's not a good idea, because then your local server is not able to answer queries to the server itself (beyond the authoritative zones). But that's often a must because ISPs' DNS servers are sometimes quite unreliable.

I'd recommend putting this into your named.conf.options
Code:
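// The acl statement goes at the top level, outside the options { } block.
acl local {
        127.0.0.1;
        <your-ip>;
};

// allow-recursion goes inside the options { } block.
allow-recursion { local; };

and use the ISP's/provider's DNS as forwarders if needed.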

Bingo. If ispCP could include this type of setting by default, that would be awesome.


RE: Closing open DNS - joximu - 05-12-2007 05:34 PM

Hi mjk

Can you describe for us an example of cache poisoning or the danger of open DNS in relation to spam?


RE: Closing open DNS - raphael - 05-13-2007 02:09 AM

lol, I was talking about opendns.com


RE: Closing open DNS - raphael - 05-13-2007 02:13 AM

Answering my own question...
http://www.opendns.com/faq/#mail_server
http://www.opendns.com/start/forwarding.php


RE: Closing open DNS - ephigenie - 05-13-2007 03:05 AM

In my very personal understanding I see no point in supporting opendns right away (not on servers), but maybe I'm all alone with that feeling.

It looks to me like a "gimmick", nothing more.

The DNS system is very important and everyone should carefully take a look at which DNS servers are used as forwarders and which not.


RE: Closing open DNS - mjk - 05-13-2007 07:31 AM

joximu Wrote: Hi mjk

Can you describe for us an example of cache poisoning or the danger of open DNS in relation to spam?

http://www.webmasterworld.com/forum23/4488.htm

The above forum discussion is probably the best I have seen. The guys from dnsreport.com also post in the discussion.

Google provides an amazing amount of information.


RE: Closing open DNS - joximu - 05-13-2007 08:39 AM

Ok, here's a description from dnsreport:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.


RE: Closing open DNS - raphael - 05-13-2007 09:35 AM

ephigenie Wrote: In my very personal understanding I see no point in supporting opendns right away (not on servers), but maybe I'm all alone with that feeling.

It looks to me like a "gimmick", nothing more.

The DNS system is very important and everyone should carefully take a look at which DNS servers are used as forwarders and which not.

As I said... just wondering.


RE: Closing open DNS - NetVista - 06-07-2007 04:07 AM

Usually the only thing that is bad is that it will eat up resources while trying to resolve other domains. You will find a lot of entries in the logs like this: "Lame server tries to resolve IP". If you can live with that and the red spot on dnsreport then leave it alone. Else, fix it like ephigenie wrote above.
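

Added example (not part of any post in this thread, and not ispCP or dnsreport code): the "open DNS server" check described in the dnsreport text above comes down to sending a query with the RD (recursion desired) bit set for a name the server is not authoritative for, then reading the RA (recursion available) flag and the answer count in the reply header. The function names and the two sample reply headers below are constructed for illustration.

```python
import socket
import struct

RD = 0x0100  # recursion desired, set by the client
RA = 0x0080  # recursion available, set by the server
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """A/IN query with RD set; use a name the server is NOT authoritative for."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid=0x1234):
    """Classify a reply to build_query() from the 12-byte DNS header alone."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set in a response
        raise ValueError("not a response to our query")
    rcode, ra = flags & 0x000F, bool(flags & RA)
    if ra and rcode == 0 and an > 0:
        verdict = "open"          # recursed for a client outside the acl
    elif ra:
        verdict = "advertises"    # RA set but no answer returned
    else:
        verdict = "closed"        # recursion not offered to this client
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": an, "verdict": verdict}

def probe(server, name="example.com", timeout=3.0):
    """Query your own nameserver from a host that is not in the acl."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

# Constructed sample headers (not captured traffic):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR|RD|RA, 1 answer
CLOSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR|RD, REFUSED

if __name__ == "__main__":
    for label, pkt in (("before fix", OPEN_REPLY), ("after fix", CLOSED_REPLY)):
        print(label, classify(pkt))
```

Run probe() against your own nameserver from a host that is not listed in the acl; once allow-recursion is restricted as in ephigenie's snippet, the verdict should no longer be "open".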