Closing open DNS
Author Message
mjk Offline
Junior Member
*

Posts: 14
Joined: May 2007
Reputation: 0
Post: #11
RE: Closing open DNS
raphael Wrote:I'm wondering what would happen if a server makes use of opendns... Tongue

Think of it as you would an open mail relay. It's potentially very bad and can lead to your DNS server being blacklisted for SPAM that does not actually originate from your network. Cache poisoning is also a problem with open DNS.
05-12-2007 02:40 PM
mjk Offline
Junior Member
*

Posts: 14
Joined: May 2007
Reputation: 0
Post: #12
RE: Closing open DNS
ephigenie Wrote: yeah but that's not a good idea - because then your local server is not able to answer queries to the server itself (beyond the authoritative zones). But that's often a must because ISPs' DNS servers are sometimes quite unreliable.

I'd recommend putting this into your named.conf.options
Code:
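// clients that may use this server as a recursive resolver
acl local {
        127.0.0.1;
        <your-ip>;
};

// allow-recursion belongs inside the options { ... } block
allow-recursion { local; };

and use the ISP's/provider's DNS as forwarders if needed.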

Bingo. If ispCP could include this type of setting by default, that would be awesome.
05-12-2007 02:41 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #13
RE: Closing open DNS
Hi mjk

Can you describe for us an example of cache poisoning or the danger of open DNS in relation to spam?
05-12-2007 05:34 PM
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #14
RE: Closing open DNS
lol, I was talking about opendns.com
05-13-2007 02:09 AM
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #15
RE: Closing open DNS
Answering my own question...
http://www.opendns.com/faq/#mail_server
http://www.opendns.com/start/forwarding.php
05-13-2007 02:13 AM
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #16
RE: Closing open DNS
In my very personal understanding I see no point to support opendns right away - (not on servers) but maybe I'm all alone with that feeling.

It looks to me like a "gimmick" nothing more.

The DNS system is very important and everyone should carefully take a look at which DNS servers are used as forwarders and which are not.
05-13-2007 03:05 AM
mjk Offline
Junior Member
*

Posts: 14
Joined: May 2007
Reputation: 0
Post: #17
RE: Closing open DNS
joximu Wrote: Hi mjk

Can you describe for us an example of cache poisoning or the danger of open DNS in relation to spam?

http://www.webmasterworld.com/forum23/4488.htm

The above forum discussion is probably the best I have seen. The guys from dnsreport.com also post in the discussion.

Google provides an amazing amount of information.
05-13-2007 07:31 AM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #18
RE: Closing open DNS
Ok, here's a description from dnsreport:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.
05-13-2007 08:39 AM
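The check that the dnsreport text in post #18 describes, as an added example that is not part of the thread: send a query with the RD bit set for a name the server is not authoritative for, then separate a server that merely advertises recursion (RA flag) from one that actually recursed and answered. The function names, the sample headers and the result strings are assumptions made for this illustration; `probe` is meant to be run against your own nameserver from an address outside the `local` ACL.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply):
    """Classify the reply to a query for a name the server is NOT authoritative for."""
    if len(reply) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:            # QR clear: this is not a response
        return "malformed"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:                    # REFUSED: the server declined the query
        return "closed: refused"
    if ra and rcode == 0 and ancount > 0:
        return "open: recursed and answered"
    if ra:                            # RA advertised, but no answer came back
        return "advertises recursion only"
    return "closed: no recursion offered"

def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you run, from an address outside the ACL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply"
    return classify(reply)

def _reply(flags, ancount):
    """Constructed 12-byte reply header for offline checks (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {
    "open": _reply(0x8180, 1),         # QR|RD|RA, NOERROR, one answer
    "advertises": _reply(0x8180, 0),   # QR|RD|RA, NOERROR, no answer
    "refused": _reply(0x8105, 0),      # QR|RD, REFUSED
    "referral": _reply(0x8100, 0),     # QR|RD, RA clear, no answer
}
```
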
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #19
RE: Closing open DNS
ephigenie Wrote: In my very personal understanding I see no point to support opendns right away - (not on servers) but maybe I'm all alone with that feeling.

It looks to me like a "gimmick" nothing more.

The DNS system is very important and everyone should carefully take a look at which DNS servers are used as forwarders and which are not.

as I said... just wondering Big Grin
05-13-2007 09:35 AM
NetVista Offline
Newbie
*

Posts: 7
Joined: Oct 2006
Reputation: 1
Post: #20
RE: Closing open DNS
Usually the only thing that is bad is that it will eat up resources while trying to resolve other domains. You will find a lot of entries in the logs like this "Lame server tries to resolve IP". If you can live with that and the red spot on dnsreport then leave it alone. Else.. fix it like ephigenie wrote above.
06-07-2007 04:07 AM