Securing DNS server

Discussion in 'Tips/Tricks/Mods' started by androme, Jun 3, 2007.

  1. androme

    androme New Member

    Securing and standardizing the DNS server

    Open DNS servers

    By default the DNS server is open.
    "Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers)."
    http://www.dnsreport.com/

    So we have to edit "/root/ispconfig/isp/conf/named.conf.master" and add in the options section:
    Code:
     allow-recursion {
            localhost;
            };
    Before:
    Code:
    options {
            pid-file "/var/run/bind/run/named.pid";
            directory "{BINDDIR}";
            auth-nxdomain no;
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
    };
    and after:
    Code:
    options {
            pid-file "/var/run/bind/run/named.pid";
            directory "{BINDDIR}";
            auth-nxdomain no;
            allow-recursion {
            localhost;
            };
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
    };
    then do a:
    Code:
    cp /root/ispconfig/isp/conf/named.conf.master /root/ispconfig/isp/conf/customized_templates/
    
    I'm working on other DNS server issues; I'll put them here when I solve them.
     
    Last edited: Jun 8, 2007
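The edit above is done by hand on the ISPConfig template, and the thread shows how easily it is lost when the template is regenerated. The following script is an added example (not part of this howto or of ISPConfig) that makes the same change idempotently: it finds the `options { ... }` block, ignores commented-out directives and brace characters inside comments or quoted strings, and inserts an `allow-recursion` stanza only if a live one is not already there. The embedded `SAMPLE_NAMED_CONF` is a constructed copy of the "before" block from this post; the file path argument and the `allowed` parameter are the script's own assumptions.

```python
import re
import sys

# Constructed sample: the "before" options block from the howto.
SAMPLE_NAMED_CONF = """options {
        pid-file "/var/run/bind/run/named.pid";
        directory "{BINDDIR}";
        auth-nxdomain no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.
         */
        // query-source address * port 53;
};
"""


def _options_block_span(text):
    """Return (index of '{', index of matching '}') for the options block, or None.

    Braces inside /* */ and // or # comments and inside "quoted" strings are
    skipped so that they cannot unbalance the scan.
    """
    m = re.search(r'(?m)^\s*options\s*\{', text)
    if not m:
        return None
    start = m.end() - 1
    depth = 0
    i, n = start, len(text)
    while i < n:
        two = text[i:i + 2]
        if two == '/*':
            end = text.find('*/', i + 2)
            i = n if end == -1 else end + 2
            continue
        if two == '//' or text[i] == '#':
            end = text.find('\n', i)
            i = n if end == -1 else end
            continue
        if text[i] == '"':
            end = text.find('"', i + 1)
            i = n if end == -1 else end + 1
            continue
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return start, i
        i += 1
    return None


def has_allow_recursion(text):
    """True if the options block contains a live (not commented-out) allow-recursion."""
    span = _options_block_span(text)
    if span is None:
        return False
    body = text[span[0] + 1:span[1]]
    body = re.sub(r'/\*.*?\*/', '', body, flags=re.S)   # drop block comments
    body = re.sub(r'(?m)(//|#).*$', '', body)            # drop line comments
    return re.search(r'\ballow-recursion\s*\{', body) is not None


def add_allow_recursion(text, allowed=("localhost",)):
    """Insert an allow-recursion stanza at the top of the options block, once."""
    if has_allow_recursion(text):
        return text
    span = _options_block_span(text)
    if span is None:
        raise ValueError("no options { ... } block found")
    line_end = text.find('\n', span[0])
    if line_end == -1:
        line_end = len(text)
    # Reuse the indentation of the first statement inside the block.
    rest = text[line_end + 1:span[1]]
    indent = re.match(r'[ \t]*', rest).group(0) if rest.strip() else '        '
    stanza = (indent + 'allow-recursion {\n'
              + ''.join(f'{indent}        {a};\n' for a in allowed)
              + indent + '};\n')
    return text[:line_end + 1] + stanza + text[line_end + 1:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed usage: patch the template file given on the command line in place.
        path = sys.argv[1]
        with open(path) as f:
            original = f.read()
        with open(path, 'w') as f:
            f.write(add_allow_recursion(original))
    else:
        print(add_allow_recursion(SAMPLE_NAMED_CONF))
```

Run it without arguments to see the patched sample, or pass the template path (and then copy the template to `customized_templates/` as the howto says). Because the check runs on the live options block only, a line such as `// allow-recursion { any; };` does not count as a restriction, and running the script twice leaves the file unchanged.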
  2. mccharlet

    mccharlet Member HowtoForge Supporter

  3. edge

    edge Active Member Moderator

    It's (maybe) better to use
    Code:
     allow-recursion {
            localhost;
            };
    This way the server itself can still access it.
     
  4. androme

    androme New Member

    OK, I have modified the howto, thank you :)
     
  5. the_spy

    the_spy New Member

    You are in the ISPConfig section here, and your modification is not exactly applicable like this, since ISPConfig regenerates the named.conf file each time a domain name is added.

    In fact, the named.conf template needs to be modified:
    /root/ispconfig/isp/conf/named.conf.master
    and the new named.conf.master copied to /root/ispconfig/isp/conf/customized_templates after the modification.
     
  6. androme

    androme New Member

    So maybe this has to be included in the next version of ISPConfig?
     
  7. edge

    edge Active Member Moderator

    Some people like to share the DNS with other people (like me).
    You could add the IPs of the users to the "allow-recursion", but some of my users do not have static IPs.

    What you are asking (and your "fix") has been discussed on this forum already several times.
     
    Last edited: Jun 4, 2007
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No, we do not plan to change this. As edge mentioned, this has been discussed already several times in the forum.

    No, it does not mean that everybody can add his own DNS entries on your server. It just means that others may use your server to resolve names, not to add zones.
     
  9. Uno

    Uno Member

    I have used this howto.
    It works, the test on dnsreport is OK.... thanks, but when I modify something from ISPConfig on DNS, for example adding a new website, the row with
    Code:
    allow-recursion {
    localhost;
    };
    disappears. Is there a possible remedy?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    The howto is not complete as it did not add the patch to the master template. You will have to patch the file /root/ispconfig/isp/conf/named.conf.master too.
     
  11. androme

    androme New Member

    Yes, look at this:
     
  12. TexasTaz

    TexasTaz New Member

    Re: Securing the DNS Server

    Hey Everyone,

    I have a question. I just did all those steps mentioned, yet when I do a DNS report on my server it is still marked as Open DNS. How do I restart the service for it to run properly?

    I have restarted ISPConfig via /etc/init.d/ispconfig_server restart

    What else do I need to restart for this to take effect?

    Thanks,
     
  13. edge

    edge Active Member Moderator

    You do not need to restart ISPConfig.

    All you need to do is make a small change to a DNS setting in ISPConfig.
    ISPConfig will then regenerate the new DNS files.

    When done, undo the small change (if needed).
     
  14. TexasTaz

    TexasTaz New Member

    Yup, that did the trick, thanks.
     
  15. wildgoosed

    wildgoosed New Member

    Why not provide an option in the DNS manager for disabling/enabling recursion?

    I think that's a fair request.
     