Hello, I'm a bit terrorized because i've just made a dns report on one of the domains hosted on my dns server and i received this warning: ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are: Server xxx.xxx.xxx.xxx reports that it will do recursive lookups. I understand that this is really bad but i really don't know how to debug and arrange this situation ? Does it mean that my server had been hacked ? Thank you for helping me.
This means that your dns server is an openresolver and coud have been in use of a ddos attack against others by sending spoofed querys to u and your server woud send them to the attacker. add this allow-recursion { localhost; }; in the option part in named.conf
Please add this line to /root/ispconfig/isp/conf/named.conf.master too, otherwise ISPConfig will remove the lines from your named.conf when you save the next DNS records.
Many thanks Hello, Thank you very much for your help, it's ok now. I would like to know if the cause of this open dns could be because of an error in creating the dns records of a new website hosted on my server ? What kind of tools could i use to make an efficient rootkit detection on my debian server `? i've already used chkrootkit but i have the feeling that it's not enough, any advice ?
No, no error, it was simply because you didn't have those lines in your named.conf. Take a look here: http://www.howtoforge.com/faq/1_38_en.html
I don't think that this is from your server being hacked. As far as I know, it is how ISPConfig always set up, but www.dnsreport.com has started to report on open DNS servers. I may be wrong, but I don't think it is much to worry about. Just add the line to fix it.
