WebHostGear.com, March 12, 2010

Close Open DNS Servers



By: ramprage

For those of you who check your nameservers and other DNS related issues using the popular site dnsreport, you're probably seeing "FAIL Open DNS Servers". We'll show you how to fix named to close open DNS servers.

How do I check my system?
Go to www.dnsreport.com and enter your domain name, eg webhostgear.com

You’re safe if you see:
PASS Open DNS servers

You need to follow this tutorial if you see:
FAIL Open DNS servers

Closing Open DNS Servers Tutorial

1) Login to your server and su to root.

2) Edit the /etc/named.conf file, for example:

# vi /etc/named.conf

Look for:

key "rndckey" {
};

After this block add the following, replacing mainIP and secondaryIP with the IP addresses of your system's nameservers.

acl "trusted" {
mainIP;secondaryIP;127.0.0.1;
};

3) After that's done, add the statements that allow only the trusted acl to use certain functions. Check your options section and make sure you add the following:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };


So the final result looks something like:

options {
        directory "/var/named";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

4) Save the changes and restart the named service:

# service named restart

5) Recheck your site at dnsreport.com; you should be good!
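An added way to confirm the result from your own host, independent of dnsreport (example code written for this page, not from the original article): the script sends a recursive query for a name your server is not authoritative for and reports whether the RA (recursion available) flag comes back set. It assumes you run it from a machine outside your trusted acl against your nameserver's IP; example.com is just a constructed placeholder query name.

```python
import socket
import struct

# Constructed test name: any domain your nameserver does NOT host.
TARGET_NAME = "example.com"


def build_query(qname, query_id=0x1234):
    """Build a minimal DNS A query with the RD (recursion desired) bit set."""
    flags = 0x0100  # QR=0, opcode=0 (standard query), RD=1
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    # Encode the name as length-prefixed labels ending in a zero byte.
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_flags(response):
    """Return (ra_set, rcode) from the 12-byte DNS header of a response."""
    if len(response) < 12:
        raise ValueError("response too short for a DNS header")
    _, flags = struct.unpack("!HH", response[:4])
    ra_set = bool(flags & 0x0080)  # RA bit: server offers recursion to us
    rcode = flags & 0x000F         # 0 = NOERROR, 5 = REFUSED
    return ra_set, rcode


def offers_recursion(server_ip, qname=TARGET_NAME, timeout=3.0):
    """Query server_ip over UDP/53 and report whether it advertised RA.

    True means the server still acts as an open resolver for this client;
    after the allow-recursion / recursion no fix it should return False.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    ra_set, _rcode = parse_flags(data)
    return ra_set


if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(ip, "still offers recursion" if offers_recursion(ip) else "recursion closed")
```

The equivalent manual check is `dig @your.ns.ip example.com A` and looking for `ra` in the flags line; running it from 127.0.0.1 will always show recursion because localhost is in the trusted acl.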

Cheers

Steve


Comments / Feedback

Jen
If you have multiple servers running off the same DNS, make sure that you put all those server IPs in the trusted area if they are resolving through that DNS:

acl "trusted" {
mainIP;secondaryIP;firstserverip;secondserverip;127.0.0.1;
};


Otherwise, great tutorial.
zac
actually all you need to do is this:

options {
recursion no;
};

Rajesh
I did as per the instructions but the "Open DNS Servers" check still shows FAIL. Please let me know what else is to be done.
Andrew
The above breaks Bind on a VPS
Rajesh
I did as mentioned above but the "Open DNS Servers" check still shows FAIL in the DNS stuff.
dew
really
alan
this worked as-is for me
valtea
My server has

root@server [/etc]# cat named.conf
include "/etc/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};
So where do I add
acl "trusted" {
mainIP;secondaryIP;127.0.0.1;
};
Will it be on the same line with the keys after "rndckey";
or
"rndckey"; };
};
Ryan
Did anyone come up with an answer for valtea or does anyone know? I have been researching until I am blue in the face.
Dan
Got the same problem as valtea!
Kyle
Same problem as above!
Steve
Add it after the controls section.

EG:
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

Add it here
Nick
Thanks, this tutorial worked great!
Spock
Steve, I tried adding it after controls, but I receive this error:

Stopping named: [ OK ]
Starting named: /etc/named.conf:17: missing ';' before '}'
/etc/named.conf:18: missing ';' before '}'
/etc/named.conf:19: missing ';' before '}'

Jul 10 04:12:50.694 starting BIND 9.2.4 -g
Jul 10 04:12:50.717 using 1 CPU
Jul 10 04:12:50.722 loading configuration from '/etc/named.conf'
Jul 10 04:12:50.723 /etc/named.conf:1: open: /etc/rndc.key: permission denied
Jul 10 04:12:50.723 loading configuration: permission denied
Jul 10 04:12:50.723 exiting (due to fatal error)
Error in configuration file /etc/named.conf : [FAILED]

===================
Here are the first lines of my named.conf:

include "/etc/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

acl "trusted" {
ip1;ip2;ip3;ip4;ip5;127.0.0.1;
};

//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
allow-recursion { trusted };
allow-notify { trusted };
allow-transfer { trusted };
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
version "surely ye jest?";
};
===================
Suggestions?
Spock
Solved it! I just missed the ";" after the words trusted inside allow-recursion { trusted; }; etc.
Andrew
How long does it take dnsreport.com to update this info after you make changes?
Hussein
Like Zac above noted.
All you need to do is add a line in the options section that looks like this:

recursion no;

This should close your server.

If you need to harden and secure Bind even more, you can have a look at this site:

http://www.cymru.com/Documents/secure-bind-template.html

You need to be careful, and back up your named.conf file before testing, but this is a complete secured Bind template.

Cheers
Ricardo
I did all these things, but the problem I have is that my clients then stop receiving emails and are not able to send either. I have added all the IPs of the server plus 127.0.0.1... any ideas?
G
Thanks, worked a treat.