Well, if your company runs the DNS for your website on those servers and you block outside IPs from querying from, no one on the internet will be able to go to your website. :)
Overall, I do not think it is a big problem, unless someone is pointing massive amounts of traffic to your DNS servers. DNS traffic is usually very small UDP packets (I think like less than 512 bytes). If it goes over that, it uses TCP. But generally, I think to go over 512 bytes in one request would mean a zone transfer attempt (bad). So, IMO: Leave it open and monitor traffic. Potentially block TCP to prevent zone transfers. - James -----Original Message----- From: Ted Knab [mailto:[EMAIL PROTECTED] On Behalf Of Thedore Knab Sent: Saturday, November 03, 2001 1:57 PM To: debian-isp@lists.debian.org Subject: nameservers open to world - with test output It has recently came to my attention that anyone can use our company's nameservers. I recently setup my home machine to use the company's nameserver to confirm this. I was wondering if there was anyway to prevent people from using our company's NS for their personal servers ? Would the extra traffic generated cause any problems on our network that I may not be aware of ? ------------------------------------------------ Test Confirmation that our NS is open to world: | ------------------------------------------------ ----------------------- Step one: lookup name | ----------------------- mylinux machine$ whois ourdomain.com Whois Server Version 1.3 Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: ournameserver.com Registrar: NETWORK SOLUTIONS, INC. Whois Server: whois.networksolutions.com Referral URL: http://www.networksolutions.com Name Server: NS1.ournameserver.net Name Server: NS2.ournameserver.net Updated Date: 27-oct-2001 ---------------------------------------------------- Step two: change /etc/resolv.conf to the following | ---------------------------------------------------- search ournameserver.com nameserver 123.123.123.123 # nameserver1 nameserver 123.123.123.134 # nameserver2 ------------------------- Step three: sample run | ------------------------- mylinux machine$ nslookup www.debian.org Server: ournameserver.com Address: 123.123.123.123 Non-authoritative answer: Name: www.debian.org Address: 198.186.203.20 mylinux machine$ ---------------------- GNU PGP public key http://www.annapolislinux.org/docs/public_key/GnuPG.txt --------------------- Ted Knab -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]