Re: nameservers open to world - with test output

2001-11-04 Thread Russell Coker

On Sat, 3 Nov 2001 23:02, James wrote:
 Well, if your company runs the DNS for your website on those servers and
 you block outside IPs from querying, no one on the internet will be
 able to go to your website.  :)

 Overall, I do not think it is a big problem, unless someone is pointing
 massive amounts of traffic to your DNS servers.  DNS traffic is usually
 very small UDP packets (I think like less than 512 bytes).  If it goes
 over that, it uses TCP.

I agree.  So I don't generally turn off the recursion function for public 
name servers even though it's easy to do.  Sometimes being able to do such 
recursive lookups from outside the network helps debugging network problems; 
something that saves an hour of my time will save the client more money than 
a year of bandwidth costs for DNS.

 But generally, I think to go over 512 bytes in one request would mean a
 zone transfer attempt (bad).

That is a matter of opinion.

When it's my choice I generally allow zone transfers.  Preventing zone 
transfers is just security by obscurity and doesn't gain much.  Allowing them 
allows smarter customers to give more detailed bug reports which can save 
time and money.

-- 
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/   Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

nameservers open to world - with test output

2001-11-03 Thread Thedore Knab

It has recently come to my attention that anyone can use our company's nameservers.

I recently set up my home machine to use the company's nameserver to confirm this.

I was wondering if there was any way to prevent people from using our company's NS for
their personal servers?

Would the extra traffic generated cause any problems on our network that I may not be
aware of?


Test confirmation that our NS is open to the world:

Step one: look up the name

mylinux machine$ whois ourdomain.com
Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: ournameserver.com
 Registrar: NETWORK SOLUTIONS, INC.
 Whois Server: whois.networksolutions.com
 Referral URL: http://www.networksolutions.com
 Name Server: NS1.ournameserver.net
 Name Server: NS2.ournameserver.net
 Updated Date: 27-oct-2001


Step two: change /etc/resolv.conf to the following


search ournameserver.com
nameserver 123.123.123.123 # nameserver1
nameserver 123.123.123.134 # nameserver2

Step three: sample run

mylinux machine$ nslookup www.debian.org

Server: ournameserver.com
Address: 123.123.123.123

Non-authoritative answer:
Name:   www.debian.org
Address: 198.186.203.20

mylinux machine$ 

--
GNU PGP public key
http://www.annapolislinux.org/docs/public_key/GnuPG.txt
-
Ted Knab






Re: nameservers open to world - with test output

2001-11-03 Thread Martin 'pisi' Paljak

Hello!

You can reconfigure BIND so that it only answers requests from your
company's network, if recursive resolving is what you mean. I suggest
you use D. J. Bernstein's djbdns. It's small, fast, reliable and
secure. Check it out: cr.yp.to/djbdns.html
I use it myself and suggest it to others also. You will save yourself
some time if you use djbdns. It's way simpler to manage tinydns data
files than it is to mess around with BIND zone files.

-- 
Martin 'pisi' Paljak / freelancer consultant
[EMAIL PROTECTED] / pisi.pisitek.com
www.pisitek.com


On Sat, 3 Nov 2001, Thedore Knab wrote:

 It has recently come to my attention that anyone can use our company's nameservers.

 I recently set up my home machine to use the company's nameserver to confirm this.

 I was wondering if there was any way to prevent people from using our company's NS
 for their personal servers?

 Would the extra traffic generated cause any problems on our network that I may not
 be aware of?

 
 Test confirmation that our NS is open to the world:

 Step one: look up the name

 mylinux machine$ whois ourdomain.com
 Whois Server Version 1.3

 Domain names in the .com, .net, and .org domains can now be registered
 with many different competing registrars. Go to http://www.internic.net
 for detailed information.

  Domain Name: ournameserver.com
  Registrar: NETWORK SOLUTIONS, INC.
  Whois Server: whois.networksolutions.com
  Referral URL: http://www.networksolutions.com
  Name Server: NS1.ournameserver.net
  Name Server: NS2.ournameserver.net
  Updated Date: 27-oct-2001

 
 Step two: change /etc/resolv.conf to the following
 

 search ournameserver.com
 nameserver 123.123.123.123 # nameserver1
 nameserver 123.123.123.134 # nameserver2

 Step three: sample run

 mylinux machine$ nslookup www.debian.org

 Server: ournameserver.com
 Address: 123.123.123.123

 Non-authoritative answer:
 Name:   www.debian.org
 Address: 198.186.203.20

 mylinux machine$

 --
 GNU PGP public key
 http://www.annapolislinux.org/docs/public_key/GnuPG.txt
 -
 Ted Knab






Re: nameservers open to world - with test output

2001-11-03 Thread Nick Jennings

You could always firewall out port 53 on your external interface.

On Sat, Nov 03, 2001 at 01:56:34PM -0500, Thedore Knab wrote:
 It has recently come to my attention that anyone can use our company's nameservers.

 I recently set up my home machine to use the company's nameserver to confirm this.

 I was wondering if there was any way to prevent people from using our company's NS
 for their personal servers?

 Would the extra traffic generated cause any problems on our network that I may not
 be aware of?
 
 
 Test confirmation that our NS is open to the world:

 Step one: look up the name
 
 mylinux machine$ whois ourdomain.com
 Whois Server Version 1.3
 
 Domain names in the .com, .net, and .org domains can now be registered
 with many different competing registrars. Go to http://www.internic.net
 for detailed information.
 
  Domain Name: ournameserver.com
  Registrar: NETWORK SOLUTIONS, INC.
  Whois Server: whois.networksolutions.com
  Referral URL: http://www.networksolutions.com
  Name Server: NS1.ournameserver.net
  Name Server: NS2.ournameserver.net
  Updated Date: 27-oct-2001
 
 
 Step two: change /etc/resolv.conf to the following
 
 
 search ournameserver.com
 nameserver 123.123.123.123 # nameserver1
 nameserver 123.123.123.134 # nameserver2
 
 Step three: sample run
 
 mylinux machine$ nslookup www.debian.org
 
 Server: ournameserver.com
 Address: 123.123.123.123
 
 Non-authoritative answer:
 Name:   www.debian.org
 Address: 198.186.203.20
 
 mylinux machine$ 
 
 --
 GNU PGP public key
 http://www.annapolislinux.org/docs/public_key/GnuPG.txt
 -
 Ted Knab
 
 
 
 

-- 
  Nick Jennings






RE: nameservers open to world - with test output

2001-11-03 Thread James

Well, if your company runs the DNS for your website on those servers and
you block outside IPs from querying, no one on the internet will be
able to go to your website.  :)

Overall, I do not think it is a big problem, unless someone is pointing
massive amounts of traffic to your DNS servers.  DNS traffic is usually
very small UDP packets (I think like less than 512 bytes).  If it goes
over that, it uses TCP.  

But generally, I think to go over 512 bytes in one request would mean a
zone transfer attempt (bad).

So, IMO: Leave it open and monitor traffic.  Potentially block TCP to
prevent zone transfers.

- James

-Original Message-
From: Ted Knab [mailto:[EMAIL PROTECTED]] On Behalf Of Thedore
Knab
Sent: Saturday, November 03, 2001 1:57 PM
To: [EMAIL PROTECTED]
Subject: nameservers open to world - with test output

It has recently come to my attention that anyone can use our company's
nameservers.

I recently set up my home machine to use the company's nameserver to
confirm this.

I was wondering if there was any way to prevent people from using our
company's NS for their personal servers?

Would the extra traffic generated cause any problems on our network that
I may not be aware of?


Test confirmation that our NS is open to the world:

Step one: look up the name

mylinux machine$ whois ourdomain.com
Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: ournameserver.com
 Registrar: NETWORK SOLUTIONS, INC.
 Whois Server: whois.networksolutions.com
 Referral URL: http://www.networksolutions.com
 Name Server: NS1.ournameserver.net
 Name Server: NS2.ournameserver.net
 Updated Date: 27-oct-2001


Step two: change /etc/resolv.conf to the following


search ournameserver.com
nameserver 123.123.123.123 # nameserver1
nameserver 123.123.123.134 # nameserver2

Step three: sample run

mylinux machine$ nslookup www.debian.org

Server: ournameserver.com
Address: 123.123.123.123

Non-authoritative answer:
Name:   www.debian.org
Address: 198.186.203.20

mylinux machine$ 

--
GNU PGP public key
http://www.annapolislinux.org/docs/public_key/GnuPG.txt
-
Ted Knab





RE: nameservers open to world - with test output

2001-11-03 Thread Bulent Murtezaoglu


James wrote:
 Well, if your company runs the DNS for your website on
 those servers and you block outside IPs from querying,
 no one on the internet will be able to go to your website.
 :) [...]

I think the right way to do this in bind 8.?? is:

In named.conf:

options {
    // bla bla
    allow-query { 127/8; your-network/bits; };
};

and for domain names you are authoritative for:

zone "your-domain-name.com" in {
    type master;
    allow-query { any; };
    file "/etc/bind/your-domain-name.com";
};

This will accomplish what you want.

cheers,

BM
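To make the semantics of the two allow-query lists above concrete, here is an added example (mine, not Bulent's and not BIND's code) that evaluates a BIND-style address match list the way named applies it: elements are tried in order and the first match decides, a leading `!` negates, `any` and `none` are keywords, and trailing zero octets may be omitted, so `127/8` means 127.0.0.0/8. A zone-level allow-query replaces the options-level list for names inside that zone, which is what keeps the authoritative zone answerable from anywhere while a recursive lookup of some other name from an outside address is denied. The network 192.0.2.0/24 stands in for `your-network/bits` and 203.0.113.9 for an outside client; both are documentation ranges chosen here, not values from the thread. IPv4 only.

```python
"""Evaluate BIND-style allow-query address match lists.

Added example, not from the thread and not BIND's own code: models how
named applies an address match list (first match wins, `!` negates,
`any`/`none` keywords, trailing zero octets may be omitted) and how a
per-zone allow-query overrides the options-level default. IPv4 only.
"""
import ipaddress


def parse_element(elem: str):
    """Return (negated, matcher) for one list element such as '!10/8' or 'any'."""
    elem = elem.strip()
    negate = elem.startswith("!")
    body = elem[1:].strip() if negate else elem
    if body in ("any", "none"):
        return negate, body
    if "/" in body:
        addr, bits = body.split("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 127/8 -> 127.0.0.0/8
        return negate, ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return negate, ipaddress.ip_network(body)  # bare address -> /32


def matches(acl, client: str) -> bool:
    """First matching element decides; a negated match denies; no match denies."""
    ip = ipaddress.ip_address(client)
    for elem in acl:
        negate, matcher = parse_element(elem)
        if matcher == "any":
            hit = True
        elif matcher == "none":
            hit = False
        else:
            hit = ip in matcher
        if hit:
            return not negate
    return False


# Constructed configuration mirroring the named.conf fragment above.
# 192.0.2.0/24 stands in for "your-network/bits" (documentation range).
EXAMPLE_CONFIG = {
    "options": {"allow-query": ["127/8", "192.0.2.0/24"]},
    "zones": {
        "your-domain-name.com": {"type": "master", "allow-query": ["any"]},
    },
}


def zone_for(config, qname: str):
    """Longest configured zone containing qname, or None (e.g. a recursive lookup)."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in config["zones"]:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best.rstrip(".")):
                best = zone
    return best


def query_allowed(config, qname: str, client: str) -> bool:
    """Use the zone's allow-query when the name is in a served zone, else the global one."""
    zone = zone_for(config, qname)
    acl = config["options"]["allow-query"]
    if zone is not None:
        acl = config["zones"][zone].get("allow-query", acl)
    return matches(acl, client)
```

With EXAMPLE_CONFIG, an outside client (203.0.113.9) asking for www.your-domain-name.com is allowed, the same client asking for www.debian.org is denied, and the internal network and localhost are allowed for both; that is exactly the split between authoritative service and recursive service that the original question is about.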






Re: nameservers open to world - with test output

2001-11-03 Thread Nick Jennings

Well, it is a problem if your DNS server has zone files for lots of
internal network servers.

You could have two separate instances of BIND (if you need an external
DNS server to be answering for your domain name etc.). Bind each to
their applicable interface.

On Sat, Nov 03, 2001 at 05:02:07PM -0500, James wrote:
 Well, if your company runs the DNS for your website on those servers and
 you block outside IPs from querying, no one on the internet will be
 able to go to your website.  :)
 
 Overall, I do not think it is a big problem, unless someone is pointing
 massive amounts of traffic to your DNS servers.  DNS traffic is usually
 very small UDP packets (I think like less than 512 bytes).  If it goes
 over that, it uses TCP.  
 
 But generally, I think to go over 512 bytes in one request would mean a
 zone transfer attempt (bad).
 
 So, IMO: Leave it open and monitor traffic.  Potentially block TCP to
 prevent zone transfers.
 
 - James
 
 -Original Message-
 From: Ted Knab [mailto:[EMAIL PROTECTED]] On Behalf Of Thedore
 Knab
 Sent: Saturday, November 03, 2001 1:57 PM
 To: [EMAIL PROTECTED]
 Subject: nameservers open to world - with test output
 
 It has recently came to my attention that anyone can use our company's
 nameservers.
 
 I recently setup my home machine to use the company's nameserver to
 confirm this.
 
 I was wondering if there was anyway to prevent people from using our
 company's NS for their personal servers ?
 
 Would the extra traffic generated cause any problems on our network that
 I may not be aware of ?
 
 
 Test Confirmation that our NS is open to world: |
 
 
 ---
 Step one: lookup name |
 ---
 
 mylinux machine$ whois ourdomain.com
 Whois Server Version 1.3
 
 Domain names in the .com, .net, and .org domains can now be registered
 with many different competing registrars. Go to http://www.internic.net
 for detailed information.
 
  Domain Name: ournameserver.com
  Registrar: NETWORK SOLUTIONS, INC.
  Whois Server: whois.networksolutions.com
  Referral URL: http://www.networksolutions.com
  Name Server: NS1.ournameserver.net
  Name Server: NS2.ournameserver.net
  Updated Date: 27-oct-2001
 
 
 Step two: change /etc/resolv.conf to the following |
 
 
 search ournameserver.com
 nameserver 123.123.123.123 # nameserver1
 nameserver 123.123.123.134 # nameserver2
 
 -
 Step three: sample run  |
 -
 
 mylinux machine$ nslookup www.debian.org
 
 Server: ournameserver.com
 Address: 123.123.123.123
 
 Non-authoritative answer:
 Name:   www.debian.org
 Address: 198.186.203.20
 
 mylinux machine$ 
 
 --
 GNU PGP public key
 http://www.annapolislinux.org/docs/public_key/GnuPG.txt
 -
 Ted Knab
 
 
 
 

-- 
  Nick Jennings


