
RE: nameservers open to world - with test output



Well, if your company runs the DNS for your website on those servers and
you block outside IPs from querying them, no one on the internet will be
able to go to your website.  :)

Overall, I do not think it is a big problem, unless someone is pointing
massive amounts of traffic to your DNS servers.  DNS traffic is usually
very small UDP packets (I think like less than 512 bytes).  If it goes
over that, it uses TCP.  

But generally, I think to go over 512 bytes in one request would mean a
zone transfer attempt (bad).

So, IMO: Leave it open and monitor traffic.  Potentially block TCP to
prevent zone transfers.

- James

-----Original Message-----
From: Ted Knab [mailto:tjk@breezysolutions.com] On Behalf Of Thedore Knab
Sent: Saturday, November 03, 2001 1:57 PM
To: debian-isp@lists.debian.org
Subject: nameservers open to world - with test output

It has recently come to my attention that anyone can use our company's
nameservers.

I recently set up my home machine to use the company's nameserver to
confirm this.

I was wondering if there was any way to prevent people from using our
company's NS for their personal servers?

Would the extra traffic generated cause any problems on our network that
I may not be aware of?

------------------------------------------------
Test Confirmation that our NS is open to world: |
------------------------------------------------

-----------------------
Step one: lookup name |
-----------------------

mylinux machine$ whois ourdomain.com
Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: ournameserver.com
 Registrar: NETWORK SOLUTIONS, INC.
 Whois Server: whois.networksolutions.com
 Referral URL: http://www.networksolutions.com
 Name Server: NS1.ournameserver.net
 Name Server: NS2.ournameserver.net
 Updated Date: 27-oct-2001

----------------------------------------------------
Step two: change /etc/resolv.conf to the following |
----------------------------------------------------

search ournameserver.com
nameserver 123.123.123.123 # nameserver1
nameserver 123.123.123.134 # nameserver2

-------------------------
Step three: sample run  |
-------------------------

mylinux machine$ nslookup www.debian.org

Server: ournameserver.com
Address: 123.123.123.123

Non-authoritative answer:
Name:   www.debian.org
Address: 198.186.203.20

mylinux machine$ 

----------------------
GNU PGP public key
http://www.annapolislinux.org/docs/public_key/GnuPG.txt
---------------------
Ted Knab

