[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: nameservers open to world - with test output

Well, if your company runs the DNS for your website on those servers and
you block outside IPs from querying from, no one on the internet will be
able to go to your website.  :)

Overall, I do not think it is a big problem, unless someone is pointing
massive amounts of traffic to your DNS servers.  DNS traffic is usually
very small UDP packets (I think like less than 512 bytes).  If it goes
over that, it uses TCP.  

But generally, I think to go over 512 bytes in one request would mean a
zone transfer attempt (bad).

So, IMO: Leave it open and monitor traffic.  Potentially block TCP to
prevent zone transfers.

- James

-----Original Message-----
From: Ted Knab [mailto:tjk@breezysolutions.com] On Behalf Of Thedore
Sent: Saturday, November 03, 2001 1:57 PM
To: debian-isp@lists.debian.org
Subject: nameservers open to world - with test output

It has recently came to my attention that anyone can use our company's

I recently setup my home machine to use the company's nameserver to
confirm this.

I was wondering if there was anyway to prevent people from using our
company's NS for their personal servers ?

Would the extra traffic generated cause any problems on our network that
I may not be aware of ?

Test Confirmation that our NS is open to world: |

Step one: lookup name |

mylinux machine$ whois ourdomain.com
Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: ournameserver.com
 Whois Server: whois.networksolutions.com
 Referral URL: http://www.networksolutions.com
 Name Server: NS1.ournameserver.net
 Name Server: NS2.ournameserver.net
 Updated Date: 27-oct-2001

Step two: change /etc/resolv.conf to the following |

search ournameserver.com
nameserver # nameserver1
nameserver # nameserver2

Step three: sample run  |

mylinux machine$ nslookup www.debian.org

Server: ournameserver.com

Non-authoritative answer:
Name:   www.debian.org

mylinux machine$ 

GNU PGP public key
Ted Knab

To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: