
Re: nameservers open to world - with test output



Well, it is a problem if your DNS server has zone files for lots of
internal network servers. 

You could have two separate instances of BIND (if you need an external
DNS server to be answering for your domain name etc). Bind each to
their applicable interface.

On Sat, Nov 03, 2001 at 05:02:07PM -0500, James wrote:
> Well, if your company runs the DNS for your website on those servers and
> you block outside IPs from querying them, no one on the internet will be
> able to go to your website.  :)
> 
> Overall, I do not think it is a big problem, unless someone is pointing
> massive amounts of traffic to your DNS servers.  DNS traffic is usually
> very small UDP packets (I think like less than 512 bytes).  If it goes
> over that, it uses TCP.  
> 
> But generally, I think to go over 512 bytes in one request would mean a
> zone transfer attempt (bad).
> 
> So, IMO: Leave it open and monitor traffic.  Potentially block TCP to
> prevent zone transfers.
> 
> - James
> 
> -----Original Message-----
> From: Ted Knab [mailto:tjk@breezysolutions.com] On Behalf Of Thedore
> Knab
> Sent: Saturday, November 03, 2001 1:57 PM
> To: debian-isp@lists.debian.org
> Subject: nameservers open to world - with test output
> 
> It has recently come to my attention that anyone can use our company's
> nameservers.
> 
> I recently set up my home machine to use the company's nameserver to
> confirm this.
> 
> I was wondering if there was any way to prevent people from using our
> company's NS for their personal servers?
> 
> Would the extra traffic generated cause any problems on our network that
> I may not be aware of?
> 
> ------------------------------------------------
> Test Confirmation that our NS is open to world: |
> ------------------------------------------------
> 
> -----------------------
> Step one: lookup name |
> -----------------------
> 
> mylinux machine$ whois ourdomain.com
> Whois Server Version 1.3
> 
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
> 
>  Domain Name: ournameserver.com
>  Registrar: NETWORK SOLUTIONS, INC.
>  Whois Server: whois.networksolutions.com
>  Referral URL: http://www.networksolutions.com
>  Name Server: NS1.ournameserver.net
>  Name Server: NS2.ournameserver.net
>  Updated Date: 27-oct-2001
> 
> ----------------------------------------------------
> Step two: change /etc/resolv.conf to the following |
> ----------------------------------------------------
> 
> search ournameserver.com
> nameserver 123.123.123.123 # nameserver1
> nameserver 123.123.123.134 # nameserver2
> 
> -------------------------
> Step three: sample run  |
> -------------------------
> 
> mylinux machine$ nslookup www.debian.org
> 
> Server: ournameserver.com
> Address: 123.123.123.123
> 
> Non-authoritative answer:
> Name:   www.debian.org
> Address: 198.186.203.20
> 
> mylinux machine$ 
> 
> ----------------------
> GNU PGP public key
> http://www.annapolislinux.org/docs/public_key/GnuPG.txt
> ---------------------
> Ted Knab
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 

-- 
  Nick Jennings
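The test Ted ran above (point resolv.conf at the company's NS, look up a name it is not authoritative for, see whether an answer comes back) can be done more precisely by looking at the DNS header of the reply: the RA bit says whether the server offers recursion, and BIND answers a refused recursive query with rcode REFUSED. The script below is an added example, not code from the thread or from the BIND project; it uses only the Python standard library, builds the query by hand, and classifies the reply from the header alone. The sample replies are constructed in the script (not captured from anyone's servers), and the server address passed on the command line is assumed to be your own nameserver, queried from a host outside your network as Ted did.

```python
import random
import socket
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit, big-endian).
# Flag bits used here: QR=0x8000, AA=0x0400, TC=0x0200, RD=0x0100, RA=0x0080,
# RCODE = low four bits (0 = NOERROR, 5 = REFUSED).


def build_query(name, qtype=1, query_id=None):
    """Build a standard query with RD=1 (recursion requested) for `name` (A record by default)."""
    if query_id is None:
        query_id = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0, OPCODE=0 (standard query), RD=1
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_response(data, expected_id=None):
    """Return the header fields that matter for an open-recursion check."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and rid != expected_id:
        raise ValueError("response id does not match query id")
    return {
        "id": rid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(hdr):
    """Interpret a reply to a recursive query for a name the server does not host itself."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == 5:
        return "recursion-refused"          # what BIND returns when the client is not allowed recursion
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["ancount"] > 0 and not hdr["aa"]:
        return "open-recursive"             # non-authoritative answer obtained for us: server recursed
    if not hdr["ra"]:
        return "recursion-not-available"    # e.g. a referral to the roots with RA clear
    return "inconclusive"


def check_resolver(server, name="www.debian.org", timeout=3.0):
    """Send one recursive UDP query to `server` and classify the reply (network call)."""
    qid = random.randrange(0, 0x10000)
    query = build_query(name, query_id=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data, expected_id=qid))


# Constructed sample replies (header only, which is all the check needs), id 0x1234.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR RD RA, NOERROR, one answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR RD, rcode REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # QR RD, RA clear, root referral

if __name__ == "__main__":
    import sys
    for label, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("referral", SAMPLE_REFERRAL)):
        print(label, "->", classify(parse_response(pkt, expected_id=0x1234)))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_resolver(sys.argv[1]))
```

Query a name outside your own zones, as Ted did with www.debian.org: a query for your own domain is answered authoritatively (AA set, RA usually clear) whether or not recursion is open, so it tells you nothing. If the result is "open-recursive" from an outside host, the single-daemon alternative to Nick's two-instance setup is a BIND 9 `allow-recursion` ACL (or views) that limits recursion to your own address ranges while the authoritative zones stay reachable from anywhere.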
