While auditing security for a VPS node, I found out that the recent version (probably older versions too) of Kloxo has BIND (the DNS service) configured in such a way that it allows recursive DNS queries.
What's the Problem with Recursive DNS Queries?
- A recursive DNS query is one where a DNS client requests information from a DNS server that is set to query subsequent DNS servers until a definitive answer is returned to the client. A nameserver that allows this can be used to query any domain.
How to check?
- You can use intodns.com to check it.
How are they Harmful?
- The major risk is DNS amplification (using DNS to DDoS), seen in the latest Cyberbunker vs Spamhaus spat which 'nearly broke the internet'.
Other risks are:
- DNS cache poisoning - hacking a website via DNS.
- Root name server problem - when DNS servers are not configured correctly, queries using RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, causing a degradation in service for legitimate queries to those servers.
How to fix?
Since Kloxo uses BIND, you just have to edit one file.
Code:
/var/named/chroot/etc/named.conf
Use vi or nano to edit,
and add
Code:
options {
    // answer recursive queries only for the server itself
    allow-recursion { localhost; };
};
at the beginning of the file.
So your file should look like
Now you just have to restart BIND
Code:
service named restart
Check again with intodns. Your DNS server should now be secured.
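
A local alternative to the intodns check, added here as an example and not part of the original post: it sends one recursive query for a zone the server does not host and reads the RA flag and RCODE of the reply. Run it from a machine other than the server itself, since localhost remains allowed; `example.com`, the script name and the function names are assumptions.

```python
import secrets
import socket
import struct
import sys

def build_query(name, qid=None):
    """Build a DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    qid = secrets.randbits(16) if qid is None else qid
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Interpret the header of a raw DNS response from the audited server."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    rcode = flags & 0x000F
    if rcode == 5:                 # REFUSED: the server declined the query
        return "refused"
    if not flags & 0x0080:         # RA clear: recursion not offered to this client
        return "not-offered"
    # RA set: recursion is available to us; an answer proves it was performed
    return "open" if rcode == 0 and ancount > 0 else "inconclusive"

def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query to `server` on UDP/53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(512)
    if response[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return classify(response)

if __name__ == "__main__":
    # Usage: python check_recursion.py <your-nameserver-ip>
    print(probe(sys.argv[1]))
```

A result of `open` means the server still resolves names for outside clients; `refused` or `not-offered` is what you want to see after the change.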