Micetro by Men&Mice

Open DNS Server - does it matter and how do I secure (close) my server?
Symptom:

DNS servers shouldn’t be “open”: they shouldn’t offer recursive DNS name resolution to anyone on the Internet.

CNET.COM has an article on how attackers can misuse these open DNS servers to launch attacks against other machines on the Internet:

"DNS servers do hackers' dirty work"

Solution

Here are the steps to disable open recursion using the Men & Mice DNS Management System:

To disable or restrict recursion, use the Query Restrictions pane in the server’s Options window. To get there, after you’ve logged in with Men & Mice Management Console, do the following:
  • Click on DNS Servers on the left.
  • Click on your DNS server on the right - not in the list under DNS Servers, but in the right-hand pane.
  • Open the context menu - either right-click or control-click on the server.
  • Select Options.
  • In the window that appears, click on Query Restrictions on the left.
Your server should (probably) offer to resolve queries for local users only. Note that this won’t affect queries coming from other name servers out on the Internet that are asking about data in your zones: answers for zones the server is authoritative for do not need recursion. You can enter your subnet in CIDR notation, so that the list looks like this:
  allow 192.0.2/24
You don’t need to “deny all” after that - it’s the default: any client not matched by the list is refused recursion.

In a plain BIND installation without Men & Mice Management Console, add an “allow-recursion” statement to the “options” block of the “/etc/named.conf” file (the BIND configuration file). The “allow-recursion” statement should list the networks from which recursive name resolution to the Internet is permitted. These should be your local client networks only.

Example for the local Class C Network 192.0.2.0/24:
options {
     directory "/var/named";
     allow-recursion { 192.0.2.0/24; 127.0.0.1; };
};
It is also possible to use the predefined ACLs (Access Control Lists) of a BIND nameserver:
  • localhost - all network interfaces on the DNS server
  • localnets - all networks locally attached to the DNS server (caution: for this ACL to work, the network configuration of the DNS server’s OS must be error-free)

Example:
options {
     directory "/var/named";
     allow-recursion { localnets; };
};
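The following is an added example, not code from Men & Mice or from BIND, that models how the “allow-recursion” list from the Management Console steps and from the named.conf examples above is evaluated: the client’s source address is checked against the entries in order, the first match decides, a leading “!” negates an entry, and anything unmatched is denied (the implicit “deny all”). The interface list LOCAL_INTERFACES, the Internet client address INTERNET_CLIENT and the two sample configurations are constructed for the example; “localhost” and “localnets” are approximated from that interface list rather than read from a real OS. The abbreviated “192.0.2/24” form shown in the console is accepted as well.

```python
"""Evaluate a BIND-style allow-recursion ACL (added example, not BIND's
own code). Entries are tried in order, first match wins, "!" negates,
and no match means recursion is denied (the implicit "deny all")."""
import ipaddress
import re

# Constructed stand-in for the server's own interface addresses.
LOCAL_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24"]

# Constructed public test-net address representing "anyone on the Internet".
INTERNET_CLIENT = "198.51.100.7"

ACL_RE = re.compile(r"allow-recursion\s*\{([^}]*)\}")


def to_network(spec):
    """Turn an address entry into an ip_network; accepts the abbreviated
    IPv4 form the Management Console shows (e.g. "192.0.2/24")."""
    if ":" not in spec:
        host, _, plen = spec.partition("/")
        octets = host.split(".")
        while len(octets) < 4:          # pad "192.0.2" to "192.0.2.0"
            octets.append("0")
        spec = ".".join(octets) + ("/" + plen if plen else "")
    return ipaddress.ip_network(spec, strict=False)


def expand_entry(name, interfaces=LOCAL_INTERFACES):
    """Expand one ACL entry (builtin name or address) to a list of networks."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if name == "none":
        return []
    if name == "localhost":   # every address configured on the server itself
        return [ipaddress.ip_network(ipaddress.ip_interface(i).ip) for i in interfaces]
    if name == "localnets":   # every directly attached network
        return [ipaddress.ip_interface(i).network for i in interfaces]
    return [to_network(name)]


def recursion_allowed(client_ip, acl_entries, interfaces=LOCAL_INTERFACES):
    """First matching entry decides; no match means recursion is refused."""
    addr = ipaddress.ip_address(client_ip)
    for entry in acl_entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!").strip()
        for net in expand_entry(name, interfaces):
            if addr in net:             # False across IPv4/IPv6 families
                return not negate
    return False                        # implicit "deny all"


def parse_allow_recursion(named_conf):
    """Return the allow-recursion entries from named.conf text, or None when
    the statement is absent (the default then depends on the BIND version,
    so an absent statement is something to verify, not assume)."""
    m = ACL_RE.search(named_conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def is_open_resolver(named_conf, interfaces=LOCAL_INTERFACES):
    """True if a client out on the Internet would be granted recursion,
    False if not, None if the file does not say."""
    entries = parse_allow_recursion(named_conf)
    if entries is None:
        return None
    return recursion_allowed(INTERNET_CLIENT, entries, interfaces)


# Constructed sample configurations: one open, one as the article recommends.
OPEN_CONF = """
options {
     directory "/var/named";
     allow-recursion { any; };
};
"""

CLOSED_CONF = """
options {
     directory "/var/named";
     allow-recursion { 192.0.2.0/24; 127.0.0.1; };
};
"""

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("closed", CLOSED_CONF)):
        print(f"{label}: allow-recursion {parse_allow_recursion(conf)} "
              f"-> open resolver: {is_open_resolver(conf)}")
```

Running the script reports the “any” configuration as an open resolver and the article’s 192.0.2.0/24 configuration as closed; the same evaluator can be pointed at your own named.conf text to check which client ranges would be granted recursion before you reload the server.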