• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 517
  • Last Modified:

Recursive queries DNS

Dear consultors, actually I am checking the DNS and I have a warning about recursive queries to my DNS legalpublishing.cl, how really bad it's this warming because I have been che

here is my named.conf

options {
      directory "/var/named";
};
zone "." {
      type hint;
      file "named.ca";
};

zone "abeledoperrot.cl"{
        type master;
        file "abeledoperrot.zone";
        notify yes;
};

zone "intelecta.cl"{
      type master;
      file "intelecta.zone";
      notify yes;
};
zone "jurinet.cl"{
      type master;
      file "jurinet.zone";
      notify yes;
};

zone "normatec.cl"{
      type master;
      file "normatec.zone";
      notify yes;
};
zone "proman.cl"{
      type master;
      file "proman.zone";
      notify yes;
};
zone "publitecsa.cl"{
      type master;
      file "publitecsa.zone";
      notify yes;
};
zone "semanajuridica.cl"{
      type master;
      file "semanajuridica.zone";
      notify yes;
};
zone "rentafacil.cl"{
        type master;
        file "rentafacil.zone";
        notify yes;
};
zone "legalpublishing.cl"{
        type master;
        file "legalpublishing.zone";
      notify yes;
};
zone "legalpublishingchile.cl"{
        type master;
        file "legalpublishingchile.zone";
        notify yes;
};
zone "legalpublishinggroup.cl"{
        type master;
        file "legalpublishinggroup.zone";
        notify yes;
};
zone "legalpublishingnetherlands.cl"{
        type master;
        file "legalpublishingnetherlands.zone";
        notify yes;
};

zone "legalpublishingroup.cl"{
        type master;
        file "legalpublishingroup.zone";
        notify yes;
};

zone "edicionestecnicas.com"{
        type master;
        file "edicionestecnicas.com.zone";
        notify yes;
};

zone "editoriallegal.com"{
        type master;
        file "editoriallegal.com.zone";
        notify yes;
};

zone "legalpublishinggroup.com"{
        type master;
        file "legalpublishinggroup.com.zone";
        notify yes;
};

zone "legalp.cl"{
        type master;
        file "legalp.cl.zone";
        notify yes;
};

zone "arancel.cl"{
        type master;
        file "arancel.cl.zone";
        notify yes;
};

zone "boletinsii.cl"{
        type master;
        file "boletinsii.cl.zone";
        notify yes;
};

zone "centroventas.cl"{
        type master;
        file "centroventas.cl.zone";
        notify yes;
};

zone "conosur.cl"{
      type master;
      file "conosur.zone";
      notify yes;
};

zone "consultaslaborales.cl"{
      type master;
      file "consultaslaborales.cl.zone";
      notify yes;
};


zone "contabilidadytributaria.cl"{
      type master;
      file "contabilidadytributaria.cl.zone";
      notify yes;
};

zone "derechochileno.cl"{
      type master;
      file "derechochileno.cl.zone";
      notify yes;
};

zone "derecholaboral.cl"{
      type master;
      file "derecholaboral.cl.zone";
      notify yes;
};

zone "derechoonline.cl"{
      type master;
      file "derechoonline.cl.zone";
      notify yes;
};

zone "dictamenes.cl"{
      type master;
      file "dictamenes.cl.zone";
      notify yes;
};

zone "edicioneslp.cl"{
      type master;
      file "edicioneslp.cl.zone";
      notify yes;
};

zone "edicionestecnicaslaborales.cl"{
      type master;
      file "edicionestecnicaslaborales.cl.zone";
      notify yes;
};

zone "edicionestecnicastributarias.cl"{
      type master;
      file "edicionestecnicastributarias.cl.zone";
      notify yes;
};

zone "estudiodeabogado.cl"{
      type master;
      file "estudiodeabogado.cl.zone";
      notify yes;
};

zone "estudiosdeabogados.cl"{
      type master;
      file "estudiosdeabogados.cl.zone";
      notify yes;
};

zone "estudioslegales.cl"{
      type master;
      file "estudioslegales.cl.zone";
      notify yes;
};

zone "etl.cl"{
      type master;
      file "etl.cl.zone";
      notify yes;
};

zone "ettsa.cl"{
      type master;
      file "ettsa.zone";
      notify yes;
};

zone "hyperrenta.cl"{
      type master;
      file "hyperrenta.zone";
      notify yes;
};

zone "gacetajuridica.cl"{
      type master;
      file "gacetajuridica.zone";
      notify yes;
};

zone "hyper-renta.cl"{
      type master;
      file "hyper-renta.zone";
      notify yes;
};

zone "informacionjuridica.cl"{
      type master;
      file "informacionjuridica.zone";
      notify yes;
};

zone "jurisprudenciaaldia.cl"{
      type master;
      file "jurisprudenciaaldia.zone";
      notify yes;
};

zone "jurisprudenciaenlinea.cl"{
      type master;
      file "jurisprudenciaenlinea.zone";
      notify yes;
};

zone "jurisprudencialdia.cl"{
      type master;
      file "jurisprudencialdia.zone";
      notify yes;
};

zone "jurisprudenciaonline.cl"{
      type master;
      file "jurisprudenciaonline.zone";
      notify yes;
};

zone "jurisprudenciatributaria.cl"{
      type master;
      file "jurisprudenciatributaria.zone";
      notify yes;
};

zone "lasemanajuridica.cl"{
      type master;
      file "lasemanajuridica.zone";
      notify yes;
};

zone "0.0.127.in-addr.arpa"{
      type master;
      file "named.local";
};


zone "176.111.200.in-addr.arpa"{
      type master;
      file "176.111.200.in-addr.arpa";
        allow-update { none; };
};



key rndc-key {
      algorithm hmac-md5;
      secret "HbLmYrVUBcmQgQxHEQmYLQ==";
      };
controls {
      inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
      };

The file zone for the domain legalpublishing.cl is:
$ORIGIN legalpublishing.cl.
$ttl 3600
legalpublishing.cl.      IN      SOA      eros.legalpublishing.cl. postmaster.legalpublishing.cl. (
                  2011032601
                  3600
                  900
                  1209600
                  43200 )
legalpublishing.cl.      IN      NS      eros.legalpublishing.cl.
                        NS      secundario.nic.cl.
                  A      164.77.186.2
legalpublishing.cl.      3600      IN      MX      10 mail.legalpublishing.cl.
curso.legalpublishing.cl.      IN      A      164.77.186.7
elearning            A      164.77.186.7
eros                  A      164.77.186.2
estadisticas            A      190.151.57.18
marketing            A      190.151.57.19
intranetrrhh.legalpublishing.cl.      IN      A      164.77.186.11
lexnxt4                  A      192.168.5.69
lngscldvl01.legalpublishing.cl.      IN      A      164.77.186.5
lngsclweb01            A      190.151.57.18
lngsclweb02.legalpublishing.cl.      IN      A      164.77.186.4
mail.legalpublishing.cl.      IN      A       164.77.186.10      
mail.legalpublishing.cl.      3600      IN      MX      10 mail
ns                  A      164.77.186.2
productos            A      190.151.57.18
productos2            A      164.77.186.4
saad.legalpublishing.cl.      IN      A      164.77.186.9
seminario            A      164.77.186.7
servicios             A      190.151.57.18
streaming            A      164.77.186.7
training.legalpublishing.cl.      IN      A      164.77.186.6
ts.legalpublishing.cl.      IN      A      164.77.186.8
video                  A      164.77.186.7
www.legalpublishing.cl.      IN      A      190.151.57.18
bo                      A       190.151.57.18
bo2                     A       164.77.186.4
www2                    A       164.77.186.4
servicios2              A       164.77.186.4
dj2010                  A       190.151.57.18
dj2011                  A       190.151.57.18
bo99                    A       164.77.186.5
www99                   A       164.77.186.5
productos99             A       164.77.186.5
servicios99             A       164.77.186.5
www1                    A       164.77.186.3
www3                    A       190.151.57.19
productos1              A       164.77.186.3
servicios3              A       190.151.57.19
bo3                     A       190.151.57.19
productos3              A       190.151.57.19
servicios1              A       164.77.186.3
bo1                     A       164.77.186.3
sip                     A       200.73.52.12
conference              A       164.77.186.12

164.77.186.10.legalpublishing.cl.      IN      PTR      mail.legalpublishing.cl


How can I fix this? or I let working in this way, what can be a real damage?

Thanks

Jose Luis


0
josepalacios
Asked:
josepalacios
1 Solution
 
Chris DentPowerShell DeveloperCommented:
Hi Jose,

What it means:

It means I could lookup names, other than those your server is directly responsible for, using your server.

e.g.

nslookup www.google.com 1.2.3.4

Where 1.2.3.4 would be replaced with the IP of your server.

How bad is it? How bad depends on what you expect your server to do.

If your servers job is to sit there and answer requests about the zones you have configured and nothing else it's a hole that probably shouldn't be there. It opens you up to the possibility of certain types of attack, mostly of the DDOS (Distributed Denial of Service) variety.

Realistically you only want to allow your server to process recursive requests if it's acting as a resolver. And even then, it should only globally answer if you are providing that service to the public (with all the capacity planning, and risk analysis that entails).

How can you fix it?

You have two choices. Adding this to the "options" section of named.conf will turn off recursion entirely:
allow-recursion { "none"; };
recursion no;

Open in new window

I suggest you add these two as well, for peace of mind:
version "private";
allow-transfer { "none"; };

Open in new window

The first stops people asking about the version of BIND you're running. The second explicitly stops transfers, unless overridden on the zone level. The second shouldn't be necessary, it's peace of mind, that's all.

If you still need to allow recursion for a specific group of clients the statement above is modified (but still in options). For example, we might allow a single private network:
allow-recursion { 192.168.0.0/24; };

Open in new window

If you do that, you should remove the "recursion no" command, and lock down the cache:
allow-query-cache { 192.168.0.0/24; };

Open in new window

HTH

Chris
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now