Recursive queries DNS

Dear consultors, actually I am checking the DNS and I have a warning about recursive queries to my DNS legalpublishing.cl, how really bad it's this warming because I have been che

here is my named.conf

options {
      directory "/var/named";
};
zone "." {
      type hint;
      file "named.ca";
};

zone "abeledoperrot.cl"{
        type master;
        file "abeledoperrot.zone";
        notify yes;
};

zone "intelecta.cl"{
      type master;
      file "intelecta.zone";
      notify yes;
};
zone "jurinet.cl"{
      type master;
      file "jurinet.zone";
      notify yes;
};

zone "normatec.cl"{
      type master;
      file "normatec.zone";
      notify yes;
};
zone "proman.cl"{
      type master;
      file "proman.zone";
      notify yes;
};
zone "publitecsa.cl"{
      type master;
      file "publitecsa.zone";
      notify yes;
};
zone "semanajuridica.cl"{
      type master;
      file "semanajuridica.zone";
      notify yes;
};
zone "rentafacil.cl"{
        type master;
        file "rentafacil.zone";
        notify yes;
};
zone "legalpublishing.cl"{
        type master;
        file "legalpublishing.zone";
      notify yes;
};
zone "legalpublishingchile.cl"{
        type master;
        file "legalpublishingchile.zone";
        notify yes;
};
zone "legalpublishinggroup.cl"{
        type master;
        file "legalpublishinggroup.zone";
        notify yes;
};
zone "legalpublishingnetherlands.cl"{
        type master;
        file "legalpublishingnetherlands.zone";
        notify yes;
};

zone "legalpublishingroup.cl"{
        type master;
        file "legalpublishingroup.zone";
        notify yes;
};

zone "edicionestecnicas.com"{
        type master;
        file "edicionestecnicas.com.zone";
        notify yes;
};

zone "editoriallegal.com"{
        type master;
        file "editoriallegal.com.zone";
        notify yes;
};

zone "legalpublishinggroup.com"{
        type master;
        file "legalpublishinggroup.com.zone";
        notify yes;
};

zone "legalp.cl"{
        type master;
        file "legalp.cl.zone";
        notify yes;
};

zone "arancel.cl"{
        type master;
        file "arancel.cl.zone";
        notify yes;
};

zone "boletinsii.cl"{
        type master;
        file "boletinsii.cl.zone";
        notify yes;
};

zone "centroventas.cl"{
        type master;
        file "centroventas.cl.zone";
        notify yes;
};

zone "conosur.cl"{
      type master;
      file "conosur.zone";
      notify yes;
};

zone "consultaslaborales.cl"{
      type master;
      file "consultaslaborales.cl.zone";
      notify yes;
};


zone "contabilidadytributaria.cl"{
      type master;
      file "contabilidadytributaria.cl.zone";
      notify yes;
};

zone "derechochileno.cl"{
      type master;
      file "derechochileno.cl.zone";
      notify yes;
};

zone "derecholaboral.cl"{
      type master;
      file "derecholaboral.cl.zone";
      notify yes;
};

zone "derechoonline.cl"{
      type master;
      file "derechoonline.cl.zone";
      notify yes;
};

zone "dictamenes.cl"{
      type master;
      file "dictamenes.cl.zone";
      notify yes;
};

zone "edicioneslp.cl"{
      type master;
      file "edicioneslp.cl.zone";
      notify yes;
};

zone "edicionestecnicaslaborales.cl"{
      type master;
      file "edicionestecnicaslaborales.cl.zone";
      notify yes;
};

zone "edicionestecnicastributarias.cl"{
      type master;
      file "edicionestecnicastributarias.cl.zone";
      notify yes;
};

zone "estudiodeabogado.cl"{
      type master;
      file "estudiodeabogado.cl.zone";
      notify yes;
};

zone "estudiosdeabogados.cl"{
      type master;
      file "estudiosdeabogados.cl.zone";
      notify yes;
};

zone "estudioslegales.cl"{
      type master;
      file "estudioslegales.cl.zone";
      notify yes;
};

zone "etl.cl"{
      type master;
      file "etl.cl.zone";
      notify yes;
};

zone "ettsa.cl"{
      type master;
      file "ettsa.zone";
      notify yes;
};

zone "hyperrenta.cl"{
      type master;
      file "hyperrenta.zone";
      notify yes;
};

zone "gacetajuridica.cl"{
      type master;
      file "gacetajuridica.zone";
      notify yes;
};

zone "hyper-renta.cl"{
      type master;
      file "hyper-renta.zone";
      notify yes;
};

zone "informacionjuridica.cl"{
      type master;
      file "informacionjuridica.zone";
      notify yes;
};

zone "jurisprudenciaaldia.cl"{
      type master;
      file "jurisprudenciaaldia.zone";
      notify yes;
};

zone "jurisprudenciaenlinea.cl"{
      type master;
      file "jurisprudenciaenlinea.zone";
      notify yes;
};

zone "jurisprudencialdia.cl"{
      type master;
      file "jurisprudencialdia.zone";
      notify yes;
};

zone "jurisprudenciaonline.cl"{
      type master;
      file "jurisprudenciaonline.zone";
      notify yes;
};

zone "jurisprudenciatributaria.cl"{
      type master;
      file "jurisprudenciatributaria.zone";
      notify yes;
};

zone "lasemanajuridica.cl"{
      type master;
      file "lasemanajuridica.zone";
      notify yes;
};

zone "0.0.127.in-addr.arpa"{
      type master;
      file "named.local";
};


zone "176.111.200.in-addr.arpa"{
      type master;
      file "176.111.200.in-addr.arpa";
        allow-update { none; };
};



key rndc-key {
      algorithm hmac-md5;
      secret "HbLmYrVUBcmQgQxHEQmYLQ==";
      };
controls {
      inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
      };

The file zone for the domain legalpublishing.cl is:
$ORIGIN legalpublishing.cl.
$ttl 3600
legalpublishing.cl.      IN      SOA      eros.legalpublishing.cl. postmaster.legalpublishing.cl. (
                  2011032601
                  3600
                  900
                  1209600
                  43200 )
legalpublishing.cl.      IN      NS      eros.legalpublishing.cl.
                        NS      secundario.nic.cl.
                  A      164.77.186.2
legalpublishing.cl.      3600      IN      MX      10 mail.legalpublishing.cl.
curso.legalpublishing.cl.      IN      A      164.77.186.7
elearning            A      164.77.186.7
eros                  A      164.77.186.2
estadisticas            A      190.151.57.18
marketing            A      190.151.57.19
intranetrrhh.legalpublishing.cl.      IN      A      164.77.186.11
lexnxt4                  A      192.168.5.69
lngscldvl01.legalpublishing.cl.      IN      A      164.77.186.5
lngsclweb01            A      190.151.57.18
lngsclweb02.legalpublishing.cl.      IN      A      164.77.186.4
mail.legalpublishing.cl.      IN      A       164.77.186.10      
mail.legalpublishing.cl.      3600      IN      MX      10 mail
ns                  A      164.77.186.2
productos            A      190.151.57.18
productos2            A      164.77.186.4
saad.legalpublishing.cl.      IN      A      164.77.186.9
seminario            A      164.77.186.7
servicios             A      190.151.57.18
streaming            A      164.77.186.7
training.legalpublishing.cl.      IN      A      164.77.186.6
ts.legalpublishing.cl.      IN      A      164.77.186.8
video                  A      164.77.186.7
www.legalpublishing.cl.      IN      A      190.151.57.18
bo                      A       190.151.57.18
bo2                     A       164.77.186.4
www2                    A       164.77.186.4
servicios2              A       164.77.186.4
dj2010                  A       190.151.57.18
dj2011                  A       190.151.57.18
bo99                    A       164.77.186.5
www99                   A       164.77.186.5
productos99             A       164.77.186.5
servicios99             A       164.77.186.5
www1                    A       164.77.186.3
www3                    A       190.151.57.19
productos1              A       164.77.186.3
servicios3              A       190.151.57.19
bo3                     A       190.151.57.19
productos3              A       190.151.57.19
servicios1              A       164.77.186.3
bo1                     A       164.77.186.3
sip                     A       200.73.52.12
conference              A       164.77.186.12

164.77.186.10.legalpublishing.cl.      IN      PTR      mail.legalpublishing.cl


How can I fix this? or I let working in this way, what can be a real damage?

Thanks

Jose Luis


josepalaciosAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris DentPowerShell DeveloperCommented:
Hi Jose,

What it means:

It means I could lookup names, other than those your server is directly responsible for, using your server.

e.g.

nslookup www.google.com 1.2.3.4

Where 1.2.3.4 would be replaced with the IP of your server.

How bad is it? How bad depends on what you expect your server to do.

If your servers job is to sit there and answer requests about the zones you have configured and nothing else it's a hole that probably shouldn't be there. It opens you up to the possibility of certain types of attack, mostly of the DDOS (Distributed Denial of Service) variety.

Realistically you only want to allow your server to process recursive requests if it's acting as a resolver. And even then, it should only globally answer if you are providing that service to the public (with all the capacity planning, and risk analysis that entails).

How can you fix it?

You have two choices. Adding this to the "options" section of named.conf will turn off recursion entirely:
allow-recursion { "none"; };
recursion no;

Open in new window

I suggest you add these two as well, for peace of mind:
version "private";
allow-transfer { "none"; };

Open in new window

The first stops people asking about the version of BIND you're running. The second explicitly stops transfers, unless overridden on the zone level. The second shouldn't be necessary, it's peace of mind, that's all.

If you still need to allow recursion for a specific group of clients the statement above is modified (but still in options). For example, we might allow a single private network:
allow-recursion { 192.168.0.0/24; };

Open in new window

If you do that, you should remove the "recursion no" command, and lock down the cache:
allow-query-cache { 192.168.0.0/24; };

Open in new window

HTH

Chris
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.