Solved

Open Recursive Resolver - CentOS 5

Posted on 2014-04-01
Last Modified: 2014-08-13
Hi,

I hope someone can help?

I have been left with a Linux server that is hosted externally and has been exploited. The hosting company have notified me that this server has been powered off due to its condition and the fact that it violates their 'abuse policy'.

I have included, below, the reason for the issue that has caused the power off. I am not very well versed in Linux (in fact my level of knowledge is very basic).

I have been told that I need to rectify the problem and will be given a 30 minute window to resolve the issue. If it is resolved successfully then the server will be left powered on. If not it will be turned off again.

I have the ability to ssh onto the server as 'root' but what I need to know is really how I can switch off the 'recursive resolver' or how I can limit it so that it doesn't perform global requests etc.

The server is hosting a basic (static) website that needs to be back up and running as soon as possible.

I am not sure what the server is using for DNS - probably BIND (only because it used to be the 'de facto' DNS service on Linux) but will not know that until I get them to switch the server on.

Please could someone advise me as to what I need to do to locate and fix the issue.

The operating system installed on the server is CentOS 5.

The hosting company will not offer any technical support and the person who set up and previously maintained the server is no longer around.

Info from the hosting company abuse report:
You appear to be running an open recursive resolver at IP address *.*.*.* that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses fragmented on the wire.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (to not be an open resolver)
- To only serve domains that it is authoritative for (to not work as a recursive resolver)
- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)

Thanks!
0
Question by:RoboTiger
5 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 39969921
allow-recursion {127.0.0.1;};
0
 

Author Comment

by:RoboTiger
ID: 39970028
Thank you for your response gheist.

As I said I am a novice to Linux and really wouldn't know where or how to make this change.

Is it something I can just enter from the command line as root, if so does it update any previous settings for 'recursive?'
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 39970207
You have to change file /etc/named.conf
# nano -w /etc/named.conf

inside options { HERE }

you need to restrict recursive access like before

i.e
allow-recursion {127.0.0.1;X.Y.Z.0/24;};

Watch the semicolons (X.Y.Z would be placeholder if your office PCs use this DNS server)

then run
# named-checkconf -z

Once that says your configuration is OK

# service named restart


Now check from another system (a home PC is good)

nslookup www.google.co.nz ip_of_your_dns

any result is bad
0
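The outside check described in the accepted answer, written as an added example that is not part of the original thread: it sends one query with the "recursion desired" bit set and reads the reply header to see whether the server resolved a name it is not authoritative for. The function names and the sample replies are constructed for illustration; run it from a machine outside the server's network against your own server's IP.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(response, txid=0x1234):
    """Decide from the 12-byte DNS header whether the server recursed for us."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    ra = bool(flags & 0x0080)      # RA: server offers recursion to this client
    rcode = flags & 0x000F
    # A reply with no answer records (REFUSED, or a bare referral) is not open.
    is_open = ra and rcode == 0 and ancount > 0
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)), "answers": ancount, "open": is_open}

def check_server(server_ip, name="www.google.co.nz", timeout=3.0):
    """Send one query to server_ip:53 over UDP; None means no reply at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify(data)

# Constructed sample replies (header + question only; resource records are
# omitted because classify() inspects header fields alone).
QUESTION = build_query("www.google.co.nz")[12:]
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) + QUESTION

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_REFUSED))
```

After the allow-recursion change, a query from an outside address should come back with "open": False; from 127.0.0.1 or an allowed network it should still resolve.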
 

Author Comment

by:RoboTiger
ID: 39970473
Thank you for this...

I will try this in the next few days and get back.

Thanks again :)
0
 
LVL 61

Expert Comment

by:gheist
ID: 39970501
You can ask the reporter, saying you are not familiar with this server and that you think you fixed it, whether they can check if you did...
0
