Open Recursive Resolver - CentOS 5

Posted on 2014-04-01
Last Modified: 2014-08-13
Hi,

I hope someone can help?

I have been left with a Linux server that is hosted externally and has been exploited. The hosting company have notified me that this server has been powered off due to its condition and the fact that it violates their 'abuse policy'.

I have included, below, the reason for the issue that has caused the power off. I am not very well versed in Linux (in fact my level of knowledge is very basic).

I have been told that I need to rectify the problem and will be given a 30 minute window to resolve the issue. If it is resolved successfully then the server will be left powered on. If not it will be turned off again.

I have the ability to ssh onto the server as 'root' but what I need to know is really how I can switch off the 'recursive resolver' or how I can limit it so that it doesn't perform global requests etc.

The server is hosting a basic (static) website that needs to be back up and running as soon as possible.

I am not sure what the server is using for DNS - probably BIND (only because it used to be the 'de facto' DNS service on Linux) but will not know that until I get them to switch the server on.

Please could someone advise me as to what I need to do to locate and fix the issue.

The operating system installed on the server is CentOS 5.

The hosting company will not offer any technical support and the person who set up and previously maintained the server is no longer around.

Info from the hosting company abuse report:
You appear to be running an open recursive resolver at IP address *.*.*.* that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses fragmented on the wire.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (to not be an open resolver)
- To only serve domains that it is authoritative for (to not work as a recursive resolver)
- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)

Thanks!
Question by: RoboTiger


Expert Comment

by:gheist
ID: 39969921
allow-recursion { 127.0.0.1; };

Author Comment

by:RoboTiger
ID: 39970028
Thank you for your response gheist.

As I said, I am a novice to Linux and really wouldn't know where or how to make this change.

Is it something I can just enter from the command line as root? If so, does it update any previous settings for 'recursive'?

Accepted Solution

by:
gheist earned 500 total points
ID: 39970207
You have to change the file /etc/named.conf
# nano -w /etc/named.conf

inside options { HERE }

you need to restrict recursive access like before

i.e.
allow-recursion {127.0.0.1;X.Y.Z.0/24;};

Watch the semicolons (X.Y.Z.0/24 is a placeholder for your office network, if your office PCs use this DNS server)

then run
# named-checkconf -z

Once that says your configuration is OK

# service named restart


now check from another system (a home PC is good)

nslookup www.google.co.nz ip_of_your_dns

any result is bad
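The procedure in the accepted answer, as an added example that is not part of the original thread: the open options {} block next to the two corrected forms the abuse report asks for (restricted allow-recursion, or recursion off for an authoritative-only server), plus a small audit function that reports whether a named.conf still describes an open resolver. The file names, the 192.0.2.0/24 office network and the example.com zone are constructed placeholders; on the server the real file is /etc/named.conf.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows the weak and the
# corrected options {} block side by side and audits a named.conf for open
# recursion. Paths, the 192.0.2.0/24 office network and the zone name are
# constructed placeholders; on the server the real file is /etc/named.conf.

# Constructed "before" config: recursion on and no allow-recursion, so any
# host on the Internet can use this server as a recursive resolver.
OPEN_CONF='options {
    directory "/var/named";
    recursion yes;
};
zone "example.com" { type master; file "example.com.zone"; };
'

# Constructed "after" config (option 1 from the abuse report): recursion only
# for localhost and the office /24. 192.0.2.0/24 is a placeholder network.
FIXED_CONF='options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};
zone "example.com" { type master; file "example.com.zone"; };
'

# Constructed alternative (option 2 from the abuse report): answer only for
# the zones this server is authoritative for.
AUTH_ONLY_CONF='options {
    directory "/var/named";
    recursion no;
};
zone "example.com" { type master; file "example.com.zone"; };
'

# options_block FILE: print the options { ... } block with // and # comments
# stripped, so a commented-out allow-recursion line does not count as a fix.
options_block() {
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" |
        sed -n '/^[[:space:]]*options[[:space:]]*{/,/^[[:space:]]*};/p'
}

# audit_named_conf FILE: returns 0 if recursion is restricted or disabled,
# 1 if the file still describes an open resolver. Text heuristic only:
# "recursion no;" or an allow-recursion list that does not contain "any"
# counts as closed; acl names are not expanded.
audit_named_conf() {
    opts=$(options_block "$1")
    if printf '%s\n' "$opts" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo "$1: recursion disabled (authoritative-only)"
        return 0
    fi
    allow=$(printf '%s\n' "$opts" | grep -E '^[[:space:]]*allow-recursion[[:space:]]*\{' | head -n 1)
    if [ -z "$allow" ]; then
        echo "$1: OPEN RESOLVER - recursion on and no allow-recursion in options {}"
        return 1
    fi
    if printf '%s\n' "$allow" | grep -Eq '[{;[:space:]]any[[:space:]]*;'; then
        echo "$1: OPEN RESOLVER - allow-recursion includes any"
        return 1
    fi
    echo "$1: recursion restricted:$allow"
    return 0
}

# write_sample_confs DIR: write the three constructed configs into DIR.
write_sample_confs() {
    printf '%s' "$OPEN_CONF"      > "$1/open.conf"
    printf '%s' "$FIXED_CONF"     > "$1/fixed.conf"
    printf '%s' "$AUTH_ONLY_CONF" > "$1/authonly.conf"
}

# Stand-alone run: audit the three samples, then print the steps from the
# accepted answer to apply to the real file.
demo() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for f in "$dir"/open.conf "$dir"/fixed.conf "$dir"/authonly.conf; do
        audit_named_conf "$f" || true
    done
    rm -rf "$dir"
    echo "On the server: audit_named_conf /etc/named.conf; named-checkconf -z; service named restart"
}

demo
```

The audit only reads the options block, so an `allow-recursion { trusted; };` line is reported as restricted without checking what the `trusted` acl contains; look at the acl by hand in that case. The BIND shipped with CentOS 5 is the 9.3 series, which predates DNS Response Rate Limiting, so of the three options in the abuse report only the first two apply to this server. After `service named restart`, the external check from the answer (or `dig @ip_of_your_dns www.google.co.nz` from a home PC) must no longer return an address for the name; any response that resolves it means the server is still open.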

Author Comment

by:RoboTiger
ID: 39970473
Thank you for this...

I will try this in the next few days and get back.

Thanks again :)

Expert Comment

by:gheist
ID: 39970501
You can ask the reporter, saying you are not familiar with this server and that you think you fixed it, if they can check that you did...