Open Recursive Resolver - CentOS 5


I hope someone can help?

I have been left with a Linux server that is hosted externally and has been exploited. The hosting company have notified me that this server has been powered off due to its condition and the fact that it violates their 'abuse policy'.

I have included, below, the reason for the issue that has caused the power off. I am not very well versed in Linux (in fact my level of knowledge is very basic).

I have been told that I need to rectify the problem and will be given a 30 minute window to resolve the issue. If it is resolved successfully then the server will be left powered on. If not it will be turned off again.

I have the ability to ssh onto the server as 'root', but what I need to know is really how I can switch off the 'recursive resolver' or how I can limit it so that it doesn't perform global requests etc.

The server is hosting a basic (static) website that needs to be back up and running as soon as possible.

I am not sure what the server is using for DNS - probably BIND (only because it used to be the 'de facto' DNS service on Linux) but I will not know that until I get them to switch the server on.

Please could someone advise me as to what I need to do to locate and fix the issue.

The operating system installed on the server is CentOS 5.

The hosting company will not offer any technical support and the person who set up and previously maintained the server is no longer around.

Info from the hosting company abuse report:
You appear to be running an open recursive resolver at IP address *.*.*.* that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses fragmented on the wire.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (to not be an open resolver)
- To only serve domains that it is authoritative for (to not work as a recursive resolver)
- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)

gheist Commented:
You have to change file /etc/named.conf
# nano -w /etc/named.conf

inside options { HERE }

you need to restrict recursive access, like so:

allow-recursion { X.Y.Z.0/24; };

Watch the semicolons (X.Y.Z is a placeholder for the network your office PCs are on, if they use this DNS server)

then run
# named-checkconf -z

Once that says your configuration is OK

# service named restart

now check from another system (a home PC is good)

nslookup www.example.com ip_of_your_dns

any result is bad; in that case use

allow-recursion { none; };
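The procedure above, as an added worked example that is not part of gheist's answer or the original thread: the hardened options fragment for /etc/named.conf alongside the weak default, plus a small POSIX sh helper that classifies the output of dig run from an outside host, so the "any result is bad" check can be scripted rather than eyeballed. The file path, the X.Y.Z.0/24 office range and the dig sample outputs are placeholders and constructed data (assumptions), not taken from the server in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes BIND 9 with /etc/named.conf on
# CentOS 5; X.Y.Z.0/24 is a placeholder for the office network (assumption).

# 1. Fragment for the options { } block of /etc/named.conf.
#    The weak setting the abuse report describes is simply the ABSENCE of an
#    allow-recursion line: BIND then recurses for any client on the Internet.
NAMED_OPTIONS_FRAGMENT='
options {
    directory "/var/named";

    // Hardened: only localhost and the office range may recurse.
    allow-recursion { 127.0.0.1; X.Y.Z.0/24; };

    // For a box that only hosts a static website and has no DNS clients
    // of its own, use one of these instead:
    //     allow-recursion { none; };
    //     recursion no;
};
'
# On the server, after editing:   named-checkconf -z && service named restart

# 2. Classify `dig @<server> www.example.com A` output from an OUTSIDE host.
#    Prints OPEN (server recursed for us), CLOSED (refused or answered only
#    from its own zones, no "ra" flag) or UNKNOWN (not dig output / timeout).
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        REFUSED) echo CLOSED ;;
        NOERROR)
            # "ra" = recursion available for THIS client; an authoritative
            # answer for the server's own zone carries "aa" but no "ra".
            if [ "${answers:-0}" -gt 0 ] && printf '%s' " $flags " | grep -q ' ra '; then
                echo OPEN
            else
                echo CLOSED
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Usage from a home PC (needs network): check_resolver 203.0.113.5
check_resolver() {
    dig @"$1" www.example.com A +time=3 +tries=1 2>/dev/null | classify_dig_output
}

# 3. Constructed sample dig outputs (not captured from a real server).
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.  300  IN  A  192.0.2.10'

CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Authoritative answer for a zone the server hosts: fine, not open recursion.
AUTH_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.  3600  IN  A  192.0.2.20'

# Offline demo of the classifier on the constructed samples.
printf 'open sample:   '; printf '%s\n' "$OPEN_SAMPLE"   | classify_dig_output
printf 'closed sample: '; printf '%s\n' "$CLOSED_SAMPLE" | classify_dig_output
printf 'auth sample:   '; printf '%s\n' "$AUTH_SAMPLE"   | classify_dig_output
```

Run check_resolver from a host outside the server's own network, because allow-recursion is decided per client address: a test from the server itself or from the office range will still get answers after the fix and proves nothing. A CLOSED result while the server's own domain still resolves with an "aa" answer is exactly the state the abuse report asks for (serve only the zones you are authoritative for).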
RoboTiger (Author) Commented:
Thank you for your response gheist.

As I said I am a novice to Linux and really wouldn't know where or how to make this change.

Is it something I can just enter from the command line as root, and if so, does it update any previous settings for 'recursive'?
RoboTiger (Author) Commented:
Thank you for this...

I will try this in the next few days and get back.

Thanks again :)
You can ask the reporter, saying you are not familiar with this server and that you think you fixed it, whether they can check if you did...