Open Recursive Resolver - CentOS 5
Posted on 2014-04-01
I hope someone can help?
I have been left with a Linux server that is hosted externally and has been exploited. The hosting company have notified me that this server has been powered off due to its condition and the fact that it violates their 'abuse policy'.
I have included, below, the reason for the issue that has caused the power off. I am not very well versed in Linux (in fact my level of knowledge is very basic).
I have been told that that I need to rectify the problem and will be given a 30 minute window to resolve the issue. If it is resolved successfully then the server will be left powered on. If not it will be turned off again.
I have the ability to ssh onto the server as 'root' but what i need to know is really how I can switch off the 'recursive resolver' or how I can limit it so that it doesn't perform global requests etc.
The server is hosting a basic (static) website that needs to be back up and running as soon as possible.
I am not sure what the server is using for DNS - probably BIND (only because it used to be the 'defacto DNS service on Linux) but will not know that until I get them to switch the server on.
Please could someone advise me as to what I need to do to locate and fix the issue.
The operating System installed on the server is CentOS 5
The hosting company will not offer any technical support and the person who set up and previously maintained the server is no longer around.
Info from the hosting company abuse report:
You appear to be running an open recursive resolver at IP address *.*.*.* that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses fragmented on the wire.
Please consider reconfiguring your resolver in one or more of these ways:
- To only serve your customers and not respond to outside IP addresses (to not be an open resolver)
- To only serve domains that it is authoritative for (to not work as a recursive resolver)
- To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL)