How to Disable External DNS recursion

Discussion in 'Tutorials and Guides' started by TruvisT, May 31, 2013.

  1. TruvisT

    TruvisT Server Management Specialist Verified Provider

    May 16, 2013
    This I know plagues a lot of default CPanel setups and can fill your syslog up fast and waste system resources, so this is one way to end it.

    Note: There are many ways to do this, but it comes down to how your DNS is set up, but this works in most cases.

    Tired of your DNS servers being hit by hacked DNS servers? Add the following under options:


    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    This is a CPanel example:

    view "external" {
        /* This view will contain zones you want to serve only to "external" clients
         * that have addresses that are not on your directly attached LAN interface subnets:
         */
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
        // the zone statements for this view follow here (omitted in this excerpt)
    };
    Example 2:

    // global options apply to external clients
    options {
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
    };
    view "local" in {
        // view options enable recursion only for local clients
        match-clients { 172.16.45.80/23; 192.168.12.0/24; 127.0.0.1/8; ::1; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        zone "." in {
            type hint;
            file "/etc/bind/db.root";
        };
        // put definitions for zones like "localhost" and "127.in-addr.arpa" here
    };
    // put definitions for real authoritative zones in a further view (for example "external");
    // once any view is defined, BIND requires every zone to live inside a view.
    SRC: http://blog.solidshellsecurity.com/2013/05/30/disable-external-dns-recursion-view-external-query-cache-domain-comain-denied/
     
    Last edited by a moderator: Jun 1, 2013
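    As an added check that is not part of the original post: a small Python linter that reads a named.conf laid out the way the examples above are (global options plus views) and flags every options or view block that does not say `recursion no` and whose client ACL is not purely local. The two config fragments are constructed for the example; named ACLs and TSIG keys are treated as "not proven local", and `match-clients` is read as the ACL when no `allow-recursion` is present, which is an assumption of this check, not BIND semantics.

```python
import ipaddress
import re

# Constructed named.conf fragments (not from a real server); GOOD_CONF mirrors the thread's layout.
GOOD_CONF = """
options { recursion no; additional-from-auth no; additional-from-cache no; };
view "local" in {
    match-clients { 172.16.45.80/23; 192.168.12.0/24; 127.0.0.1/8; ::1; };  // LAN + loopback
    recursion yes;
    zone "." in { type hint; file "/etc/bind/db.root"; };
};
"""
# BAD_CONF never says "recursion no" (BIND's default is yes) and opens a view to anyone.
BAD_CONF = 'options { directory "/var/named"; };\nview "external" { match-clients { any; }; recursion yes; };'

def top_level_blocks(text):
    """Return (header, body) for each top-level { ... } block, honouring nested braces."""
    text = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', text, flags=re.S)  # drop comments first
    blocks, depth, hdr_start, body_start = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == '{':
            body_start = i + 1 if depth == 0 else body_start
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                header = text[hdr_start:body_start - 1].strip(' \t\n;')
                blocks.append((header, text[body_start:i]))
                hdr_start = i + 1
    return blocks

def client_is_local(entry):
    """True for loopback, RFC 1918 and ULA networks and BIND's built-in local ACLs."""
    if entry in ('localhost', 'localnets'):
        return True
    try:
        return ipaddress.ip_network(entry, strict=False).is_private
    except ValueError:
        return False  # 'any', named ACLs, TSIG keys: not proven local

def audit_recursion(conf):
    """List blocks lacking an explicit 'recursion no' whose client ACL is not purely local."""
    findings = []
    for header, body in top_level_blocks(conf):
        m = re.search(r'\brecursion\s+(yes|no)\s*;', body)
        if m and m.group(1) == 'no':
            continue  # explicitly closed, as the thread recommends for external clients
        acl = re.search(r'(?:allow-recursion|match-clients)\s*\{([^}]*)\}', body)
        clients = [c.strip() for c in acl.group(1).split(';') if c.strip()] if acl else ['any']
        exposed = [c for c in clients if not client_is_local(c)]
        if exposed:
            findings.append(f'{header}: recursion enabled for {", ".join(exposed)}')
    return findings
```

    Run `audit_recursion(open('/etc/named.conf').read())` on your own config; an empty list means every block either refuses recursion outright or limits it to local networks.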
  2. ftpit

    ftpit New Member

    May 31, 2013
    Great travis :)
     
  3. TruvisT

    TruvisT Server Management Specialist Verified Provider

    May 16, 2013
    Thanks.

    Going to throw this in as well:

    # record every UDP/53 source in the "dnslimit" list, then drop a source that exceeds 10 packets in 60 seconds
    iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
    iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 60 --hitcount 11 --name dnslimit -j DROP
    That can be edited as required to drop attacks on 53.
     