
How to Disable External DNS recursion

TruvisT

Server Management Specialist
Verified Provider
This I know plagues a lot of default CPanel setups and can fill your syslog up fast and waste system resources, so this is one way to end it.
 
Note: There are many ways to do this, but it comes down to how your DNS is set up, but this works in most cases.
 
 
 

Tired of your DNS servers being hit by hacked DNS servers? Add the following under options:


recursion no;
additional-from-auth no;
additional-from-cache no;
This is a CPanel example:


view "external" {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    // existing zone definitions for this view stay here
};
Example 2:


// global options apply to external clients
options {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
};
view "local" in {
    // view options enable recursion only for local clients
    // prefixes are written as network addresses; named rejects a prefix with host bits set
    match-clients { 172.16.44.0/23; 192.168.12.0/24; 127.0.0.0/8; ::1; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    zone "." in {
        type hint;
        file "/etc/bind/db.root";
    };
    // put definitions for zones like "localhost" and "127.in-addr.arpa" here
};
// put definitions for real authoritative zones here.
SRC: http://blog.solidshellsecurity.com/2013/05/30/disable-external-dns-recursion-view-external-query-cache-domain-comain-denied/
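To confirm the settings above took effect, query the server from a host outside the local ranges and read the response header: a server that still offers recursion sets the `ra` flag. This is an added example, not part of the original post; `classify_recursion`, `check_server` and the two sample headers are constructed for illustration, and `example.com` stands in for any name the server is not authoritative for.

```shell
#!/bin/sh
# Added example: decide from dig output whether a server offers recursion.
# Reads dig output on stdin; prints "open <status>", "closed <status>" or "unknown".
classify_recursion() {
    awk '
        /^;; ->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
            seen = 1
            for (i = 3; i <= NF; i++) {
                f = $i
                last = (f ~ /;$/)       # the flag list ends at the first ";"
                sub(/;$/, "", f)
                if (f == "ra") ra = 1   # ra = recursion available
                if (last) break
            }
        }
        END {
            if (!seen) print "unknown"
            else print (ra ? "open" : "closed"), status
        }'
}

# Run the check against a live server (hypothetical helper; needs dig installed).
# usage: check_server <server-ip> [name-the-server-is-not-authoritative-for]
check_server() {
    dig @"$1" "${2:-example.com}" A +time=2 +tries=1 | classify_recursion
}

# Constructed sample headers, not captured from a real server.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# When called with arguments, check that server; otherwise only define the functions.
[ "$#" -eq 0 ] || check_server "$@"
```

Run it from an address that is not in `match-clients`; a client inside those ranges is expected to see `open`.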
 

TruvisT

Server Management Specialist
Verified Provider
Great travis :)
Thanks.

Going to throw this in as well:


iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 60 --hitcount 11 --name dnslimit -j DROP
That can be edited as required to drop attacks on 53.
 