[ale] cacheing DNS?

Michael H. Warfield mhw at WittsEnd.com
Wed May 9 16:02:50 EDT 2012


On Wed, 2012-05-09 at 12:22 -0500, John Heim wrote:
> From: "Leam Hall" <leamhall at gmail.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Tuesday, May 08, 2012 5:00 PM
> Subject: Re: [ale] cacheing DNS?


> > On 05/08/2012 05:46 PM, John Heim wrote:
> >> I'm confused about caching DNS and recursion. I keep reading that best
> >> practice is to not use the same dns servers for the machines on your LAN as
> >> you do for those outside your LAN. So if I'm the admin of example.org and if
> >> I want redundant DNS servers for both internal and external queries, do I
> >> have to run four DNS servers?  Do people really do that?
> >>
> >
> > Hey John,
> >
> > I think the normal process is to have your DNS servers also cache
> > external info.

Caching and recursion are two orthogonal issues.  Don't mix them up.  An
open resolver is referring to recursion.

> That's what I'm doing. But I got a message that says I'm running an open 
> resolver.  If I really am running an open resolver, I don't want to publish 
> the IP address here.  So I changed its IP in the text below. But the text 
> below shows that if I'm outside our own LAN and if I direct a lookup at my 
> DNS server, it refuses to answer.  Yet, 
> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl says I'm 
> running an open resolver.

If your server truly is an open resolver then those that would want to
know (that you DON'T want to know) already know.  :-P

> $ host lambeau.. 11.22.33.44
> Using domain server:
> Name: 11.22.33.44
> Address: 11.22.33.44#53
> Aliases:

> Host lambeau.johnheim.net not found: 5(REFUSED)

I'm not totally sure I would trust the host command for testing this.  I
would probably use dig and a variety of tests.  The openresolvercheck
site is looking to see if your server is sending a packet to their
server when they make a very specific test request.  It's possible too,
that they could have sent a spoofed packet back to your server to test it.
Maybe spoof the UDP request to look like it's from the address of your
server itself.  Then it recursively sends a resolution request over to
them and rings the bell.

> So apparently, I don't understand what an open resolver is.  It does not 
> look as if you can use my DNS server to do an external lookup from outside. 
> It works from inside, on our own LAN, of course.

It's not about if someone can do an external lookup.  The real concern
is if they can trick your server into recursively forwarding requests to
other servers which could then be exploited to launch DDoS attacks.
It's a kind of a complicated process, actually.  If you COULD do a
foreign lookup through your server, that would be a positive indication
that you ARE running an open resolver, but the appearance that you can't
is, unfortunately, not proof positive that you aren't.

> I understand that if you're on hacker.net,  you shouldn't be able to direct 
> a name lookup for example.com to a server at bogus.org. But according to my 
> results posted above, you can't do that. So why then is my DNS server 
> regarded as "open"?

Because they sent a test packet to your name server and it recursively
queried their name server sending them a packet.  What, exactly, was in
that request, I don't know.  I just tested my name server and it said it
was closed, as it should.

What name server software are you using and, if it's "bind" what is the
setting for "allow-recursion"?

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
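An added example, not from the thread or from BIND's own tooling, of the two checks Mike suggests: classifying a dig reply for a name outside your own zones (the `ra` flag tells you whether the server recursed for you, `REFUSED` is what the `host` output above showed), and reading the `allow-recursion` setting out of a named.conf `options` block. It assumes `dig` (dnsutils/bind-utils) is installed for the live probe; the dig output and named.conf fragments embedded in the script are constructed samples, and the 192.0.2.0/24 range is a placeholder for your LAN. As Mike says, a refused reply from outside is not proof positive, so the config check is the one to trust.

```shell
#!/bin/sh
# Added example (not part of the ale thread). Checks a BIND resolver for
# open recursion from two sides: the wire (dig) and the configuration.

# classify_dig_output: read one dig reply on stdin and print a verdict.
#   open          - status NOERROR/NXDOMAIN with 'ra' set and no 'aa':
#                   the server recursed for us on a name it does not host
#   refused       - status REFUSED: recursion denied (host's 5(REFUSED))
#   authoritative - 'aa' set: the name is in the server's own zone, so the
#                   reply says nothing about recursion; pick another name
#   closed        - answered without 'ra' (recursion off for this client)
#   unknown       - timeout, no reply, or unparseable output
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | sed 1q)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | sed 1q)
    case "$status" in
        REFUSED) echo refused ;;
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" aa "*) echo authoritative ;;
                *" ra "*) echo open ;;
                *)        echo closed ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# probe_resolver SERVER NAME: ask SERVER for NAME (choose a name outside
# your own zones) with recursion desired, then classify the reply.
# Run it from outside your LAN as well as inside; the two should differ.
probe_resolver() {
    dig +tries=1 +time=3 +recurse @"$1" "$2" A 2>/dev/null | classify_dig_output
}

# check_named_conf: read a named.conf on stdin and report allow-recursion.
#   absent     - not set; the default depends on the BIND release (early
#                BIND 9 recursed for everyone, later releases default to
#                localnets/localhost), so set it explicitly
#   any        - allow-recursion { any; }: recursion for the whole world
#   restricted - an ACL or address list: recursion only for listed clients
check_named_conf() {
    line=$(sed -n 's/^[[:space:]]*allow-recursion[[:space:]]*{\(.*\)}.*/\1/p' | sed 1q)
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    for tok in $(printf '%s' "$line" | tr ';' ' '); do
        [ "$tok" = any ] && { echo any; return 0; }
    done
    echo restricted
}

# Constructed sample dig headers (shaped like real dig output).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Constructed named.conf fragments: the weak setting and the corrected one.
NAMED_CONF_WEAK='options {
    directory "/var/named";
    allow-recursion { any; };
};'
NAMED_CONF_HARDENED='acl "lan" { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/named";
    allow-recursion { lan; };
};'

# Stand-alone demo over the constructed samples (no network needed).
demo() {
    printf 'open sample:      %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | classify_dig_output)"
    printf 'refused sample:   %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output)"
    printf 'auth sample:      %s\n' "$(printf '%s\n' "$SAMPLE_AUTH" | classify_dig_output)"
    printf 'timeout sample:   %s\n' "$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output)"
    printf 'weak named.conf:  %s\n' "$(printf '%s\n' "$NAMED_CONF_WEAK" | check_named_conf)"
    printf 'fixed named.conf: %s\n' "$(printf '%s\n' "$NAMED_CONF_HARDENED" | check_named_conf)"
}
```

For a live check, `probe_resolver 11.22.33.44 www.example.com` from a host outside the LAN should print `refused` or `closed`, and `check_named_conf < /etc/named.conf` should print `restricted`; an `open` or `any` result is the condition the openresolvercheck page is flagging.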