DNSstuff reports open DNS

Remco Rijnders remco at webconquest.com
Sat Jun 21 05:37:18 EDT 2008


On 21 Jun 2008, at 02:12, Lloyd Thomas wrote:

> I am testing out maraDNS on my windows box to replace SimpleDNS. I think
> I am having a problem with my setup of maraDNS advertising itself as an
> open DNS server. I am using dnsstuff.com to test the server. The full
> text of the problem is below. Any help appreciated.
>
> ----------------------------------------
> ERROR: One or more of your nameservers reports that it is an open DNS
> server. This usually means that anyone in the world can query it for
> domains it is not authoritative for (it is possible that the DNS server
> advertises that it does recursive lookups when it does not, but that
> shouldn't happen). This can cause an excessive load on your DNS server.
> Also, it is strongly discouraged to have a DNS server be both
> authoritative for your domain and be recursive (even if it is not open),
> due to the potential for cache poisoning (with no recursion, there is no
> cache, and it is impossible to poison it). Also, the bad guys could use
> your DNS server as part of an attack, by forging their IP address.
> Problem record(s) are:
> -------------------------------------------------

Hi Lloyd,

In this case it looks like you've set maradns up as both a recursive
resolver (able to resolve DNS for zones you are not authoritative for)
as well as being an authoritative server (since you're using
dnsstuff.com to test your server). Is this correct and what you intend
to do?

If you want to use maradns to look up addresses but restrict it to a  
certain (set) of IP addresses, you can do something like this in your  
mararc file:

ipv4_alias = {}
ipv4_alias["localhost"] = "127.0.0.0/8"
recursive_acl = "localhost"

This will tell mara to only resolve recursive queries coming from
your local computer.

Please see http://www.maradns.org/tutorial/man.mararc.html for more  
information on how to set this up.

> I also have a problem with the following error report as well
>
> ----------------------------------------------
> WARNING: One or more of your DNS servers does not accept TCP
> connections. Although rarely used, TCP connections are occasionally
> used instead of UDP connections. When firewalls block the TCP DNS
> connections, it can cause hard-to-diagnose problems. The problem
> servers are:
>
> 85.234.142.68: Error [Connection refused (10061)]
> ----------------------------------------------------

This is not an error but a warning, and one that can safely be ignored  
at that. Maradns doesn't use TCP but only UDP for its normal use. Only  
when you are running the zoneserver will that bind to the TCP port.  
DNS should work fine as it is for you even with this warning present.

Kind regards,

Remco
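As an added example (not code from this thread or from MaraDNS itself), here is a small Python check for the condition dnsstuff.com reports: it sends an RD=1 query for a name the server is not authoritative for and classifies the reply by its RA bit, RCODE and answer count. The sample replies, transaction ID 0x1234 and the name example.com are constructed for offline use; check_resolver is meant for a server you operate yourself, e.g. to confirm the recursive_acl change took effect.

```python
import socket
import struct

def build_query(qname, txid=0x1234):
    """Build a recursive (RD=1) IN A query for qname, as a client like dnsstuff would."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set, one question
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN

def classify_response(resp, txid):
    """'open' if the server recursed for us and answered, 'closed' if it refused or did not."""
    if len(resp) < 12:
        return "unknown"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:        # not a reply to our transaction
        return "unknown"
    ra = bool(flags & 0x0080)                    # Recursion Available bit
    rcode = flags & 0x000F
    if ra and rcode == 0 and ancount > 0:
        return "open"
    return "closed"

def check_resolver(server, qname="example.com.", timeout=3.0):
    """Send the query to a server you operate over UDP/53 and classify its reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "unknown"
    return classify_response(resp, txid)

# Constructed sample replies (not captured from a real server) for offline use.
_QUESTION = build_query("example.com.")[12:]
# Flags 0x8180: QR, RD, RA set, NOERROR, one A record: what an open resolver returns.
OPEN_SAMPLE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
               + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
# Flags 0x8105: QR, RD set, RA clear, RCODE=5 REFUSED: recursion denied to this client.
CLOSED_SAMPLE = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("open sample   ->", classify_response(OPEN_SAMPLE, 0x1234))    # open
    print("closed sample ->", classify_response(CLOSED_SAMPLE, 0x1234))  # closed
```

With the recursive_acl above in place, a query from an address outside 127.0.0.0/8 should classify as "closed", while one from the local machine still resolves.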
