Resolve DNS Misconfiguration abuse complaint

user1086010 asked:

Today I received an abuse complaint about my DNS server.

Translation courtesy of Froggiz

Hi,

CERT-FR has been informed by one of its partners that one or more of the domain name servers (DNS) listed below do not validate the source IP address when the AXFR zone transfer protocol is used:

ID,Domain,Name server,IP address,Country
329872,mydomain.com,ns1.mydomain.com.,101.51.251.156,FR
329872,mydomain.com,ns2.mydomain.com.,101.51.251.156,FR

Consequently, anyone is able to retrieve all of the DNS records of the domain(s) hosted on these name servers.

You can find more information and help at the following link: http://www.cert.ssi.gouv.fr/site/CERTA-2012-ACT-048/CERTA-2012-ACT-048.html

It is your responsibility to verify the accuracy of this information and to take appropriate corrective measures.

CERT-FR remains at your disposal for any further information or advice.

Here is the original complaint; it is in French (translated here):

Hello,
CERT-FR has been informed by one of its partners that the name server(s)
(DNS) listed below do not validate the source IP address when the AXFR
zone transfer protocol is used:
ID,Domain,Name server,IP address,Country
329872,mydomain.com,ns1.mydomain.com.,101.51.251.156,FR
329872,mydomain.com,ns2.mydomain.com.,101.51.251.156,FR
Consequently, anyone is able to retrieve all of the DNS information for
the domain(s) hosted on this/these name server(s).
You can find further information at the following link:
http://www.cert.ssi.gouv.fr/site/CERTA-2012-ACT-048/CERTA-2012-ACT-048.html
It is your responsibility to verify the accuracy of this information and
to take appropriate corrective measures.
CERT-FR remains at your disposal for any further information or advice.
Regards,

On my DNS server I am using BIND 9:

Here is my BIND configuration:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 101.51.251.156;}; ### Master DNS IP ###
#    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };   ### any; is correct for an authoritative-only server ###
    // allow-recursion { none; };
    // allow-transfer { localhost; 101.51.251.156; };   ### Slave DNS IP ###
    // NOTE: with allow-transfer commented out, this BIND version falls back to its
    // default of allowing AXFR from any host, which is what CERT-FR reported.

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "mydomain.com" IN {
    type master;
    file "mydomain.com.zone";
    allow-update { none; };
};



include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

And my zone file:

$TTL 86400
@   IN  SOA ns1.mydomain.com. admin.mydomain.com. (
            2010062801 ; Serial
            10800      ; Refresh
            3600       ; Retry
            604800     ; Expire
            86400      ; Minimum
)

mydomain.com.       IN  NS  ns1.mydomain.com.
mydomain.com.       IN  NS  ns2.mydomain.com.
mydomain.com.       IN  A   101.51.251.156
ns1.mydomain.com.   IN  A   101.51.251.156
ns2.mydomain.com.   IN  A   101.51.251.156
www.mydomain.com.   IN  A   101.51.251.156
ftp.mydomain.com.   IN  A   101.51.251.156
mail.mydomain.com.  IN  A   101.51.251.156
*.mydomain.com.     IN  A   101.51.251.156
mydomain.com.       IN  MX  10 mail.mydomain.com.

I want to know what I did wrong, and what I should do to resolve this issue.

Thanks in advance.

My answer:


You've removed the allow-transfer directive from your configuration, so anyone in the world can download your entire zone file.

Whether this is a problem depends on whether you have a need to keep this information private.
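A check for the open zone transfer the complaint describes, together with the allow-transfer stanza that closes it, as an added example that is not part of the original question or answer. It assumes `dig` (bind-utils / dnsutils) is installed for the live query; the sample dig outputs inside the block are constructed, not captured from the poster's server, and the address 203.0.113.2 used below is a placeholder for a real secondary.

```shell
#!/bin/sh
# Added example (not from the original post): check a name server for an open
# AXFR and emit the allow-transfer stanza that closes it.
# Assumption: `dig` from bind-utils/dnsutils is installed for the live check;
# the parsing helpers below work on captured text and need no network.

# Classify the output of `dig @server zone AXFR`:
#   unreachable - nothing answered on TCP/53
#   refused     - the server answered but denied the transfer (what you want)
#   open        - the server handed over the zone (the CERT-FR finding)
classify_axfr() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq 'communications error|no servers could be reached'; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[^;[:space:]].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo open
    else
        echo unknown
    fi
}

# Count the resource records dig printed (non-comment, non-indented lines);
# for an open zone this is how many records the requester just received.
count_axfr_records() {
    printf '%s\n' "$1" | grep -Ec '^[^;[:space:]]' || true
}

# Live check: run the real query and return non-zero if the zone is open.
check_axfr() {
    ns="$1"; zone="$2"
    out="$(dig +time=5 +tries=1 "@$ns" "$zone" AXFR 2>&1)" || true
    verdict="$(classify_axfr "$out")"
    echo "$ns / $zone: $verdict ($(count_axfr_records "$out") records returned)"
    [ "$verdict" != open ]
}

# named.conf `options` fragment that closes the hole: only localhost and the
# secondaries given as arguments may transfer. A single-server setup like the
# one in the question passes no arguments. A TSIG key (`tsig-keygen xfer`,
# then `allow-transfer { key xfer; };`) is stronger than an IP list because it
# authenticates the requester rather than its address, but the IP ACL alone
# already clears the CERT-FR report.
hardened_transfer_acl() {
    acl="localhost;"
    for ip in "$@"; do acl="$acl $ip;"; done
    cat <<EOF
options {
    // ... existing options unchanged ...
    allow-transfer { $acl };   ### hosts allowed to AXFR ###
};
EOF
}

# Constructed sample outputs (not captured from any real server) so the parser
# can be exercised offline.
SAMPLE_OPEN='; <<>> DiG 9.16.1 <<>> @101.51.251.156 mydomain.com AXFR
;; global options: +cmd
mydomain.com.        86400  IN  SOA  ns1.mydomain.com. admin.mydomain.com. 2010062801 10800 3600 604800 86400
mydomain.com.        86400  IN  NS   ns1.mydomain.com.
www.mydomain.com.    86400  IN  A    101.51.251.156
mydomain.com.        86400  IN  SOA  ns1.mydomain.com. admin.mydomain.com. 2010062801 10800 3600 604800 86400
;; Query time: 3 msec
;; XFR size: 4 records (messages 1, bytes 196)'
SAMPLE_REFUSED='; <<>> DiG 9.16.1 <<>> @101.51.251.156 mydomain.com AXFR
;; global options: +cmd
; Transfer failed.'
SAMPLE_TIMEOUT='; <<>> DiG 9.16.1 <<>> @192.0.2.1 mydomain.com AXFR
;; global options: +cmd
;; connection timed out; no servers could be reached'

# Usage: sh axfr-check.sh ns1.mydomain.com mydomain.com
if [ "$#" -eq 2 ]; then
    check_axfr "$1" "$2"
fi
```

Run `sh axfr-check.sh ns1.mydomain.com mydomain.com` before and after the change: a server that still hands out the zone is reported as `open`, a fixed one answers `Transfer failed.` and is reported as `refused`. After adding the allow-transfer line to named.conf, validate the file with `named-checkconf` and apply it with `rndc reconfig`. Note that ns2.mydomain.com in the question points at the same address as ns1, so there is no real secondary to list; `allow-transfer { localhost; };` is enough until a second host exists.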


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.