A DNS server left with open recursion enabled can be abused to attack other networks. This
typically happens when the default settings of the DNS service are not adjusted after installation.
A third party with malicious intent can use such a server to launch Distributed Denial of Service
(DDoS) attacks (DNS amplification). This can be prevented by adjusting your DNS settings. Choose
your operating system (Windows or Linux) and follow the instructions below:
Windows
Then rename the 'root hints cache file' so that the root zones can no longer be referenced and
used for DNS amplification attacks:
Plesk
Linux
Edit the file /etc/named.conf and change the variables below in the "options{" section to secure
your DNS service:
version "unknown";
allow-transfer {none;};
allow-recursion {none;};
allow-query-cache {none;}; // for BIND 9.4+
recursion no;
additional-from-cache no;
Once these modifications are complete, you must restart the DNS service.
If you must use DNS recursion to provide service to your customers, iWeb requires that you
restrict the usage scope to localhost, localnets, and/or your customers' IP ranges.
Windows servers running DNS with open recursion can use the Windows firewall to limit access to
the DNS service and prevent it from being exploited.
2) From the Start menu, click Run, and enter the following command:
notepad "%plesk_dir%dns\etc\named.user.conf"
4) Save and close the file. The options settings will look like:
5) Restart "named" service. From the Start menu, as administrator, click Run and run "cmd",
then type the following command in the command prompt:
Other BIND advanced settings under Linux (allowing localhost, localnets and specific IPs)
acl "trusted"{
192.168.0.0/16; // change IPs as required
xx.15.128.0/19; // change IPs as required
localhost;
localnets;
};
options{
...
allow-query { trusted; }; // use any instead of trusted only if necessary
allow-transfer { trusted; };
allow-recursion { trusted; };
allow-query-cache { trusted; }; // for BIND 9.4+
additional-from-cache no;
...
};
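A way to verify the change after restarting named (or the Windows/Plesk DNS service), added here as an example that is not part of the iWeb article: the script below sends one recursive query for a name the server is not authoritative for and reports whether the reply shows open recursion. The helper names build_query, classify_response and probe, and the two sample replies, are my own constructions and are not provided by the page.

```python
import random
import socket
import struct
from typing import Optional

RA_FLAG = 0x0080     # "recursion available" bit in the DNS header flags
RCODE_MASK = 0x000F  # low four bits of the flags word carry the response code

def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query with RD set; qtype 1 = A, class 1 = IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(resp: bytes) -> dict:
    """Decode the header. A server that sets RA and returns answers for a name it
    is not authoritative for is an open resolver; after the hardening above BIND
    typically replies REFUSED (rcode 5) with RA clear and no answer records."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & RA_FLAG)
    rcode = flags & RCODE_MASK
    return {"txid": txid, "ra": ra, "rcode": rcode, "answers": an,
            "open_recursion": ra and rcode == 0 and an > 0}

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one recursive UDP query to server:53 and classify the reply. Use a
    name the server is NOT authoritative for, or an answer proves nothing."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    result = classify_response(resp)
    if result["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    return result

# Constructed sample replies (not captured from any real server) so the parser
# can be exercised offline; both echo the question example.com/A, txid 0x1234.
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
# flags 0x8180 = QR|RD|RA, rcode 0, one A record (192.0.2.1): open resolver.
OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                 + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
# flags 0x8105 = QR|RD, RA clear, rcode 5 (REFUSED), no answers: hardened server.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
```

Run probe("192.0.2.1") with your own server's address in place of that documentation-range placeholder; after the settings above are applied, open_recursion should be False (typically rcode 5).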