When a domain entered in dnsreport.com it shows following error related to Open DNS servers.

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn’t happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server xxx.xxx.xxx.x reports that it will do recursive lookups. [test]
Server xxx.xxx.xxx.x reports that it will do recursive lookups. [test]

The open dns issue can be resolved by editing /etc/named.conf on the server & by adding “recursion no;” to this file.

include “/etc/rndc.key”;

controls {
inet 127.0.0.1 allow { localhost; } keys { “rndckey”; };
};

//
// named.conf for Red Hat caching-nameserver
//

options {
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
recursion no;
};

Related Posts:

• No Related Posts