BIND recursion on by default, can be used for DDoS attacks!

This thread is more a notice to people to check their DNS server.

As you might have noticed or heard, a lot of DDoS attacks these days are done by using DNS. If you want to check if your server is vulnerable, use this URL: https://isc.sans.edu/dnstest.html

By default DirectAdmin allows recursion to everyone around the world, which leads to botnets abusing your DNS servers by spoofing IPs and sending DNS requests to your server.

For more info take a look at these links:

http://www.secureworks.com/research/…amplification/
http://isc.sans.org/diary.html?storyid=5713
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
https://www.dns-oarc.net/oarc/articl…idered-harmful

When using DirectAdmin, and no other servers use this as a DNS resolver, put this in your /etc/bind/named.conf.options:

allow-recursion {
    127.0.0.1;
};

This will allow the localhost to do DNS lookups using your server; everything else is denied.

I noticed the latest BIND versions don’t do this by default, can someone confirm this?

Kr,
Bram
