Open DNS Servers

What does it mean?

An open DNS server (usually called an open resolver) is a DNS server that answers recursive queries from anyone on the Internet, not just from the clients it is meant to serve. An authoritative DNS server should only answer for the zones it is responsible for. Because a small UDP query can produce a much larger reply, open resolvers are routinely abused as reflectors in amplification DDoS attacks against third parties, and they expose your cache to poisoning attempts from anywhere. For instance, our sagonet.com servers will give you answers about sagonet.com:

$ #This is me asking ns1.sagonet.com about sagonet.com
$ host sagonet.com ns1.sagonet.com
sagonet.com has address 65.110.32.145

However, they will not answer for google.com:

$ #ns1.sagonet.com doesn't tell you about google.com, and it shouldn't
$ host google.com ns1.sagonet.com
google.com A record currently not present at ns1.sagonet.com

And neither should yours, unless you are deliberately running a recursive (caching) resolver for your own clients. Even then, allow recursion only from those clients' addresses, never from the whole Internet.

Closing Open DNS Servers with BIND

1) Log in to your server and become root (su -).

2) Edit /etc/named.conf:

# vi /etc/named.conf

Look for the key statement, which looks something like:

key "rndckey" { };

Directly after it, and in any case before the options block (BIND requires an acl to be defined before it is referenced), add the following, replacing mainIP and secondaryIP with the addresses of your own nameservers, for example the secondary that pulls zone transfers from this host. 127.0.0.1 keeps local tools such as rndc and host working:

acl "trusted" { mainIP; secondaryIP; 127.0.0.1; };


3) Now restrict the sensitive functions to that acl. In the options block add:

allow-recursion { trusted; };

allow-notify { trusted; };

allow-transfer { trusted; };

allow-recursion controls who may use this server to resolve names it is not authoritative for; this is the setting that closes the open resolver. allow-notify controls which hosts may send NOTIFY messages for zones this server is secondary for, so that a stranger cannot trigger transfers or zone reloads. allow-transfer controls who may pull a complete copy of your zones (AXFR/IXFR); leaving it open discloses every record you host to anyone who asks. If this server serves no clients at all, the simpler alternative to allow-recursion is to set recursion no; in the options block, which disables recursion entirely.


So the final result looks something like:

options {
        directory "/var/named";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

4) Save the changes. Run named-checkconf first to catch a typo (a syntax error here leaves named unable to start, which takes your zones offline), then restart the service: service named restart

5) Recheck your server with an external open-resolver test such as the one at dnsreport.com, or query it from outside your network for a name you do not host: it should refuse the query (or at most hand back a referral) rather than return a resolved answer. Testing with a name from your own zones proves nothing, because an authoritative answer is returned regardless of the recursion settings.
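For that last check, the following is an added shell script, not part of the original article, that classifies dig's reply to a recursion-desired query for a name the server does not host. The classifier (classify_dig_output) is exercised on constructed sample output embedded in the script, so it runs without network access; probe_server performs a live query and needs dig on the path. The default probe name example.org and the server names appearing in the samples are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a nameserver
# is an open resolver by asking it for a name it is NOT authoritative for and
# inspecting the header dig prints. Only sed/head are needed to classify;
# dig is needed only for a live probe.

# classify_dig_output TEXT
# Prints one of:
#   open           status NOERROR, "ra" (recursion available) set, answers present
#   authoritative  "aa" set: the name belongs to a zone this server hosts, so the
#                  reply says nothing about recursion; probe with another name
#   closed         REFUSED, or no "ra" flag (referral or empty reply)
#   unknown        no header at all (timeout, unreachable, name resolution error)
classify_dig_output() {
    text="$1"
    status=$(printf '%s\n' "$text" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$text" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$text" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)

    if [ -z "$status" ]; then
        echo unknown
        return 0
    fi
    # An authoritative answer proves nothing either way.
    case " $flags " in
        *" aa "*) echo authoritative; return 0 ;;
    esac
    if [ "$status" = NOERROR ]; then
        case " $flags " in
            *" ra "*)
                if [ "${answers:-0}" -gt 0 ]; then
                    echo open
                    return 0
                fi ;;
        esac
    fi
    echo closed
}

# probe_server SERVER [NAME]
# Live check: send a normal (recursion-desired) query for a name the server
# should not host. example.org is an assumed default; any external name works.
# Exit status is non-zero when the server is open, so it can gate a cron job.
probe_server() {
    server="$1"
    name="${2:-example.org}"
    out=$(dig @"$server" "$name" A +time=3 +tries=1 2>&1)
    verdict=$(classify_dig_output "$out")
    printf '%s: %s\n' "$server" "$verdict"
    [ "$verdict" != open ]
}

# Constructed sample outputs, shaped like dig's header lines (not captured
# from any real server); they drive the offline self-check below.
SAMPLE_OPEN='; <<>> DiG 9.16.1 <<>> @ns.example.net example.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CLOSED='; <<>> DiG 9.16.1 <<>> @ns.example.net example.org A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23456
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Older BIND releases handed back a root referral instead of REFUSED.
SAMPLE_REFERRAL='; <<>> DiG 9.16.1 <<>> @ns.example.net example.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

SAMPLE_AUTH='; <<>> DiG 9.16.1 <<>> @ns.example.net example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45678
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Usage: sh open_resolver_check.sh ns1.example.net [name-to-query]
if [ -n "${1:-}" ]; then
    probe_server "$@"
fi
```

Run the live probe from a host outside your own network: a query sent from one of the addresses in the trusted acl is allowed recursion by design and would report the server as open even when the fix is in place.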