I’ve a problem with my VPS; today I received an e-mail from the company that hosts it.
My VPS is at risk of a vulnerability, and the problem is the DNS.
I’ve installed CentOS and Webmin + Virtualmin.
Can anyone help me find the problem? I have little experience with servers.
Hmm, I’m not sure what the problem there might be.
Could you describe the issue in more detail, including what vulnerability you’re at risk of, and how they know that?
Maybe your DNS server is an open resolver that can be used in DNS amplification attacks? That’s my best guess. Like Eric said, we need more details about what your hosting company told you.
Your server is configured as a promiscuous DNS resolver, which responds to recursive DNS queries made from any IP.
They tell me that the problem is that the name servers are recursive. They complain of vulnerability to this type of attack: DNS Amplification Attack.
Yes! This is precisely the problem.
Yes, in that case your server is indeed “vulnerable” as in it can be abused to perform distributed amplification DoS attacks using spoofed UDP packets (i.e. the attacker sends specially crafted DNS requests to your server with a spoofed source IP, and your server responds with a much much larger reply to the apparent source, which in truth is the victim).
More details here: http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service#Reflected_.2F_Spoofed_attack
You can change that by making sure that your /etc/bind/named.conf.options is set properly to allow recursion only from your LAN and localhost. By default, that’s done with this block:
(“Recursion” in this context means the DNS server allows and answers requests for zones that it is not authoritative for.)
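As an added illustration (not configuration posted in this thread), the two fragments below show what an open-resolver BIND 9 configuration looks like next to one restricted as the answer above describes. They are alternatives, not one file: on Debian/Ubuntu the settings live in /etc/bind/named.conf.options, while on CentOS (the OP’s system) they belong in the `options { }` block of /etc/named.conf. The ACL name `trusted` is my own choice; `localhost` and `localnets` are BIND’s built-in ACLs.

```conf
// ---------------------------------------------------------------------
// WEAK: open resolver. With no allow-recursion restriction, BIND answers
// recursive queries for any name from any source address, so a spoofed
// request from the internet produces a large reply to the victim.
// ---------------------------------------------------------------------
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};

// ---------------------------------------------------------------------
// CORRECTED: still serves the zones this server is authoritative for to
// anyone (needed if Virtualmin hosts the domains' DNS), but only the
// local machine and directly attached networks may use it as a resolver.
// The ACL must be defined before it is referenced in options.
// ---------------------------------------------------------------------
acl "trusted" {
    localhost;      // 127.0.0.1 and ::1
    localnets;      // subnets of the server's own interfaces (the "LAN")
};

options {
    directory "/var/named";
    recursion yes;                   // keep recursion available ...
    allow-recursion   { trusted; };  // ... but only for trusted clients
    allow-query-cache { trusted; };  // cached answers likewise stay internal
    allow-query       { any; };      // authoritative zone data remains public
};

// If the server never needs to resolve names for anyone (purely
// authoritative), the simplest hardening is a single line instead:
//     recursion no;
```

After editing, run `named-checkconf` to catch syntax errors, then restart the service (`systemctl restart named` on CentOS 7). To confirm the fix, query the server from an address outside the trusted ACL for a name it is not authoritative for, e.g. `dig @YOUR.SERVER.IP example.com`; a correctly restricted server answers with `status: REFUSED` instead of returning the record.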
OK, but if I disable BIND, do I still have the same problem?
You can disable BIND if you like, and you would no longer have that problem.
However, your server would not be able to act as a nameserver in that case, meaning you would need to set up all your DNS records elsewhere.
If that’s okay, then you can certainly disable BIND if you want.
Note that, in that case, you would need to configure your server to use an external nameserver for DNS lookups.