On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh <moh...@pahlevanzadeh.org> wrote: > On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote: >> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh >> <moh...@pahlevanzadeh.org> wrote: >> > Dear all, >> > >> > I installed bind in Debian/lenny, and i run the following command on >> > server: >> > /////////////////////////////////////////////////////////////////////// >> > root@shared:/etc/bind# dig @localhost yahoo.com >> > >> > ; <<>> DiG 9.7.3 <<>> @localhost yahoo.com >> > ; (2 servers found) >> > ;; global options: +cmd >> > ;; Got answer: >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259 >> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2 >> > >> > ;; QUESTION SECTION: >> > ;yahoo.com. IN A >> > >> > ;; ANSWER SECTION: >> > yahoo.com. 3600 IN A 72.30.38.140 >> > yahoo.com. 3600 IN A 98.138.253.109 >> > yahoo.com. 3600 IN A 98.139.183.24 >> > >> > ;; AUTHORITY SECTION: >> > yahoo.com. 172800 IN NS ns6.yahoo.com. >> > yahoo.com. 172800 IN NS ns2.yahoo.com. >> > yahoo.com. 172800 IN NS ns1.yahoo.com. >> > yahoo.com. 172800 IN NS ns4.yahoo.com. >> > yahoo.com. 172800 IN NS ns8.yahoo.com. >> > yahoo.com. 172800 IN NS ns5.yahoo.com. >> > yahoo.com. 172800 IN NS ns3.yahoo.com. >> > >> > ;; ADDITIONAL SECTION: >> > ns6.yahoo.com. 172800 IN A 202.43.223.170 >> > ns8.yahoo.com. 172800 IN A 202.165.104.22 >> > >> > ;; Query time: 136 msec >> > ;; SERVER: 127.0.0.1#53(127.0.0.1) >> > ;; WHEN: Sun Sep 2 17:09:03 2012 >> > ;; MSG SIZE rcvd: 233 >> > //////////////////////////////////////////////////////////////////////// >> > According to result, my bind work truly, But when i the same command on >> > my machine , i get the following result: >> > ///////////////////////////////////// >> > root@debian:/home/mohsen# dig yahoo.com @184.22.226.206 >> > >> > ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206 >> > ;; global options: +cmd >> > ;; connection timed out; no servers could be reached >> > >> > //////////////////////////////// >> > >> > What do i set to solve it? >> Two things that might be the issue: >> 1. Doe the BIND configuration (named.conf) enable BIND on your >> external interface? >> 2. Does a firewall allow access to port 53/UDP? >> >> There are other possibilities, depending on thins like you network >> configuration. Make sure that you can ping the server from the remote >> system. And, please do not run an open recursive server. (Don't know >> that you are trying to, but it looked quite possible.) > Would you like explain more?
A recursive DNS server that is available to the world can be used as an amplifier for DDOS attacks. It is generally considered unacceptable to allow public access to recursive servers. If you have the resources of a Google, you can build tools to monitor for this and prevent this, but it is not trivial and does not work with stock BIND or any other free DNS server of which I am aware. Further, if the server is authoritative for some zones and is also does recursion, it is far more vulnerable to cache poisoning attacks, so the bast common practice is to run separate authoritative and recursive servers and limit recursion to internal, and customer systems. -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users