On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh
<moh...@pahlevanzadeh.org> wrote:
> On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
>> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh
>> <moh...@pahlevanzadeh.org> wrote:
>> > Dear all,
>> >
>> > I installed bind in Debian/lenny, and i run the following command on
>> > server:
>> > ///////////////////////////////////////////////////////////////////////
>> > root@shared:/etc/bind# dig @localhost yahoo.com
>> >
>> > ; <<>> DiG 9.7.3 <<>> @localhost yahoo.com
>> > ; (2 servers found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>> >
>> > ;; QUESTION SECTION:
>> > ;yahoo.com.                     IN      A
>> >
>> > ;; ANSWER SECTION:
>> > yahoo.com.              3600    IN      A       72.30.38.140
>> > yahoo.com.              3600    IN      A       98.138.253.109
>> > yahoo.com.              3600    IN      A       98.139.183.24
>> >
>> > ;; AUTHORITY SECTION:
>> > yahoo.com.              172800  IN      NS      ns6.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns2.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns1.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns4.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns8.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns5.yahoo.com.
>> > yahoo.com.              172800  IN      NS      ns3.yahoo.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > ns6.yahoo.com.          172800  IN      A       202.43.223.170
>> > ns8.yahoo.com.          172800  IN      A       202.165.104.22
>> >
>> > ;; Query time: 136 msec
>> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> > ;; WHEN: Sun Sep  2 17:09:03 2012
>> > ;; MSG SIZE  rcvd: 233
>> > ////////////////////////////////////////////////////////////////////////
>> > According to result, my bind work truly, But when i the same command on
>> > my machine , i get the following result:
>> > /////////////////////////////////////
>> > root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>> >
>> > ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>> > ;; global options: +cmd
>> > ;; connection timed out; no servers could be reached
>> >
>> > ////////////////////////////////
>> >
>> > What do  i set to solve it?
>> Two things that might be the issue:
>> 1. Doe the BIND configuration (named.conf) enable BIND on your
>> external interface?
>> 2. Does a firewall allow access to port 53/UDP?
>>
>> There are other possibilities, depending on thins like you network
>> configuration. Make sure that you can ping the server from the remote
>> system. And, please do not run an open recursive server. (Don't know
>> that you are trying to, but it looked quite possible.)
> Would you like explain more?

A recursive DNS server that is available to the world can be used as
an amplifier for DDOS attacks. It is generally considered unacceptable
to allow public access to recursive servers. If you have the resources
of a Google, you can build tools to monitor for this and prevent this,
but it is not trivial and does not work with stock BIND or any other
free DNS server of which I am aware.

Further, if the server is authoritative for some zones and is also
does recursion, it is far more vulnerable to cache poisoning attacks,
so the bast common practice is to run separate authoritative and
recursive servers and limit recursion to internal, and customer
systems.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to