I found a very helpful link in the slashdot comments on the story about this:
http://dnsreport.com/

Not only will the above link check your domain(s) for open recursion but it will do a number of other checks as well, some of which surprised me.

Josh

On 3/19/06, Mike Johnson <[EMAIL PROTECTED]> wrote:
> Tanner Lovelace wrote:
> > Greetings,
> >
> > It looks like people have come up with ways to use recursive DNS
> > servers to cause a distributed denial of service on other name servers[1].
> > There's nothing new here, recursive DNS servers have been the norm
> > for many, many years, but then again, so were open SMTP relays[2].
> > So, as a result, it seems that prudence would suggest that people
> > secure their DNS servers. However, just turning off recursive DNS
> > is generally not an option because DNS doesn't work without it.
> > Instead, you need to restrict recursive DNS to just your own network.
> > Looks like good instructions for doing that with bind can be found
> > here[3]. Might as well secure now so as to not contribute to problems
> > later. :-(
>
> And people used to sneer at my split-dns setups... If you aren't
> running BIND, your version of BIND doesn't support views, or you're
> running a DNS server that does not support the concept of recursion
> restriction based on source, there is another way: run two (or more, two
> is a minimum) DNS servers. These could reside on a multihomed host, if
> you wanted to, but separate physical hosts would be best. Configure one
> server as authoritative only (this is where you put all your DNS
> entries) that is publicly available and one that is recursive only that
> is only available on your local network. Configure the recursive DNS
> server to send all requests for your domain directly to the
> authoritative server (this is so you can use bogus/test domains, if you
> want), the rest go to the root servers (or to your ISP's recursive servers).
>
> Mike
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
