Posts

How to close an open DNS resolver

This post was originally written for xmodulo.

The DNS server that we created in the previous tutorial is an open DNS resolver: it does not filter incoming requests and accepts recursive queries from any source IP address. Unfortunately, an open resolver is an easy target for attackers. The simplest case is a Denial of Service (DoS) attack that floods the server with queries. Worse, because DNS normally runs over UDP and the server never verifies the source address of a query, an attacker can spoof the source IP address of a victim so that every reply is sent to the victim instead of the attacker. Since a small query can trigger a much larger response, an open resolver then becomes an amplifier in a Distributed Denial of Service (DDoS) attack; this is known as a DNS amplification attack, and the open server takes an active part in it. According to openresolverproject.org, it is not advisable to run an open resolver unless necessary. Most companies keep their recursive DNS servers accessible only to their own customers. This tutorial will focus on how to configure a DNS server so that it stops being an open resolver and responds only t…
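The following named.conf fragment is an added example, not configuration from the original tutorial. It shows the weak settings that make a BIND server an open resolver next to the corrected ones. The acl name "trusted" and the 172.16.1.0/24 network are assumptions chosen to match the tutorial's 172.16.1.x addressing; substitute your own client ranges.

```conf
// --- WEAK: this is an open resolver (assumed defaults, added example) ---
// options {
//     recursion yes;
//     allow-query { any; };        // anyone may ask, and recursion is granted to anyone
// };

// --- HARDENED: recursion only for our own clients ---
acl "trusted" {                      // assumed: the networks allowed to use recursion
    127.0.0.1;
    172.16.1.0/24;
};

options {
    directory "/var/named";
    recursion yes;                   // still a recursive server, but not for the world
    allow-query       { any; };      // authoritative data for example.tst stays public
    allow-recursion   { trusted; };  // recursive lookups only from trusted
    allow-query-cache { trusted; };  // never hand cached answers to outsiders
    // Response Rate Limiting reduces the amplification factor even for permitted
    // queries. Built into BIND 9.10 and later; older builds need RRL compiled in.
    rate-limit {
        responses-per-second 10;
    };
};
```

Check the syntax with `named-checkconf` before reloading. To verify the change, run `dig @<server-ip> www.google.com A` from an address outside the trusted acl: the answer should carry `status: REFUSED`, while the same query for a name in example.tst is still answered because the server is authoritative for it.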

How to set up a secondary DNS server in CentOS

This post was originally written for xmodulo.

In the previous tutorial, we created a primary DNS server (ns1) for a test domain example.tst. In this tutorial, we will create a secondary DNS server (ns2) for the same domain using the bind package on CentOS. When setting up a secondary DNS server, keep the following points in mind.

- You do NOT need to manually create forward and reverse zone files on the secondary DNS server. The zone files are periodically synced from the primary DNS server automatically.
- Whenever any zone file is modified on the primary DNS server, the 'serial' parameter should be updated. The secondary DNS server will initiate synchronization (a zone transfer) only if the serial on the primary server has changed.

We assume that the IP address of the secondary DNS server to be set up is 172.16.1.4. Let us start installing.

Setting up Hostnames

Just like the primary DNS server, the hostname of the secondary name server should be defined as…
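The named.conf zone definitions below are an added example and not the tutorial's own configuration. They show both ends of the zone transfer for example.tst: the primary (ns1) restricting who may transfer the zone, and the secondary (ns2) pulling it. The primary's address 172.16.1.3, the zone file names and the reverse zone 1.16.172.in-addr.arpa are assumptions; only 172.16.1.4 for ns2 comes from the text.

```conf
// ===== ns1 (primary), assumed address 172.16.1.3 =====
zone "example.tst" IN {
    type master;
    file "example.tst.zone";          // assumed file name; lives under /var/named
    allow-transfer { 172.16.1.4; };   // only ns2 may request AXFR/IXFR of this zone
    notify yes;                       // push a NOTIFY to NS records on every serial change
    also-notify { 172.16.1.4; };
};

zone "1.16.172.in-addr.arpa" IN {     // assumed reverse zone for 172.16.1.0/24
    type master;
    file "1.16.172.in-addr.arpa.zone";
    allow-transfer { 172.16.1.4; };
    notify yes;
    also-notify { 172.16.1.4; };
};

// ===== ns2 (secondary), 172.16.1.4 =====
// CentOS creates /var/named/slaves writable by named; keep transferred zones there.
zone "example.tst" IN {
    type slave;
    file "slaves/example.tst.zone";   // written by named, never edited by hand
    masters { 172.16.1.3; };          // where to fetch the zone from
    allow-transfer { none; };         // ns2 does not serve transfers to anyone
};

zone "1.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/1.16.172.in-addr.arpa.zone";
    masters { 172.16.1.3; };
    allow-transfer { none; };
};
```

After editing a zone file on ns1, raise the SOA serial (for example from 2014031401 to 2014031402 in YYYYMMDDnn style) and run `rndc reload`; ns2 transfers the zone only when it sees a larger serial, and `rndc retransfer example.tst` on ns2 forces a fresh copy while testing. Note that `allow-transfer` by IP address is a minimal control, since it trusts the source address of the request; if the transfer path is not a private network, authenticate transfers with a TSIG key instead.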