Due to a bug in the Parallels Plesk control panel installed on Windows servers, the DNS server/service may be running as an open resolver.
The issue is that these DNS servers are not set to block external requests: they answer recursive queries for hosts outside of the domains they manage, and can be used for DDoS attacks against other servers.
It is a requirement on our network that any server offering DNS be confined to the domains/zones that it manages and not answer recursive queries for external domains/zones.
To address this problem you will need to modify the named.conf file on the server to block recursion or limit recursion to a pre-specified set of allowed devices/IP ranges; in most cases it is the latter, and usually simply localhost.
How Do I Restrict DNS Queries?
You will need to connect to the server over Remote Desktop (RDP) and open the file at the following location:
C:\Program Files (x86)\Parallels\Plesk\dns\etc\named.user.conf
Note:
If the file is not present, look for the file called: named.user.conf
Once you have this open, add or update the option value as follows:
allow-recursion {"localhost";};
Once done, save the file. You will also need to restart the DNS service on the server. Do this by following these steps:
- Open Server Manager: Start > All Programs > Administrative Tools > Server Manager.
- When the window opens click Configuration.
- Click Services.
- Scroll down and find ISC BIND.
- Right click and Restart.
If the service will not restart, then you have made an error in the configuration file, usually a typo. Check the file and follow the steps above again.
The DNS server should now answer recursive queries only from itself, and answer other clients only for domains/zones that it controls.
If your requirements for serving DNS are different from the above, please contact us and let us know.
For more information on Open Resolvers please refer to the following: