Disable DNS recursion and AXFR requests in BIND
on Debian Linux and FreeBSD / How to test whether a nameserver
allows AXFR requests with the dig command
I am playing with BIND on a newly configured server and therefore
doing my best to configure the nameserver properly. Along the way I
remembered the good old "recursion" setting, which can be a security
hole in your DNS setup. I won't waffle on about how bad it is for a
BIND nameserver to have recursion switched on for the whole world;
there is plenty of information about that online. Anyway, here is a
brief overview of recursion:
Recursive DNS is essentially the opposite of authoritative DNS.
An authoritative DNS service lets the rest of the world find your
own domains, while a recursive DNS service resolves other people's
domains on behalf of its clients.
So, given the above definition, if you leave recursion open (which
was the default behaviour of older BIND releases and is also the
default of several other DNS servers, Microsoft DNS included), your
nameserver will answer resolve requests for any domain name from
anyone on the Internet. In other words, somebody out there can use
your nameserver to resolve all Internet domains, like google.com,
yahoo.co.uk etc. Such an "open resolver" is not just a free service
for strangers: it can be abused as a reflector in DNS amplification
attacks and it widens the attack surface for cache poisoning.
It is wise to allow recursion only for localhost (and your own
hosts) on your BIND nameserver. To achieve that on Debian, open
/etc/bind/named.conf.options and, right before the options {}
block, define an access list (the ACL has to be declared before it
is referenced; replace 1.2.3.4 with the address(es) you want to
allow):

    acl recurseallow { 1.2.3.4; 127.0.0.1; };

Then, inside the options {} block, include the following lines:

    recursion yes;
    allow-recursion { recurseallow; };

On FreeBSD you need to include the same in
/var/named/etc/namedb/named.conf (the default location) or in
whatever other location your named.conf lives.
Another truly vital thing to include in the options {} block of
/etc/bind/named.conf.options on Debian Lenny is:

    allow-transfer { none; };

Including this in the options {} configuration block completely
disables AXFR zone transfer requests on your nameserver. If you run
secondary nameservers, re-enable transfers for them only, with an
allow-transfer statement listing their addresses inside the zone {}
blocks they slave. Note that auth-nxdomain no;, which is often found
in the same block, has nothing to do with zone transfers: it only
controls whether the AA bit is set on NXDOMAIN answers, and "no" is
already BIND 9's default. On FreeBSD the procedure is absolutely
analogous: just open /var/named/etc/namedb/named.conf and include
allow-transfer { none; }; in the options configuration block.
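Here is a complete named.conf.options putting both settings together. It is an added example, not the original post's own configuration: it keeps the post's placeholder 1.2.3.4 for the server's own address, assumes a hypothetical secondary nameserver at 192.0.2.53 that is allowed to pull the zone, and uses assumed Debian-style directory and zone file paths. Zone transfers are governed by allow-transfer, not by auth-nxdomain:

```conf
// /etc/bind/named.conf.options on Debian; on FreeBSD the same statements
// go into /var/named/etc/namedb/named.conf.
// Added example (not the post's config). 1.2.3.4 is the post's placeholder
// for the server's own address; 192.0.2.53 is a hypothetical secondary.

// ACLs must be declared before the options {} block that references them.
acl recurseallow { 127.0.0.1; 1.2.3.4; };
acl secondaries  { 192.0.2.53; };

options {
        directory "/var/cache/bind";   // Debian default (assumed)

        // Recursion stays on, but only the listed addresses may use it.
        // Everyone else only gets answers for zones we are authoritative for.
        recursion yes;
        allow-recursion { recurseallow; };

        // Refuse AXFR/IXFR zone transfers from anywhere by default ...
        allow-transfer { none; };

        // ... this one is unrelated to transfers: it only decides whether
        // the AA bit is set on NXDOMAIN answers ("no" is BIND 9's default).
        auth-nxdomain no;
};

// ... and re-enable transfers per zone, for your own secondaries only.
zone "somedomainname.net" {
        type master;
        file "/etc/bind/db.somedomainname.net";   // assumed path
        allow-transfer { secondaries; };
};
```

After editing, run named-checkconf and then reload named; the dig AXFR test described further down should then answer "Transfer failed." from any address not listed in the secondaries ACL.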
To stress the importance of disabling AXFR: if you don't disable it
(it is enabled by default in many nameservers out there), you risk
a malicious person listing the whole zone file of each and every
domain configured on the DNS server. From that the attacker learns a
lot about the DNS topology of your network: every hostname, internal
address and service name you have published in the zone.
To complete the article, here is an example of how the dig command
can be used to check whether a certain DNS server has AXFR requests
enabled (i.e. whether it is vulnerable to this type of DNS
information leak):

    dig @somenameserver.net somedomainname.net axfr

In the above example:
somenameserver.net = a nameserver hosting a specific DNS domain
somedomainname.net = the DNS domain name (a.k.a. zone) hosted on
somenameserver.net
If everything is configured properly on the nameserver you're
running the AXFR test against, you should see something like:

; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

If instead dig prints the zone's records one per line, starting and
ending with the SOA record, the server is handing out the whole zone
to anyone who asks and its allow-transfer setting needs fixing.
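When you have more than a couple of nameservers to audit it helps to script the check. The following is an added example, not code from the original post: it classifies the output of the dig AXFR test so the result can be used in a loop or a monitoring job. A live check assumes dig is installed (Debian package dnsutils; on FreeBSD it ships with the base BIND or the bind-tools port); the classifier itself only reads text, and the two sample outputs embedded below are constructed, so running the script without arguments needs no network.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of
# "dig @server zone axfr" so the check can be scripted over many servers.
# Live checks assume dig is installed; the classifier only reads text and
# the samples below are constructed, so the self-test needs no network.

# axfr_status reads dig output on stdin and prints one word:
#   OPEN     the server handed out the zone (information leak)
#   REFUSED  the transfer was refused or failed (what a hardened server does)
#   UNKNOWN  no usable answer (timeout, unreachable host, unexpected output)
axfr_status() {
    out=$(cat)
    case "$out" in
        *"Transfer failed."*)
            echo REFUSED
            return 0
            ;;
    esac
    # A complete zone transfer begins and ends with the zone's SOA record,
    # so two SOA lines mean the whole zone came across.
    soa_lines=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]]\{1,\}SOA[[:space:]]' || true)
    if [ "$soa_lines" -ge 2 ]; then
        echo OPEN
    else
        echo UNKNOWN
    fi
}

# check_axfr NAMESERVER ZONE runs the live test from the post and
# prints OPEN / REFUSED / UNKNOWN.
check_axfr() {
    dig @"$1" "$2" axfr +time=5 +tries=1 | axfr_status
}

# Constructed sample: what a correctly locked-down server answers.
SAMPLE_CLOSED='; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# Constructed sample: what an open server answers (a small zone).
SAMPLE_OPEN='; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
somedomainname.net.     86400   IN      SOA     ns1.somedomainname.net. hostmaster.somedomainname.net. 2010010101 3600 900 604800 86400
somedomainname.net.     86400   IN      NS      ns1.somedomainname.net.
ns1.somedomainname.net. 86400   IN      A       192.0.2.53
www.somedomainname.net. 3600    IN      A       192.0.2.10
somedomainname.net.     86400   IN      SOA     ns1.somedomainname.net. hostmaster.somedomainname.net. 2010010101 3600 900 604800 86400
;; Query time: 2 msec'

if [ $# -ge 2 ]; then
    # Usage: ./axfr-check.sh somenameserver.net somedomainname.net
    check_axfr "$1" "$2"
else
    echo "locked-down sample: $(printf '%s\n' "$SAMPLE_CLOSED" | axfr_status)"
    echo "open sample:        $(printf '%s\n' "$SAMPLE_OPEN" | axfr_status)"
fi
```

The script keys on two things only: the literal "; Transfer failed." line dig prints when the server refuses, and the pair of SOA records that frame a successful transfer. Anything else (timeouts, unreachable servers) is reported as UNKNOWN rather than silently counted as safe, which is the failure mode you want in an audit script.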