PowerDNS Open Resolver necessary?

    • PowerDNS Open Resolver necessary?

      I got "severely notified" by my provider that my new server operates as an "open resolver" and might get used in a DOS attack.

      I turned off some of the PDNS features that don't seem essential for proper function in this scenario; in particular, I restricted "recursion" to queries from localhost. Remote queries either get a local reply if the domain is hosted or "unknown".

      In addition, the server is configured as master AND slave, whereas I suppose none of it has to be configured as default. Especially since there is no internal option to configure an upstream "master". In this case you have to fiddle with the pdns configuration file anyway. So why enable this by default? This might eventually lead to a situation where PDNS happily accepts a fake "master" that pushes in some faked entries.
    • Hi,

      The master/slave setup is needed due to the fact that all domain registrars need 2 or more DNS servers. So this is needed to act as master/slave. But from outside you can't do anything before you configure your server via config entries. PowerDNS will only accept incoming master/slave queries from configured hosts.

      Also, it does not operate as an open resolver. The default is 127.0.0.1, so I can't confirm why your ISP says that your server is an open resolver.
      Regards
      Shadow
    • ShadowJumper wrote:

      Also, it does not operate as an open resolver. The default is 127.0.0.1, so I can't confirm why your ISP says that your server is an open resolver.
      I definitely can confirm this. I tried for myself and it happily resolved "www.ibm.es" when I asked it from remote. It stopped doing that after I changed the default value to "localhost":

      Source Code

      1. ################################## allow-recursion List of subnets that are allowed to recurse
      2. ## allow-recursion=0.0.0.0/0
      3. allow-recursion=127.0.0.1/8,::1

      PowerDNS default = not set = 0.0.0.0/0 = everyone


      It stopped behaving badly after I added line 3.

      If this is supposed to be the value after install, then it's all OK. Mine missed it somehow.
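
An added example, not part of any post in this thread and not PowerDNS code: a small audit that reads a pdns.conf text and reports which `allow-recursion` ranges reach beyond localhost. It assumes, as stated in the thread, that an unset `allow-recursion` behaves as 0.0.0.0/0, and that the last uncommented occurrence of the setting wins; the function names and sample configs are constructed for illustration.

```python
import ipaddress

# Assumption taken from the thread: an unset allow-recursion means 0.0.0.0/0.
ASSUMED_DEFAULT = "0.0.0.0/0"
# Ranges treated as safe to recurse for; extend with your own LAN if needed.
LOCAL_ONLY = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def effective_allow_recursion(conf_text):
    """Return the allow-recursion networks in effect for a pdns.conf text."""
    value = ASSUMED_DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out settings have no effect
        key, sep, val = line.partition("=")
        if sep and key.strip() == "allow-recursion":
            value = val.strip()  # assumption: the last occurrence wins
    # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]

def exposed_ranges(conf_text, trusted=LOCAL_ONLY):
    """Networks allowed to recurse that are not contained in a trusted range."""
    def contained(net):
        return any(net.version == t.version and net.subnet_of(t) for t in trusted)
    return [n for n in effective_allow_recursion(conf_text) if not contained(n)]

# Constructed samples modelled on the config quoted in the thread.
BEFORE = "## allow-recursion=0.0.0.0/0\n"
AFTER = BEFORE + "allow-recursion=127.0.0.1/8,::1\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        bad = exposed_ranges(conf)
        print(name, "OPEN to " + ", ".join(map(str, bad)) if bad else "local only")
```

A clean result here only covers the config file; querying the server from an outside host for a domain it does not host, as done in the thread, confirms the running behaviour.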