Turning off recursion in BIND is surprisingly tricky, and the details differ between Red Hat and Ubuntu distributions. The reason is that there are so many directories and configuration files to keep track of. Furthermore, some of these configuration files include other configuration files, so you end up browsing and scanning multiple files to get to a basic setting.
This article is about finding BIND settings on an older CentOS 7 server. After many years of this server running, it was found via top that named was consuming 1 to 2 to 3 GB of RAM. The entire machine, which is a LAMP server, was falling over:
```
Tasks: 192 total,   3 running, 189 sleeping,   0 stopped,   0 zombie
%Cpu(s):  5.9 us,  5.9 sy,  0.0 ni, 82.4 id,  0.0 wa,  0.0 hi,  3.9 si,  2.0 st
KiB Mem :  6109156 total,  1456248 free,  2567376 used,  2085532 buff/cache
KiB Swap:  8388604 total,  5303172 free,  3085432 used.  2528620 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
13040 ...
23619 named     20   0 1573564   1.0g   2496 S  12.5 18.0 226:02.57 named
```
Here are some of the directories to keep track of:
- /var/named (lots of .hosts files)
- /etc/named (empty)
- /var/named/data (log files; /var/log/messages on bind showing a huge log file growing)
- /etc/ (named.conf and other named.* files)
Now where is this elusive recursion setting?
Finding the recursion setting wasn’t that hard:
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;
```
Once we have found it, and since this is actually an authoritative server, we need to:
- Find a good script / public service to show us it’s open
- Close it
- Make sure authoritative checking still works
Bash Open Resolver Tester
```bash
#!/bin/bash

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <IP_prefix>"
    exit 1
fi

ip_prefix=$1
timeout_value=1

for i in {40..254}; do
    ip="${ip_prefix}.${i}"
    # Use dig to query cnn.com against the DNS resolver
    result=$(dig +timeout=${timeout_value} +short @${ip} cnn.com)
    # Check if the result times out or is empty
    if [[ "$result" =~ "connection timed out" || -z "$result" ]]; then
        echo "Not an open resolver ${ip}"
    else
        echo "Open resolver: ${ip}"
    fi
done
```
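The tester above only asks whether `dig +short` returned anything, so a server that refuses the client, one with recursion switched off, and one that answered from its own zone all look alike. The script below is an added example, not part of the original post, covering all three steps listed above: it classifies a server from dig's full output (status plus the `ra` "recursion available" flag) for the "show us it's open" step, and checks the `aa` "authoritative answer" flag for the "authoritative checking still works" step after recursion has been closed (`recursion no;` in the options block of /etc/named.conf, followed by `rndc reload`). The dig output embedded in the script is constructed sample text; `example.com`, `203.0.113.53` and the `192.0.2.x` addresses are placeholders.

```shell
#!/bin/bash
# Added example, not from the original post. Classifies a DNS server from the
# full output of `dig` (without +short) by looking at the response status and
# the flags line. Usage against a live server (placeholder address):
#   dig +timeout=1 @203.0.113.53 cnn.com | classify_dig_output
#   dig +timeout=1 @203.0.113.53 example.com SOA | is_authoritative_answer
# All dig output below is constructed sample text; names and IPs are placeholders.

# Extract "status: XXX" from dig's HEADER line (first match only).
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the flag list from dig's ";; flags: ... ;" line.
dig_flags() {
  sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# has_flag FLAGLIST WORD: true when WORD (e.g. ra, aa) is in the flag list.
has_flag() {
  printf ' %s ' "$1" | grep -q " $2 "
}

# classify_dig_output: reads dig output on stdin and prints one of
#   unreachable  - dig timed out
#   refused      - status REFUSED: the server denies this client
#   open         - NOERROR with "ra": the server recursed for a foreign name
#   norecursion  - NOERROR without "ra": recursion is off
classify_dig_output() {
  local out status flags
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'connection timed out'; then
    echo unreachable
    return 0
  fi
  status=$(printf '%s\n' "$out" | dig_status)
  flags=$(printf '%s\n' "$out" | dig_flags)
  case "$status" in
    REFUSED) echo refused ;;
    NOERROR) if has_flag "$flags" ra; then echo open; else echo norecursion; fi ;;
    *)       echo "other:${status:-none}" ;;
  esac
}

# is_authoritative_answer: prints yes when the reply is NOERROR with the "aa"
# flag, i.e. the server still answers for its own zone after recursion is off.
is_authoritative_answer() {
  local out
  out=$(cat)
  if [ "$(printf '%s\n' "$out" | dig_status)" = NOERROR ] \
     && has_flag "$(printf '%s\n' "$out" | dig_flags)" aa; then
    echo yes
  else
    echo no
  fi
}

# Constructed samples of what dig prints in each case.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
cnn.com.    60  IN  A   192.0.2.10'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.  3600  IN  SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600'

# Demo over the samples: prints open, refused, unreachable, then yes and no.
printf '%s\n' "$SAMPLE_OPEN"    | classify_dig_output
printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output
printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output
printf '%s\n' "$SAMPLE_AUTH"    | is_authoritative_answer
printf '%s\n' "$SAMPLE_OPEN"    | is_authoritative_answer
```

The `ra` test is the same one the public open-resolver checkers apply: a reply with recursion available to a query for a name the server is not authoritative for. With `recursion no;` in place, BIND answers such queries with REFUSED (the `refused` class above), while a query for one of its own zones must still come back NOERROR with `aa` set; if the second check prints `no` after the reload, the zone configuration rather than the recursion setting needs attention.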