LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-30-2003, 11:51 AM   #1
slam
Member
 
Registered: Mar 2003
Posts: 36

Rep: Reputation: 15
Block DNS users


I am running a Red Hat 8 mail server, and I just noticed that I am being hit by DNS searches... how do I block these?


 
Old 09-30-2003, 11:58 AM   #2
Faecal
Member
 
Registered: Sep 2002
Location: York, UK
Distribution: Debian Sid
Posts: 215

Rep: Reputation: 30
See /etc/named.conf for the allow-query entry, to specify which hosts are permitted to do DNS lookups on the machine. Of course, if you're not actually using the machine as a DNS server, you ought to disable named.
 
Old 09-30-2003, 01:07 PM   #3
slam
Member
 
Registered: Mar 2003
Posts: 36

Original Poster
Rep: Reputation: 15
dns

If I only want to use the server for mail and local surfing, can I disable named and just use a gateway?

The only file that is there is named.custom; is that the same as named.conf in this case?

And how do I disable the file? chmod, delete, or other?

I did find /etc/log.d/conf/services/named.conf?

Last edited by slam; 09-30-2003 at 01:11 PM.
 
Old 09-30-2003, 01:36 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well first, are the DNS queries from external IPs or internal? Your local clients will need to make DNS lookups for any connections they make to the Internet. The easiest way to disallow remote hosts querying your server for DNS is to firewall off port 53 completely from the outside world (both TCP and UDP).
 
Old 09-30-2003, 01:39 PM   #5
slam
Member
 
Registered: Mar 2003
Posts: 36

Original Poster
Rep: Reputation: 15
queries

The DNS queries in the log are coming from the server itself, and I am the only one using it, and I know the queries are not mine.
I'll go look at port 53 on the netserver.
 
Old 09-30-2003, 01:58 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Your mail server is making the queries. It does a DNS lookup every time it sends a message, and likely it also tries to do a reverse lookup of every IP that connects to deliver mail to you. If you totally disable DNS you will break your mail server.
 
Old 09-30-2003, 02:46 PM   #7
slam
Member
 
Registered: Mar 2003
Posts: 36

Original Poster
Rep: Reputation: 15
no

I disagree... the mail logs show constant activity when our office was closed down.

Would this be an open relay then?

Last edited by slam; 09-30-2003 at 02:52 PM.
 
Old 09-30-2003, 02:57 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Probably bouncing messages that were sent to non-existent users on your system. Look, if the queries have a source address of your server, SOME application on your server is making those queries and you're going to break it when you disable DNS. Now given the fact that you're primarily running the box as a mail server, and additionally given that the two examples you just posted a) start with mail. and b) sound like porn spammer hosts, I'm willing to bet money it's your mail server.

However, it's your server and you're welcome to break it if you want to. Just don't come back tomorrow asking why you suddenly can't deliver mail.

By the way, even if you do have /etc/resolv.conf configured to query your ISP's name server and mail continues to work, you'll add a lot more latency to your lookups and that will impact performance.

I really don't see why you're so paranoid about your own server doing DNS lookups. DNS is the foundation of the Internet. It is also true that if you have the processing horsepower, it's much better to do queries locally on your own network rather than across the Internet, because you will have significantly better performance. As long as Internet users aren't doing zone file transfers of your entire zone off your DNS server, you're fine! Let your internal boxes query all they want, all it's doing is increasing your Internet performance.

I highly suggest reading DNS & BIND from O'Reilly.
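Added example, not from the thread and not any poster's code: a small Python triage script for the question chort asks first, whether the logged queries come from the server itself, from the office LAN, or from outside. It flags the two patterns the posts turn on: MX and PTR lookups originating from the server (what an MTA does when it sends and when a peer connects), and external clients using the box as a resolver or attempting a zone transfer. The log lines are constructed in the shape of a BIND 9 query log; the 10.0.0.0/24 internal network, the example.net zone, and the named.conf ACL quoted in the comment are assumptions, not the poster's configuration.

```python
"""Triage a BIND query log: who is asking, and does the pattern look like a
mail server doing its job or like outsiders using the box as a resolver?
Added example, not from the original thread.  The log lines, the internal
network (10.0.0.0/24) and the zone name (example.net) are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of a BIND 9 query log (assumed format:
# "... client IP#PORT: query: NAME IN TYPE ...").  127.0.0.1 is the server
# itself, 10.0.0.15 an office workstation, 203.0.113.9 an outside host.
SAMPLE_LOG = """\
30-Sep-2003 02:14:07.120 client 127.0.0.1#32769: query: remote-domain.example IN MX +
30-Sep-2003 02:14:08.004 client 127.0.0.1#32769: query: 9.113.0.203.in-addr.arpa IN PTR +
30-Sep-2003 02:14:09.551 client 127.0.0.1#32769: query: mx.remote-domain.example IN A +
30-Sep-2003 02:15:10.200 client 10.0.0.15#1027: query: www.linuxquestions.org IN A +
30-Sep-2003 02:16:01.833 client 203.0.113.9#53211: query: www.google.com IN A +
30-Sep-2003 02:16:02.101 client 203.0.113.9#53212: query: example.net IN AXFR +
"""

# Tolerates both the old "client IP#PORT:" and the newer "client @0x... IP#PORT (NAME):" prefix.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Networks that should be allowed to query.  Mirrors the named.conf restriction
# Faecal and chort describe; an assumed configuration, not the poster's:
#   options {
#       allow-query     { localhost; 10.0.0.0/24; };
#       allow-recursion { localhost; 10.0.0.0/24; };
#       allow-transfer  { none; };
#   };
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_queries(text):
    """Yield (client_ip, qname, qtype) for every line that looks like a query entry."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["name"], m["qtype"]


def classify_client(ip):
    """'server-itself' for loopback, 'internal' for the LAN ACL, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "server-itself"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def looks_like_mta(qname, qtype):
    """An MTA resolves MX records to send and PTR records for peers that connect."""
    return qtype == "MX" or (qtype == "PTR" and qname.endswith(".in-addr.arpa"))


def triage(text):
    """Summarise a query log: counts per origin, MTA-style lookups made by the server
    itself, and every query an external client made (the ones a restricted
    allow-query / allow-transfer would refuse)."""
    by_origin = Counter()
    mta_like = 0
    external = []
    for ip, qname, qtype in parse_queries(text):
        origin = classify_client(ip)
        by_origin[origin] += 1
        if origin == "server-itself" and looks_like_mta(qname, qtype):
            mta_like += 1
        elif origin == "external":
            external.append((ip, qname, qtype))
    return {
        "by_origin": dict(by_origin),
        "mta_like": mta_like,
        "external": external,
        "zone_transfer_attempts": [q for q in external if q[2] == "AXFR"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("queries by origin:", report["by_origin"])
    print("MTA-style lookups from the server itself:", report["mta_like"])
    for ip, qname, qtype in report["external"]:
        print(f"external client {ip} asked for {qname} {qtype}")
    if report["zone_transfer_attempts"]:
        print("zone transfer attempted from outside: restrict allow-transfer now")
```

On the sample, the three loopback queries are exactly what an MTA produces (MX for the destination domain, the A record of its MX host, and a PTR for the peer that connected), which is chort's point; the two from 203.0.113.9 are the ones worth blocking, and the AXFR attempt is the case chort singles out. Restricting allow-query and allow-transfer in named.conf, or dropping inbound port 53 (TCP and UDP) on the external interface as suggested above, stops the external queries without touching the server's own lookups.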
 
Old 09-30-2003, 03:09 PM   #9
slam
Member
 
Registered: Mar 2003
Posts: 36

Original Poster
Rep: Reputation: 15
?

I was worried that I may have been providing the mail for the spammers somehow... I have to watch my logs for garbage like the aforementioned spammers... our users are not allowed to do that sort of stuff. Thanks for your input.
 
Old 09-30-2003, 03:25 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Just don't allow relay from external IPs. You can easily test that by going to an outside box (one that's not on your network), telnet to your mail server on port 25, and issue the SMTP commands by hand. Make sure your MAIL FROM is not in your domain and neither is the RCPT TO. If it accepts the message, you have problems.

Code:
[chort@abydos chort]$ telnet mail.yourdomain.tld 25
Trying 10.0.0.3...
Connected to mail.yourdomain.tld (10.0.0.3).
Escape character is '^]'.       
220 mail.yourdomain.tld ESMTP Mailserver software name
EHLO test.com                   
250-mail.yourdomain.tld 
250-PIPELINING                  
250-SIZE 10240000               
250-VRFY                        
250-ETRN                        
250-XVERP                       
250 8BITMIME                    
MAIL FROM: <test@test.com>      
250 Ok                          
RCPT TO: <test@foo.com>         
250 Ok
Obviously the above uses a private IP (10.0.0.3), where you would be using the public IP if connecting from a remote system, but you get the idea. Above is an example of a server which DOES allow relaying. This is bad.

A server which does not allow relaying would have responded with the below, instead of "250 OK" after the RCPT TO line.
Code:
571 Cannot relay. Mailbox not available foo@test.com
Note that you cannot do this test from inside your network, because your server SHOULD relay for internal hosts.
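Added example, not chort's code and not from the thread: the manual telnet exchange above done programmatically in Python, together with the server-side policy it is testing. relay_probe speaks the same EHLO / MAIL FROM / RCPT TO sequence and returns the verdict from the RCPT TO reply; relay_decision is the rule a correctly configured MTA applies (accept mail for its own domain from anyone, relay to other domains only for internal clients); serve_once is a loopback mock that applies that rule as though the peer came from a chosen address, so both the open and the closed case can be exercised offline. The domains, the 10.0.0.0/24 internal network and the mock itself are assumptions made for a runnable demonstration.

```python
"""Open-relay probe: speak SMTP by hand the way chort does above and judge the
server by its reply to RCPT TO.  Added example, not from the thread; the domains,
the 10.0.0.0/24 internal network and the loopback mock server are assumptions."""
import ipaddress
import socket
import threading

LOCAL_DOMAIN = "yourdomain.tld"                        # domain this server accepts mail for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # clients allowed to relay outward


def read_reply(rfile):
    """Read one SMTP reply, following '250-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250-x" continues, "250 x" ends the reply
            return int(line[:3]), lines


def relay_probe(host, port, mail_from="test@test.com", rcpt_to="test@foo.com", timeout=10):
    """True if the server accepts a recipient outside its own domain from us.
    Run it from OUTSIDE the network, as the post says: from inside, relaying is expected."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code}")
        for cmd in ("EHLO probe.invalid", f"MAIL FROM:<{mail_from}>"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, _ = read_reply(rfile)
            if code != 250:
                raise RuntimeError(f"{cmd} rejected with {code}")
        sock.sendall(f"RCPT TO:<{rcpt_to}>\r\n".encode("ascii"))
        code, _ = read_reply(rfile)              # 250 here == open relay; anything else == refused
        sock.sendall(b"QUIT\r\n")
        try:
            read_reply(rfile)
        except (ConnectionError, OSError):
            pass                                 # some servers just hang up after QUIT
        return code == 250


def relay_decision(client_ip, rcpt):
    """Policy a correctly configured MTA applies to RCPT TO: accept mail for the local
    domain from anyone, relay to other domains only for internal clients."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain == LOCAL_DOMAIN:
        return 250, "Ok"
    if any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS):
        return 250, "Ok"
    return 554, f"Relay access denied for <{rcpt}>"


def serve_once(pretend_client_ip):
    """One-shot mock MTA on loopback applying relay_decision as though the peer were
    pretend_client_ip (so an external client can be simulated locally).  Returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 mail.yourdomain.tld ESMTP mock\r\n")
            while True:
                raw = rfile.readline()
                if not raw:
                    break
                cmd = raw.decode("ascii", "replace").strip()
                verb = cmd.split(":", 1)[0].split()[0].upper() if cmd else ""
                if verb in ("EHLO", "HELO"):
                    conn.sendall(b"250-mail.yourdomain.tld\r\n250 8BITMIME\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 Ok\r\n")
                elif verb == "RCPT":
                    rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                    code, text = relay_decision(pretend_client_ip, rcpt)
                    conn.sendall(f"{code} {text}\r\n".encode("ascii"))
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return port


def probe_mock(pretend_client_ip):
    """Probe the mock as if connecting from pretend_client_ip; True means it relayed."""
    return relay_probe("127.0.0.1", serve_once(pretend_client_ip))


if __name__ == "__main__":
    print("from outside (203.0.113.9):", "OPEN RELAY" if probe_mock("203.0.113.9") else "relay refused")
    print("from the LAN (10.0.0.15):  ", "relayed, as expected" if probe_mock("10.0.0.15") else "refused")
```

Against a real server, call relay_probe(host, 25) from a machine outside your network; the exact refusal text varies by MTA (the post shows 571, Postfix answers 554 "Relay access denied"), so the verdict keys only on whether RCPT TO got 250. Note the asymmetry the mock reproduces: the same RCPT TO that must be refused from outside is accepted from the LAN, which is why the test is meaningless when run from inside.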
 
  

