
My secondary authoritative DNS server (CentOS 7, BIND 9.9, hosted in Microsoft Azure) is marked as Open Zone Transfer, although I've added the line "recursion no" in /etc/named.conf:

This is my options section in the server's named.conf file:

options {
    // bind to every local interface; on this host it is the only name server expected on :53
    listen-on port 53 { any; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // anyone may query the authoritative data ...
    allow-query    { any; };
    // ... but nobody may AXFR/IXFR any zone (a zone block can still override this)
    allow-transfer { none; };
    // authoritative-only server; recursion is independent of zone transfers
    recursion no;
    additional-from-cache no;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

Can you advise me why my authoritative server is still marked as Open Zone Transfer?

  • Where / how is it marked as open zone transfer? (Who is telling you this)? Also, stupid question: You've restarted bind after making these changes? – David W May 25 '17 at 09:56
  • Thanks for your reply. Yes, I've restarted BIND many times, but in vain... many DNS testing websites were telling me that the server is an open zone transfer (like http://mxtoolbox.com and http://hackertarget.com/zone-transfer). You can check using one of my domains, "shabakah.com". – Ahmed AbdelSalam May 25 '17 at 10:24
  • The zone shabakah.com should have its own config file. What's the current configuration for this zone ? – Kate May 25 '17 at 16:31
  • Recursion and transfer are unrelated. I see that I can in fact do a zone transfer for that domain on ns4.shabakah.net.sa (40.86.176.26). Is that the server you're showing us the config files for? We need to see the `zone` context as well, because perhaps you are allowing transfer in there... – theglossy1 May 26 '17 at 02:36
  • @theglossy1 the mentioned named.conf file was from NS4, and the zone context (in the slave server NS4) is: **zone "shabakah.com" {type slave; file "slaves/db.shabakahcom"; masters { 212.102.0.2; };};** and in the master server: **zone "shabakah.com" {type master; file "/var/named/db.shabakahcom"; };** – Ahmed AbdelSalam May 28 '17 at 08:33
  • That's a mystery why it would allow transfers then. It should inherit the `allow-transfer { none; };` from the global configuration. I suppose for good measure you could add that to the zone definition too, but there's no reason you should have to. – theglossy1 May 29 '17 at 00:32

1 Answer

After 2 days of troubleshooting, the issue was fixed. I found that the CentOS image installed by Microsoft Azure by default has the dnsmasq service installed and running after the initial OS install... when I disabled that service, BIND was working fine and the unauthorized zone transfer requests were denied as configured in named.conf... thanks
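The two checks this thread ends up needing, as an added example that is not part of the original question or answer: find out which process actually owns port 53 on the host (here, dnsmasq instead of named), and classify what `dig ... AXFR` returns against the public name server. The `ss -lnptu` and `dig` outputs embedded below are constructed samples so the script runs offline; the host names, PIDs and addresses in them are invented. On a real server, pipe the live `ss -lnptu` output into `port53_owners` and pass `"$(dig @NS DOMAIN AXFR)"` to `classify_axfr`.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Sample outputs are CONSTRUCTED
# to mimic `ss -lnptu` and `dig @ns zone AXFR`; replace them with live output.

# Constructed `ss -lnptu` output: dnsmasq holds :53, named only got its rndc port (953).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=812,fd=4))
tcp   LISTEN 0      10         0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=812,fd=5))
tcp   LISTEN 0      10     127.0.0.1:953        0.0.0.0:*    users:(("named",pid=1301,fd=22))
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=900,fd=3))'

# Constructed `dig @192.0.2.1 example.com AXFR` output when the transfer is allowed
# (a full zone, bracketed by the SOA record) ...
SAMPLE_DIG_OPEN='; <<>> DiG 9.9.4 <<>> @192.0.2.1 example.com AXFR
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2017052801 3600 900 604800 86400
example.com.      3600  IN  NS   ns1.example.com.
www.example.com.  3600  IN  A    192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2017052801 3600 900 604800 86400
;; Query time: 12 msec'

# ... and when allow-transfer { none; } is actually in effect.
SAMPLE_DIG_REFUSED='; <<>> DiG 9.9.4 <<>> @192.0.2.1 example.com AXFR
; Transfer failed.'

# Read `ss -lnptu` output on stdin; print the distinct process names bound to
# port 53 (TCP or UDP, any address), one per line.
port53_owners() {
    awk '$5 ~ /:53$/ {
            if (match($0, /users:\(\("[^"]+"/))
                print substr($0, RSTART + 9, RLENGTH - 10)
         }' | sort -u
}

# Return 0 (true) when something other than named owns port 53 in the given
# `ss` output; this is the condition that explains the thread's symptom.
port53_conflict() {
    printf '%s\n' "$1" | port53_owners | grep -qv '^named$'
}

# Classify captured dig AXFR output: "refused" if dig reported a failed
# transfer, "open" if a zone came back (an SOA record is present), else "unknown".
classify_axfr() {
    case $1 in
        *"Transfer failed"*) echo refused ;;
        *)
            if printf '%s\n' "$1" | grep -q '[[:space:]]IN[[:space:]]*SOA[[:space:]]'; then
                echo open
            else
                echo unknown
            fi ;;
    esac
}

# Run the checks against the constructed samples.
echo "processes bound to port 53:"
printf '%s\n' "$SAMPLE_SS" | port53_owners
if port53_conflict "$SAMPLE_SS"; then
    echo "WARNING: a process other than named is answering on port 53; named.conf is not what clients see"
fi
echo "AXFR result (open sample):    $(classify_axfr "$SAMPLE_DIG_OPEN")"
echo "AXFR result (refused sample): $(classify_axfr "$SAMPLE_DIG_REFUSED")"
```

The point of the first check is the one the answer makes: `allow-transfer { none; }` only governs named, so if another resolver owns port 53 the directive is irrelevant to what the Internet sees. Re-run the AXFR check after stopping the conflicting service and expect "refused".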