This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
==What is an
Every day,
AAISP customers normally use the AAISP DNS servers, or often their own router.
It is quite common for DSL routers to respond to these DNS requests on the WAN side as well as the LAN - this means that other people on the Internet can use your router to do their DNS
The 'attack' in this sense is more about attacking somebody else on the Internet by using your DNS resolver. What happens
<center>
{| class="wikitable"
!colspan="2"|DNS
|-
|[[File:Opendns1.png|300px|DNS attack]]
|}
</center>
In the past, having an open resolver on a router wasn't a problem, and there are a great many routers which leave DNS open in their default state
This is often referred to as a 'DNS
==What if I run a DNS server on purpose?==
It is quite legitimate for people to run DNS servers on their network, and we are happy for them to do so - in these cases access to them should be restricted or limited.
If you run an authoritative DNS server, configure it to return records only for your domain.
If you run a caching resolver, configure it to answer queries only from your own users (use a firewall to allow only your users), and consider implementing rate-limiting.
You can disable our automatic scanning; see [[#Disabling Automatic Scans]] below.
=How to prevent this?=
See the pages below for details on specific routers
=Automatic and Manual Testing for
There is a page on the AAISP control pages that lists your IPs that have an open DNS server running, and can also re-scan your IP blocks (IPv4). AAISP will re-scan automatically every
Log in to the [https://
==Disabling Automatic Scans==
You can disable our regular scans on a per-IP-block basis. From the Control Pages, click on the IP block and change the setting.
[[File:DNS-Check-flag.png|border]]
You will still be able to run the checks manually.
Log in to the [https://clueless.aa.net.uk/ Control Pages], and then either click on one of your IPv4 addresses or a broadband line. On these pages you'll see a link to the open DNS page.
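To confirm a fix yourself, you can send one recursive query to a single address and look at the reply header. The following is an added example, not AAISP's scanner or code from this page; the function names, the fixed query ID and the <code>example.com</code> query name are assumptions. Run <code>probe()</code> from a host outside your own network against your own WAN address, since answers on the LAN side are expected.

```python
import socket
import struct

TXID = 0x1234  # fixed query ID, fine for a one-off self-test

def build_query(name):
    """DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def classify_response(data):
    """Classify a reply to build_query() from its 12-byte header."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:  # wrong ID, or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                          # REFUSED: access is restricted
        return "refused"
    if flags & 0x0080 and rcode == 0 and ancount > 0:  # RA set, answered
        return "open-resolver"
    return "no-recursive-answer"

def probe(ip, name="example.com", timeout=3.0):
    """Send one recursive query to ip:53/UDP and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, 53))   # connected UDP: only accept replies from ip
            s.send(build_query(name))
            return classify_response(s.recv(4096))
        except OSError:           # timeout or ICMP port unreachable
            return "no-reply"

# Constructed reply headers (not captured traffic) for offline checking.
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # QR RD RA
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # REFUSED
SAMPLE_AUTH = struct.pack("!HHHHHH", TXID, 0x8500, 1, 0, 0, 0)     # QR AA RD

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("authoritative", SAMPLE_AUTH)]:
        print(label, "->", classify_response(pkt))
```

A result of <code>open-resolver</code> from outside your network means the address is still answering recursive queries for strangers; <code>refused</code> or <code>no-reply</code> is what a restricted or firewalled server should give.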
[[Category:
[[Category:DNS]]
[[Category:Diagnostic Tools]]