Symptoms
I would like to disable DNS recursion; the PCI compliance check fails because recursive DNS queries are allowed.
Resolution
To disable recursive DNS queries, follow these steps:
Vulnerability Issue:
A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet.
1. Click Web Site Link
2. Click DNS Settings
This is where you add, modify, and delete DNS zones.
A very common PCI issue relates to DNS servers. To be PCI compliant, you must prevent DNS poisoning (a process in which DNS records are modified by an outside source, resulting in false lookups or hijacked pages).
1. Log in to your cPanel account (mydomain.com/cpanel).
2. Under the “Domains” column you will see “Subdomains”; click on this.
1. Log into WHM as the root user.
2. Click Edit DNS Zone, under “DNS Functions” on the left-side menu.
3. Choose the zone you want to add a wildcard to, and click edit.
Flush the DNS cache in Linux using the following command:
# /etc/init.d/nscd restart
1. Open Server Manager. To open Server Manager, click Start, and then click Server Manager.
2. In the results pane, under Roles Summary, click Add roles.
3. In the Add Roles Wizard, if the Before You Begin page appears, click Next.
4. In the Roles list, click DNS Server, and then click Next.
5. Read the information on the DNS Server page, and then click Next.
6. On the Confirm Installation Options page, verify that the DNS Server role will be installed, and then click Install.
An open DNS resolver provides name resolution to any client outside its LAN/WAN or authoritative domains. Open DNS resolvers are bad because they are commonly abused in DDoS attacks, spoofing, DNS cache poisoning, and much more. An open resolver lets anyone use your network resources and bandwidth. Run the following command to test your BIND DNS (or any other DNS software) server for open recursion: