My secondary authoritative DNS server (CentOS 7 – BIND 9.9, hosted in Microsoft Azure) is marked as Open Zone Transfer…
although I've added the line "recursion no" in /etc/named.conf.
This is the options section of the server's named.conf file:
options {
        // Listen on port 53 on every interface
        listen-on port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Authoritative data may be queried by anyone
        allow-query { any; };
        // Refuse AXFR/IXFR zone transfers from every client;
        // this directive, not "recursion", is what governs zone transfers
        allow-transfer { none; };
        // Authoritative-only server: do not resolve on behalf of clients
        recursion no;
        additional-from-cache no;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
Can you advise me why my authoritative server is still marked as Open Zone Transfer?
Best Answer
After 2 days of troubleshooting, the issue was fixed. I found that the CentOS version installed by Microsoft Azure by default has the dnsmasq service installed and running after the initial OS install ... when I disabled that service, BIND was working fine and the unauthorized zone transfer requests were denied as configured in named.conf ... thanks
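The two checks this thread boils down to, as an added example that is not code from either poster: first, confirm that the `options` block in named.conf actually restricts `allow-transfer` (the directive that governs AXFR; `recursion` does not), and second, confirm that `named` is the only process bound to port 53, since a stray resolver such as dnsmasq holding the port means BIND's ACLs never see the request. The named.conf parser and the `ss` output parser below are hypothetical helpers written for this example; both inputs are constructed samples (the options block as posted above, and a fabricated `ss -lunp` listing with made-up PIDs).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the options block from the question, as posted.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    allow-transfer { none; };
    recursion no;
    dnssec-validation yes;
};
"""

# Constructed sample of `ss -lunp` output (run as root so process names show),
# with hypothetical PIDs, showing dnsmasq holding UDP/53 on all interfaces.
SAMPLE_SS_OUTPUT = """
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=812,fd=4))
UNCONN 0      0        127.0.0.1:53        0.0.0.0:*    users:(("named",pid=1404,fd=20))
UNCONN 0      0          0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=700,fd=6))
"""


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments (naive: does not protect quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(conf: str, name: str) -> str:
    """Return the body of `name { ... }`, honouring nested braces."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), conf)
    if not m:
        raise ValueError("no %s block found" % name)
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %s block" % name)
    return conf[m.end():i - 1]


def split_statements(block: str) -> List[str]:
    """Split on ';' only at brace depth 0, so ACL lists stay intact."""
    stmts, cur, depth = [], [], 0
    for ch in block:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            s = "".join(cur).strip()
            if s:
                stmts.append(s)
            cur = []
        else:
            cur.append(ch)
    return stmts


def parse_options(conf: str) -> Dict[str, str]:
    """Map each option keyword to the rest of its statement, e.g. 'allow-transfer' -> '{ none; }'."""
    opts: Dict[str, str] = {}
    for stmt in split_statements(extract_block(strip_comments(conf), "options")):
        parts = stmt.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def acl_members(value: str) -> List[str]:
    """Return the entries of an address-match list such as '{ none; }'."""
    m = re.search(r"\{(.*)\}", value, flags=re.S)
    if not m:
        return []
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def audit_transfer(opts: Dict[str, str]) -> List[str]:
    """Findings for an authoritative-only server's transfer and recursion settings."""
    findings = []
    xfer = opts.get("allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set: BIND's default permits AXFR from any host")
    elif "any" in acl_members(xfer):
        findings.append("allow-transfer { any; } permits AXFR from any host")
    if opts.get("recursion", "yes") != "no":
        findings.append("recursion not disabled on an authoritative-only server")
    return findings


def port53_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """(process, pid) pairs whose local socket is bound to port 53."""
    procs = []
    for line in ss_output.splitlines():
        if not re.search(r"\S+:53\s", line):
            continue
        for name, pid in re.findall(r'\("([^"]+)",pid=(\d+)', line):
            procs.append((name, int(pid)))
    return procs


def unexpected_listeners(ss_output: str, expected=("named",)) -> List[str]:
    """Processes other than BIND that own port 53; dnsmasq here is the thread's root cause."""
    return sorted({name for name, _ in port53_listeners(ss_output) if name not in expected})


if __name__ == "__main__":
    print("config findings:", audit_transfer(parse_options(SAMPLE_NAMED_CONF)))
    print("unexpected port-53 listeners:", unexpected_listeners(SAMPLE_SS_OUTPUT))
```

On the real host, feed `parse_options` the contents of /etc/named.conf and `unexpected_listeners` the output of `ss -lunp` (and `ss -ltnp` for TCP, which is what AXFR uses); an empty findings list together with an empty listener list is the state the accepted answer reached after stopping dnsmasq.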