I did a DNS test on dnsstuff.com and it mentioned the following:
Took off 2 points since ns1.xxxxxxxx.com allows recursive lookups (if lots of people are using the server, it can slow down).
How can I disable recursive lookups?
[quote:c733491225][i:c733491225]Originally posted by jamesbond[/i:c733491225]
.
.
How can I disable recursive lookups?
[/quote:c733491225]
In /etc/named.conf, add "recursion no" within options:
options {
.
.
recursion no;
}
If I do this, will the cpanel nameservers still continue to work properly?
What are the exact implications of disabling recursive lookups?
At the moment I'm using these nameservers only for domains that are also on the same server.
I would need to allow zone transfers from certain IPs (some registries in Europe require allowing zone transfers, otherwise you can't register the domains)
Not sure why the "named.conf" file was mentioned as this seems more for the httpd.conf file.
Look for this:
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
and make sure "Off" is used instead of "On".
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
HostnameLookups Off is off on mine and I get the same as well.
Took off 2 points since ns1.blahblah.com allows recursive lookups.
Update: Did the named.conf trick and bingo:
Score: A+
Ok, now I'm really curious. I checked some of the tests at DNSstuff but was not able to find one as described in this thread. Can someone provide the exact URL or info on which test is being used?
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
Do the dns timing for the www cname, at the bottom should be the points taken off.
Losing 2 is not as bad as being penalized 8 points because you're a .ca name.
www.virtual-hosting.ca
Took off 8 points for ".ca" TLD
Now that sucks!
Regards,
David
Forum Moderator
Ok, that explains it. I do not have CNAME for my Nameservers -- only A. I had thought that A records were better to have than CNAME. Is it better to have it the other way around or, if one should have both, what files would need to be edited?
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
Well,
dnsreport.com for www.virtual-hosting.ca
PASS - OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
I am not using CNAMEs for my NS, only A records. The only error is for PTR, which I thought was weird because we do have PTR records set up.
Regards,
David
Forum Moderator
My confusion. I somehow got on to the idea to do the test for Nameservers. Once I used the Domain name only (for the A test) it worked fine. Added in the "non-recursive" option -- for others who do it, don't forget to Restart Bind -- and shall track it.
Interesting though, when I do the test for CNAME using my Domain name, I get - Answer: Does not exist. Although I know for a fact there is a CNAME entry. I don't feel so bad though as the same error shows for "virtual-hosting.ca" as well. Probably others too, although, I can only conclude it has something to do with Nameservers -- which we're pretty much agreed, should not have a CNAME entry.
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
[quote:b79c667d8a][i:b79c667d8a]Originally posted by Website Rob[/i:b79c667d8a]
Ok, now I'm really curious. I checked some of the tests at DNSstuff but was not able to find one as described in this thread. Can someone provide the exact URL or info on which test is being used?[/quote:b79c667d8a]
It is the 2nd one down on the left hand side 'DNS Timing'.
Yes A records are better than CNAME. But it is OK if you have the main A record and use CNAME for third level (eg. mail, www etc)
From dnsreport.com:
OK. You do have a CNAME record for www.yourdomain.com, which can cause some confusion. However, this is legal. Your CNAME entry also returns the A record for the CNAME entry, which is good -- otherwise, it would require an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. Note that if the CNAME points to another CNAME, it will likely cause problems.
More:
Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth.
WHM adds the CNAMEs by default for mail and www. You can manually change this to A and add the IP instead of the domain name. Otherwise what it is doing is saying yourdomain.com 'A' record is 123.456.789.012 then the CNAME of www points to yourdomain.com so the DNS is looked up again to see who yourdomain.com is (being the 'A' record).
Make sense ?
Jeff.
[quote:bdd97f2408][i:bdd97f2408]Originally posted by Website Rob[/i:bdd97f2408]
Interesting though, when I do the test for CNAME using my Domain name, I get - Answer: Does not exist. Although I know for a fact there is a CNAME entry. I don't feel so bad though as the same error shows for "virtual-hosting.ca" as well. Probably others too, although, I can only conclude it has something to do with Nameservers -- which we're pretty much agreed, should not have a CNAME entry.[/quote:bdd97f2408]
You get "Does not exist" because the domain name "virtual-hosting.ca" only has an "A" record in DNS, it's the www that is the cname to the "A" record.
Regards,
David
Forum Moderator
DOH!
I am so used to not using "www" for anything I do (testing, URLs, etc.), I forgot all about adding it in.
Also...
Jeff, your explanation is good and makes sense. Although it seems "either, or" can be used in some cases, I use CNAME for: www, mail, ftp as that is what my DC recommended. What do I know. LOL
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
[quote:64a5dcc2c9][i:64a5dcc2c9]Originally posted by leat[/i:64a5dcc2c9]
[quote:64a5dcc2c9][i:64a5dcc2c9]Originally posted by jamesbond[/i:64a5dcc2c9]
.
.
How can I disable recursive lookups?
[/quote:64a5dcc2c9]
In /etc/named.conf, add "recursion no" within options:
options {
.
.
recursion no;
}
[/quote:64a5dcc2c9]
Mmmmm although it did the trick in dnsstuff.com and dnsreport.com, I was wondering why my email was so quiet.
----- Transcript of session follows -----
... while talking to mydomain.com.:
>>> DATA
<<< 550 rejected: cannot route to sender <user@mydomain.com.au>
554 5.0.0 Service unavailable
Took the setting back off and OK for mail, now the DNS problem. Oh well will have to live with 2 points off :-(
(better than the 8 for .ca)
Jeff.
Good call Jeff, I was just starting to look into the same problem. Suddenly started getting all kinds of "failed" eMail msgs. "unrouteable mail domain" yet no problem with the Domain names they were being sent to.
Even though I had added in the missing semi-colon from the example:
options {
recursion no;
};
it still didn't seem to work properly.
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
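A way to stop answering recursive queries from the Internet without cutting off the server's own lookups, as an added example that is not from any poster in this thread. It assumes the mail failures reported above came from the server resolving sender domains through its own named (for instance 127.0.0.1 in /etc/resolv.conf), so recursion is restricted to the local host rather than switched off. The zone name, file paths and the 192.0.2.53 transfer address are placeholders.

```conf
// /etc/named.conf (fragment) -- added example, not a config from this thread.
// Assumption: this host's own resolver points at this named instance.

options {
    directory "/var/named";            // assumed path

    // Open resolver: no restriction at all, anyone can recurse through us.
    // Thread's change: "recursion no;" also refuses the host's own lookups.
    // Middle ground: keep recursion, but only for clients that need it.
    recursion yes;
    allow-recursion { localhost; };    // built-in ACL: this host's addresses

    // Authoritative answers for hosted zones stay available to everyone.
    allow-query { any; };

    // Deny zone transfers by default; open them per zone below.
    allow-transfer { none; };
};

zone "example.com" {                   // placeholder zone
    type master;
    file "/var/named/example.com.db";  // placeholder path
    // Only the registry or secondary that must pull the zone
    // (placeholder address from the documentation range).
    allow-transfer { 192.0.2.53; };
};
```

Run named-checkconf before restarting BIND, since a missing semicolon after a closing brace is a syntax error. After the restart, send a test message from the server as well as re-running the DNS report, because the report only exercises the external view.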