Open DNS Servers :: DNSReport Fix Script

[anup123]

So it did get through finally?

[DigiCrime]

Because I have a lot of servers to go thru I wrote this to help me out, if it helps anyone great, use at your own risk.

Code:

#!/bin/bash
# 3/11/06 digicrime@aol.com 
# Open DNS Patch
#
cp /etc/named.conf /etc/named.conf-$(date +%Y%m%d)
echo 'acl "trusted" {'
echo `/bin/hostname -i`\;
for i in `cat /etc/ips | cut -d ":" -f 1`
do
 echo $i\;
done
echo "};"
echo ""
echo "options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};"
echo ""
echo ""
echo ""
MHW="This will fix the Open DNS errors found from dnsreport.com Paste these results after the control }; line in /etc/named.conf. Remember to restart named after you make changes /scripts/restartsrv_named check to see if it is running as well. Run /scripts/fixndc if you get an rndc error and then restart named then use dnsreport.com making sure you do not get any Open DNS errors. If you mess up you will find a backup in /etc/named.conf-timestamp where timestamp is the current date and time you ran this script"

echo $MHW
echo " "
echo " "
echo "Backup file is /etc/named.conf-$(date +%Y%m%d)"
echo " "

save it however you want like named.patch chmod 755 then sh named.patch

It paste an output of what you need to place in named.conf.

[Radio_Head]

Because I have a lot of servers to go thru I wrote this to help me out, if it helps anyone great, use at your own risk.

Code:

#!/bin/bash
# 3/11/06 digicrime@aol.com 
# Open DNS Patch
#
cp /etc/named.conf /etc/named.conf-$(date +%Y%m%d)
echo 'acl "trusted" {'
echo `/bin/hostname -i`\;
for i in `cat /etc/ips | cut -d ":" -f 1`
do
 echo $i\;
done
echo "};"
echo ""
echo "options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};"
echo ""
echo ""
echo ""
MHW="This will fix the Open DNS errors found from dnsreport.com Paste these results after the control }; line in /etc/named.conf. Remember to restart named after you make changes /scripts/restartsrv_named check to see if it is running as well. Run /scripts/fixndc if you get an rndc error and then restart named then use dnsreport.com making sure you do not get any Open DNS errors. If you mess up you will find a backup in /etc/named.conf-timestamp where timestamp is the current date and time you ran this script"

echo $MHW
echo " "
echo " "
echo "Backup file is /etc/named.conf-$(date +%Y%m%d)"
echo " "

save it however you want like named.patch chmod 755 then sh named.patch

It paste an output of what you need to place in named.conf.

Your code works GREAT . Only one thing the code

Code:

echo "options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};"

should be replaced with

Code:

echo "options {
        directory \"/var/named\";
        version \"not currently available\";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };

};"

otherwise named will report an error.


Bye

[DigiCrime]

Thanks, I ran it on Core 2 and CentOS servers without a problem I havent tried any others yet but thanks for the correction

[Radio_Head]

me too on centos 4.2 , works perfect .

[DigiCrime]

With this, Nagios shows DNS as being down when its doing checks, im guessing because the servers IP is not in the host its checking... thats my guess, need to edit all my entries

[myusername]

Does anyone see it as a possibility for cpanel to include support for this item by patching of this in a later build?

Aside from the feature request option at bugzilla I was wondering if anyone had some insight on the matter before I do just that. IPs can change and this would be nice if it were dynamically corrected when they did vs manual editing across "x" number of servers.

[manokiss]

Hope someone help....that code is not helping, it just making dnsreport do not show the Fail warning, but the DNS continue open unless you put the "recursion no;· option, but with this option exim get skrewed so really dont know what is the solution, any idea?

[kemis]

I have just added a post to another thread:
http://forums.cpanel.net/showthread.php?p=242467

It discusses something important that no one seems to have addressed yet regarding the limitations of the "allow-recursion" option.

Please check it out.

-- Matt

[Lestat]

I have added this to my named.conf. I can recieve email from other mail servers on the net but if I were to reply to them the other end user does not receive. But if the end user has an email on the same web server they can send and receive mail. It is just an error going to other hosts like comcast or other ISP. I can only send mail to local users on the same box. I hope I don't have to add ip's for every mail server on the web in order to send/receive. That is just plain silly. Anyone else run into this problem?

Code:

acl "trusted" {
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };

};

[Bdzzld]

Hi,

Sending e-mail and the settings of your DNS servers really have *nothing* to do with each other. It may be just a coincidence...

Check your APF settings and your e-mail queue for further information...
You may just block traffic with your current firewall settings...

Regards,
Bdzzld.

[chirpy]

BTW, I've put together a perl script that's slightly different to the one posted by DigiCrimeas I found that missed out some of the ethernet devices:

Code:

#!/usr/bin/perl

@ips = `ifconfig`;
chomp @ips;

print "\n\nacl \"trusted\" {\n";
foreach my $line (@ips) {
	if ($line =~ /inet addr:(\d+\.\d+\.\d+\.\d+)/) {
		print "        $1;\n";
	}
}
print "};\n\n";
print "options {\n";
print "        directory \"/var/named\";\n";
print "        dump-file \"/var/named/data/cache_dump.db\";\n";
print "        statistics-file \"/var/named/data/named_stats.txt\";\n";
print "        version \"not currently available\";\n";
print "        allow-recursion { trusted; };\n";
print "        allow-notify { trusted; };\n";
print "        allow-transfer { trusted; };\n";
print "};\n\n"

Replace the options section in named.conf with the output from the script.

[Lestat]

BTW, I've put together a perl script that's slightly different to the one posted by DigiCrimeas I found that missed out some of the ethernet devices:

Code:

#!/usr/bin/perl

@ips = `ifconfig`;
chomp @ips;

print "\n\nacl \"trusted\" {\n";
foreach my $line (@ips) {
	if ($line =~ /inet addr:(\d+\.\d+\.\d+\.\d+)/) {
		print "        $1;\n";
	}
}
print "};\n\n";
print "options {\n";
print "        directory \"/var/named\";\n";
print "        version \"not currently available\";\n";
print "        allow-recursion { trusted; };\n";
print "        allow-notify { trusted; };\n";
print "        allow-transfer { trusted; };\n";
print "};\n\n"

I tried running this script. Either I am executing it wrong or something but not working. Can you post the steps to get this to run?

[DWHS.net]

Wow there is allot of back and forth on this issue.

I see the script from chirpy and that looks great.

But I use remote dns with the two differant class c's and hundreds of servers, is there a way to have all my i.p.'s allowed with this script?

Thanks,

[chirpy]

IIRC, you can simply use CIDR adressing, so adding a trusetd class C would only require a single line.