The Community Forums


DNS Recursion - Disable

Discussion in 'Security' started by xqdm, Oct 3, 2013.

  1. xqdm

    xqdm Member
    PartnerNOC

    Joined:
    Oct 24, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    I have 3 servers running as DNS servers

    DNS Server #1: 111.111.111.111
    DNS Server #2: 222.222.222.222
    DNS Server #3: 333.333.333.333

    The above servers are our DNS servers.

    We then have 20+ servers with over 1000 IP addresses assigned to them running web-hosting/reseller hosting etc.

    All of these servers are set up to synchronize any changes to the DNS servers only.

    Unfortunately our servers are currently set to allow recursion (not good), we are working on disabling this - however as the servers handle over 20k DNS zones we want to make sure we get it right the first time.

    So my question is, is it correct to say that the DNS servers' named.conf should include the following:

    Under the options section in named.conf
    Code:
    allow-recursion { trusted; };
    allow-notify { trusted; };
    Own section in named.conf
    Code:
    acl "trusted" { # must be defined before the options block that references it
    127.0.0.1;
    111.111.111.111; # DNS Server #1
    222.222.222.222; # DNS Server #2
    333.333.333.333; # DNS Server #3
    118.111.111.111; # IP address from resolv.conf
    118.111.111.111; # IP address from resolv.conf
    };
    
    -----------------------------------------------------------------------------------------------------

    The next issue I have is what the web servers' (not the DNS servers') named.conf should include: the same as above, or also the IP addresses assigned to the server?

    Under the options section in named.conf
    Code:
    allow-recursion { trusted; };
    allow-notify { trusted; };
    Own section in named.conf
    Code:
    acl "trusted" { # must be defined before the options block that references it
    127.0.0.1;
    111.111.111.111; # DNS Server #1
    222.222.222.222; # DNS Server #2
    333.333.333.333; # DNS Server #3
    118.111.111.111; # IP address from resolv.conf
    118.111.111.111; # IP address from resolv.conf
    1.2.3.4; # IP address assigned to the server (used for clients' dedicated IP for SSL)
    4.5.6.7; # IP address assigned to the server (used for clients' dedicated IP for SSL)
    };
    
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You only need recursion enabled on a DNS server if you want someone to be able to query that server for a domain it is not authoritative for, i.e. if you want it to answer for a domain you're not hosting and it does not have a zone file for. Most of the time you can disable recursion completely; I do on my DNS servers. Obviously disabling/limiting it is a good thing so that you're less likely to be used in DNS amplification DoS attacks.

    If the server has a zone file for the domain it is queried for, it's going to answer, even if recursion is disabled completely. The point in disabling it is so I can't query you for google.com or some other large zone file that belongs to a site you don't even host.

    You should be fine setting up both the DNS and Web servers with a trusted ACL in the named.conf to be on the safe side. Just remember all your semicolons ;)

    Also, you should not need to add IP's assigned to the server itself to the trusted ACL if 127.0.0.1 is trusted.
     
    #2 quizknows, Oct 3, 2013
    Last edited: Oct 3, 2013
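    An editorial addition to the thread, not code from any of the posters: a small Python probe that checks whether a name server will recurse for an arbitrary client, which is the property the posts above are about. It sends a recursion-desired (RD=1) query for a name the server does not host and reads the RA flag and RCODE from the reply header. A server that recursed for us sets RA and returns NOERROR with answers; a BIND server whose allow-recursion ACL excludes the client replies REFUSED with RA clear. If the reply has AA set, the server is authoritative for that name and, as the post above says, will answer regardless of recursion, so the probe reports that separately and you should retry with a name you do not host. The server addresses, the probe name example.com and the constructed sample replies used offline are this example's own assumptions; only probe servers you operate.

```python
#!/usr/bin/env python3
"""Open-recursion probe: raw DNS query, header-only reply parsing.

Added example for the cPanel forum thread, not the posters' code.
"""
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, txid=None):
    """Build a minimal DNS query for an A record with RD=1 (asking for recursion)."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = 0x0100  # RD set; QR, AA, TC, RA, RCODE all clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return txid, header + qn + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # reply
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(reply, expected_id):
    """Classify a reply to a query for a name the server should not host."""
    h = parse_header(reply)
    if h["id"] != expected_id or not h["qr"]:
        return "unclear"            # not our reply, or not a reply at all
    if h["aa"]:
        return "authoritative"      # server hosts this zone; retry with another name
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"               # it recursed for us and returned answers
    if not h["ra"] and h["rcode"] == 5:
        return "closed"             # BIND's reply when allow-recursion denies the client
    return "unclear"


def probe(server, qname="example.com", port=53, timeout=3.0):
    """Live UDP probe against one server (run it only against your own servers)."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    return classify(reply, txid)


def sample_reply(txid, ra, rcode, ancount, aa=False):
    """Constructed reply header for offline use; no question or answer sections."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 probe.py 111.111.111.111 222.222.222.222 333.333.333.333
    for target in sys.argv[1:]:
        print(target, probe(target))
```

    The same check by hand is `dig @111.111.111.111 example.com`: a server that still recurses for you shows `ra` in the flags line and answers, while a correctly restricted one reports `status: REFUSED` without `ra`. Run the probe from an address outside the trusted ACL; from a listed address (including localhost) it will always report open, which is the intended behaviour.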
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The previous post is accurate. Also, remember you are modifying the recursion value for the "External" view. It's okay to keep recursion enabled for the "Internal" view.

    Thank you.
     
  4. wanted4life

    wanted4life Member

    Joined:
    Apr 17, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Romania, bucharest
    cPanel Access Level:
    DataCenter Provider
    Recursion will not consume any resources if you keep it enabled.
    You can get up to 65000 queries per second (you will never get there), and the consumption for these queries is less than 5% of your server.
    So you can keep recursion open without any problem.
    If it is open to the public, it means that people can use your server to resolve the domains they access. Which also means that they must know that about your server, know how to modify it and why to modify it, and also they must want to use your DNS instead of others.
    Until you get so many people that you get 65000 queries every second, you would need over one billion people. Which is impossible.

    - - - Updated - - -

    However, recursion open to the public can be a security issue if you have unsecured content on a spoofed domain.

    For example:
    if you have a domain name created on your server ( [Removed] ) but the nameservers don't point to that server, it means that somebody can access the content of that website only if they use your IP address as DNS resolver.

    Some people make this mistake and do not secure the content because they are 100% sure that nobody from outside is able to access that content, since the domain is actually hosted on another server/network.
    So they don't set up any security.

    Just make sure you don't make the same mistake. I hacked plenty of pop servers and mysql databases because of spoofed domains and recursion open.
     
    #4 wanted4life, Oct 21, 2013
    Last edited by a moderator: Oct 22, 2013