DNS Recursion - Disable

xqdm

Member
Oct 24, 2006
I have 3 servers running as DNS servers

DNS Server #1: 111.111.111.111
DNS Server #2: 222.222.222.222
DNS Server #3: 333.333.333.333

The above servers are our DNS servers.

We then have 20+ servers with over 1000 IP addresses assigned to them running web-hosting/reseller hosting etc.

All of these servers are set up to synchronize any changes to the DNS servers only.

Unfortunately our servers are currently set to allow recursion (not good), we are working on disabling this - however as the servers handle over 20k DNS zones we want to make sure we get it right the first time.

So my question is, is it correct to say that the DNS servers' named.conf should include the following:

Under the options section in named.conf
Code:
allow-recursion { trusted; };
allow-notify { trusted; };
Own section in named.conf
Code:
acl "trusted" {
127.0.0.1;
111.111.111.111; # DNS Server #1
222.222.222.222; # DNS Server #2
333.333.333.333; # DNS Server #3
118.111.111.111; # IP address from resolv.conf
118.111.111.111; # IP address from resolv.conf
};
-----------------------------------------------------------------------------------------------------

The next issue I have is what the web servers' (not the DNS servers') named.conf should include: the same as above, or also the IP addresses assigned to the server?

Under the options section in named.conf
Code:
allow-recursion { trusted; };
allow-notify { trusted; };
Own section in named.conf
Code:
acl "trusted" {
127.0.0.1;
111.111.111.111; # DNS Server #1
222.222.222.222; # DNS Server #2
333.333.333.333; # DNS Server #3
118.111.111.111; # IP address from resolv.conf
118.111.111.111; # IP address from resolv.conf
1.2.3.4; # IP address assigned to the server (used for clients' dedicated IP for SSL)
4.5.6.7; # IP address assigned to the server (used for clients' dedicated IP for SSL)
};
 

quizknows

Well-Known Member
Oct 20, 2009
You only need recursion enabled on a DNS server if you want someone to be able to query that server for a domain it is not authoritative for, i.e. if you want it to answer for a domain you're not hosting and it does not have a zone file for. Most of the time you can disable recursion completely; I do on my DNS servers. Obviously disabling/limiting it is a good thing so that you're less likely to be used in DNS amplification DoS attacks.

If the server has a zone file for the domain it is queried for, it's going to answer, even if recursion is disabled completely. The point in disabling it is so I can't query you for google.com or some other large zone file that belongs to a site you don't even host.

You should be fine setting up both the DNS and Web servers with a trusted ACL in the named.conf to be on the safe side. Just remember all your semicolons ;)

Also, you should not need to add IPs assigned to the server itself to the trusted ACL if 127.0.0.1 is trusted.
 
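To check the result of the change described above from outside the trusted ACL, here is a small probe added as an example (not code from the thread): it sends one recursive A query over UDP and reports whether the server actually resolved it. It assumes the name you ask for (the placeholder `example.com`) is not one the server is authoritative for, since, as noted in the post above, an authoritative server answers for its own zones regardless of the recursion setting.

```python
import socket
import struct
import sys

def build_query(qname, qid=0x1234):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Pull the header fields relevant to recursion out of a raw DNS reply."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def recursion_open(resp):
    """True only if the server resolved a foreign name for us:
    QR set, RA (recursion available) set, RCODE NOERROR and at least one answer.
    A server with recursion disabled typically replies REFUSED (rcode 5) or
    with no answer records, both of which return False here."""
    h = parse_header(resp)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0

def probe(server, qname="example.com", timeout=3.0):
    """Send one recursive query to `server` (IP or hostname) and classify the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:  # reply must carry our transaction id
        raise ValueError("transaction id mismatch")
    return recursion_open(resp)

if __name__ == "__main__":
    # usage: python probe.py <your-dns-server> [name-you-do-not-host]
    srv = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print("recursion OPEN (server resolved a foreign name)" if probe(srv, name)
          else "recursion closed/refused")
```

Run it from a host that is not in the trusted ACL; from a trusted address an "open" result is expected and does not indicate a problem.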

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The previous post is accurate. Also, remember you are modifying the recursion value for the "External" view. It's okay to keep recursion enabled for the "Internal" view.

Thank you.
 

wanted4life

Member
Apr 17, 2010
Recursion will not consume any resources if you keep it enabled.
You can get up to 65000 queries per second (you will never get there) and the consumption for these queries is less than 5% of your server.
So you can keep recursion open without any problem.
If it is open to the public, it means that people can use your server to resolve the domains they access. Which also means that they must know that about your server, know how to modify it and why to modify it, and also they must want to use your DNS instead of others.
To get so many people that you reach 65000 queries every second, you would need over one billion people, which is impossible.


However, recursion open to the public can be a security issue if you use unsecured content on a spoofed domain.

For example:
if you have a domain name created on your server ([Removed]) but the nameservers don't point to that server, it means that somebody can access the content of that website only if they use your IP address as DNS resolver.

Some people make this mistake and do not secure the content because they are 100% sure that nobody from outside is able to access that content, since the domain is actually hosted on another server/network.
So they don't apply any security.

Just make sure you don't make the same mistake. I hacked plenty of POP servers and MySQL databases because of spoofed domains and recursion open.
 