DNS recursive lookups?

Discussion in 'Bind / DNS / Nameserver Issues' started by jamesbond, Feb 12, 2003.

  1. jamesbond

    I did a DNS test on dnsstuff.com and it mentioned the following:


    Took off 2 points since ns1.xxxxxxxx.com allows recursive lookups (if lots of people are using the server, it can slow down).


    How can I disable recursive lookups?
     
  2. leat

    Originally posted by jamesbond:
    > .
    > .
    > How can I disable recursive lookups?

    In /etc/named.conf, add "recursion no" within options:

    options {
    .
    .
    recursion no;
    }
     
  3. jamesbond

    If I do this, will the cpanel nameservers still continue to work properly?

    What are the exact implications of disabling recursive lookups?

    At the moment I'm using these nameservers only for domains that are also on the same server.

    I would need to allow zone transfers from certain IPs (some registries in Europe require allowing zone transfers, otherwise you can't register the domains).
     
  4. Website Rob

    Not sure why the "named.conf" file was mentioned as this seems more for the httpd.conf file.

    Look for this:

    #
    # HostnameLookups: Log the names of clients or just their IP addresses
    # e.g., www.apache.org (on) or 204.62.129.132 (off).
    # The default is off because it'd be overall better for the net if people
    # had to knowingly turn this feature on, since enabling it means that
    # each client request will result in AT LEAST one lookup request to the
    # nameserver.
    #
    HostnameLookups Off

    and make sure "Off" is used instead of "On".
     
  5. AusJeff

    HostnameLookups Off

    HostnameLookups Off is off on mine and I get the same as well.

    Took off 2 points since ns1.blahblah.com allows recursive lookups.

    Update: Did the named.conf trick and bingo:
    Score: A+

    :)
     
  6. Website Rob

    Ok, now I'm really curious. I checked some of the tests at DNSstuff but was not able to find one as described in this thread. Can someone provide the exact URL or info on which test is being used?
     
  7. dgbaker

    Do the dns timing for the www cname, at the bottom should be the points taken off.

    Losing 2 is not as bad as being penalized 8 points because you're a .ca name.

    www.virtual-hosting.ca

    Took off 8 points for ".ca" TLD

    Now that sucks!
     
  8. Website Rob

    Ok, that explains it. I do not have CNAME for my Nameservers -- only A. I had thought that A records were better to have than CNAME. Is it better to have it the other way around or, if one should have both, what files would need to be edited?
     
  9. dgbaker

    Well,

    dnsreport.com for www.virtual-hosting.ca

    PASS - OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.

    I am not using cnames for my ns, only A records. The only error is for ptr, which I thought was weird because we do have ptr records set up.
     
  10. Website Rob

    My confusion. I somehow got on to the idea to do the test for Nameservers. Once I used the Domain name only (for the A test) it worked fine. Added in the "non-recursive" option -- for others who do it, don't forget to Restart Bind -- and shall track it.

    Interesting though, when I do the test for CNAME using my Domain name, I get - Answer: Does not exist. Although I know for a fact there is a CNAME entry. I don't feel so bad though as the same error shows for "virtual-hosting.ca" as well. Probably others too, although, I can only conclude it has something to do with Nameservers -- which we're pretty much agreed, should not have a CNAME entry.
     
  11. AusJeff

    The 2nd one down

    Originally posted by Website Rob:
    > Ok, now I'm really curious. I checked some of the tests at DNSstuff but was not able to find one as described in this thread. Can someone provide the exact URL or info on which test is being used?

    It is the 2nd one down on the left hand side 'DNS Timing'.

    Yes A records are better than CNAME. But it is OK if you have the main A record and use CNAME for third level (eg. mail, www etc)

    From dnsreport.com:
    OK. You do have a CNAME record for www.yourdomain.com, which can cause some confusion. However, this is legal. Your CNAME entry also returns the A record for the CNAME entry, which is good -- otherwise, it would require an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. Note that if the CNAME points to another CNAME, it will likely cause problems.

    More:
    Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth.

    WHM adds the CNAME's by default for mail and www. You can manually change this to A and add the IP instead of the domain name. Otherwise what it is doing is saying yourdomain.com 'A' record is 123.456.789.012 then the CNAME of www points to yourdomain.com so the DNS is looked up again to see who yourdomain.com is (being the 'A' record).

    Make sense ?

    Jeff.
     
  12. dgbaker

    Originally posted by Website Rob:
    > Interesting though, when I do the test for CNAME using my Domain name, I get - Answer: Does not exist. Although I know for a fact there is a CNAME entry. I don't feel so bad though as the same error shows for "virtual-hosting.ca" as well. Probably others too, although, I can only conclude it has something to do with Nameservers -- which we're pretty much agreed, should not have a CNAME entry.

    You get "Does not exist" because the domain name "virtual-hosting.ca" only has an "A" record in DNS, it's the www that is the cname to the "A" record.
     
  13. Website Rob

    DOH!

    I am so used to not using "www" for anything I do (testing, URL's, etc.), I forgot all about adding it in. :p

    Also...

    Jeff, your explanation is good and makes sense. Although it seems "either, or" can be used in some cases, I use CNAME for: www, mail, ftp as that is what my DC recommended. What do I know. LOL
     
  14. AusJeff

    No Email

    Originally posted by leat:
    > Originally posted by jamesbond:
    > > .
    > > .
    > > How can I disable recursive lookups?
    >
    > In /etc/named.conf, add "recursion no" within options:
    >
    > options {
    > .
    > .
    > recursion no;
    > }

    Mmmmm although it did the trick in dnsstuff.com and dnsreport.com, I was wondering why my email was so quiet.

    ----- Transcript of session follows -----
    ... while talking to mydomain.com.:
    >>> DATA
    <<< 550 rejected: cannot route to sender <user@mydomain.com.au>
    554 5.0.0 Service unavailable


    Took the setting back off and OK for mail, now the DNS problem. Oh well will have to live with 2 points off :-(
    (better than the 8 for .ca)

    Jeff.
     
  15. Website Rob

    Good call Jeff, I was just starting to look into the same problem. Suddenly started getting all kinds of "failed" eMail msgs. "unrouteable mail domain" yet no problem with the Domain names they were being sent to.

    Even though I had added in the missing semi-colon from the example:

    options {
    recursion no;
    };

    it still didn't seem to work properly.
     
  16. jamesbond

    Originally posted by Website Rob:
    > Good call Jeff, I was just starting to look into the same problem. Suddenly started getting all kinds of "failed" eMail msgs. "unrouteable mail domain" yet no problem with the Domain names they were being sent to.
    >
    > Even though I had added in the missing semi-colon from the example:
    >
    > options {
    > recursion no;
    > };
    >
    > it still didn't seem to work properly.

    I posted earlier in the thread asking what the consequences would be of disabling recursive lookups.

    So it seems disabling it causes problems with exim, because it can't do domain lookups anymore.
     
  17. Juanra

    There is also an allow-recursion option in Bind 8 and 9.
     
  18. mrcbrown

    Try this:

    Code:
    options {
    allow-recursion { 127.0.0.1; xxx.xxx.xxx.xxx; };
    };
    Replace the blank IP listing with as many local IPs as you have, or people authorized to do recursive off your DNS server - this allows local services to use DNS lookups for mail etc.

    Hope this helps.
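
The check behind the "allows recursive lookups" warning discussed in this thread, as an added example that is not part of any post above: it sends a query with the recursion-desired bit for a name the server does not host and reads the RA flag and RCODE of the reply. The function names, the query name example.com and the sample replies are constructed for illustration.

```python
import socket
import struct

QID = 0x1234  # arbitrary query ID used by this example

def build_query(name, qid=QID):
    """A query for `name`, class IN, with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(reply, qid=QID):
    """Read the header of a reply to an RD=1 query for a name the server does not host."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not (flags & 0x8000):  # wrong ID, or QR bit clear (not a response)
        return "malformed"
    if (flags & 0x000F) == 5:               # RCODE 5 = REFUSED
        return "refused"
    if flags & 0x0080:                      # RA set: recursion is available to this client
        return "recursion-offered"
    return "no-recursion"                   # answered without offering recursion (e.g. a referral)

def probe(server, name="example.com", timeout=3.0):
    """Query `server` over UDP port 53 from the current host (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify(reply)

def sample_reply(flags):
    """Constructed reply: header with the given flags plus the echoed question, no records."""
    return struct.pack("!HHHHHH", QID, flags, 1, 0, 0, 0) + build_query("example.com")[12:]

# Constructed samples, not captured traffic.
SAMPLE_OPEN = sample_reply(0x8180)      # QR RD RA, NOERROR: recursion offered to the asker
SAMPLE_REFUSED = sample_reply(0x8105)   # QR RD, RCODE REFUSED: the server declines the query
SAMPLE_REFERRAL = sample_reply(0x8100)  # QR RD, RA clear: answered without recursion

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify(pkt))
```

Calling probe() against your own nameserver once from the server itself and once from an outside host shows whether an allow-recursion list is doing its job: only addresses on the list should get "recursion-offered".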
     