cchapoval

Member
Jul 5, 2006
I am new to HG and to dedicated servers, so for a little (lot of) help I followed the instructions posted on this forum by Serra (titled: So you just got a new dedicated server!), and option 16 says to check the DNS Report to see the errors... I did and I got 1 fail and 4 warns. I contacted the help desk and they said don't worry... so I am not worried. But just in case I am posting the errors here; if you have any comments please do so, I really appreciate it!

DNS Report Errors:

Error #1

NS - FAIL - Open DNS Errors - ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are...

Error #2

NS - WARN - Nameservers on separate class C's - Error: WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.

Error #3

SOA - WARN - SOA Refresh Value - Error: WARNING: Your SOA REFRESH interval is : 86400 seconds. This seems high. You should consider decreasing this value to about 3600-7200 seconds (or higher, if using DNS NOTIFY). RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours, with the longer time periods used for very slow Internet connections), and if you are using DNS NOTIFY the refresh value is not as important (RIPE recommend 86400 seconds if using DNS NOTIFY). This value determines how often secondary/slave nameservers check with the master for updates. A value that is too high will cause DNS changes to be in limbo for a long time.


Error #4

SOA - WARN - SOA Expire Value - Error: WARNING: Your SOA EXPIRE time is : 3600000 seconds. This seems a bit high. You should consider decreasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

Error #5

Mail - WARN - SPF Record - Error: Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).



Thanks!
 

jester.ro

Well-Known Member
PartnerNOC
Feb 6, 2004
Bucharest, Romania
Your DC is right, you shouldn't worry about those errors and warnings.

Still, I would suggest solving at least the "open DNS server" issue, just to be on the safe side. Search this forum for "open dns", or even Google, to find a way to do that. It's considered a security issue, pretty hard to exploit, but better safe than sorry.

About the warnings:

- NS's on separate C class. It is a warning because when your NS's are on the same class it's clear that they are both in the same datacenter (you can't split a C class), and it's considered non-redundant. But you clearly have both NS's on the same server, so it wouldn't really matter if you had different C class IPs for them.

- About the SOAs. Most cPanel servers run with these settings (not many change them to be according to the RFCs), so it's OK.

- SPF. Well, I don't know any important mail server that rejects your email because you don't have an SPF record. It's good to have one when someone else sends email on your behalf, so you don't get your domain marked as a spam source.
 

jester.ro

Well-Known Member
PartnerNOC
Feb 6, 2004
Bucharest, Romania
http://www.openspf.org/

You set a "TXT" entry in your DNS that lists all the possible sources of email for your domain. So when someone else sends a spoofed email on your behalf, the receiving server can verify your domain, see that you have an SPF record, and see that the email (which is probably spam or a virus) did not originate from you, thus dropping it.
 

cchapoval

Member
Jul 5, 2006
jester.ro said:
Your DC is right, you shouldn't worry about those errors and warnings.

Still, I would suggest solving at least the "open DNS server" issue, just to be on the safe side. Search this forum for "open dns", or even Google, to find a way to do that. It's considered a security issue, pretty hard to exploit, but better safe than sorry.

About the warnings:

- NS's on separate C class. It is a warning because when your NS's are on the same class it's clear that they are both in the same datacenter (you can't split a C class), and it's considered non-redundant. But you clearly have both NS's on the same server, so it wouldn't really matter if you had different C class IPs for them.

- About the SOAs. Most cPanel servers run with these settings (not many change them to be according to the RFCs), so it's OK.

- SPF. Well, I don't know any important mail server that rejects your email because you don't have an SPF record. It's good to have one when someone else sends email on your behalf, so you don't get your domain marked as a spam source.

Thank you for all the info, very well explained... For the open DNS I will try to find the solution, thanks again... and for the SPF, sorry for my ignorance, but what is SPF? I really don't have a clue...
 

cchapoval

Member
Jul 5, 2006
I have different users in different countries and also different states in the US.

With that in mind, do I have to create an SPF record for each location and/or each domain? My server has multiple domains.

Tks!
 

koolcards

Well-Known Member
Oct 8, 2003
Tampa, Fl
The header envelope contains the actual mail server sending the email, i.e., your server name. It doesn't matter what domains/customers have the right to relay their mail through the machine; the machine itself IS the mail server, and the server domain needs the SPF1 record:

like:

myserverdomain.com => TXT record => "v=spf1 a mx ptr ?all"

Your mail server domain acts as an "MX" mail record with PTR reverse for ?all on the domains on that machine, etc.

Use that wizard and it will become clear ... after a while :cool:
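The check koolcards describes, as an added example that is not code from any poster: a small SPF evaluator run against a constructed, in-memory DNS table (`myserverdomain.com` from the post above plus an invented `customer.example` zone that relays through it via `include:`). It covers the `ip4`, `a`, `mx`, `include` and `all` mechanisms with qualifiers; `ptr` and macros are deliberately not handled.

```python
import ipaddress

# Constructed, offline stand-in for DNS (example data, not a real server).
# customer.example relays its mail through myserverdomain.com, hence the include:.
DNS = {
    "myserverdomain.com": {"A": ["203.0.113.10"], "MX": ["mail.myserverdomain.com"],
                           "TXT": ["v=spf1 a mx ~all"]},
    "mail.myserverdomain.com": {"A": ["203.0.113.10"]},
    "customer.example": {"A": ["203.0.113.20"], "MX": ["mail.myserverdomain.com"],
                         "TXT": ["v=spf1 ip4:203.0.113.64/26 include:myserverdomain.com -all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None (the DNS report's warning case)."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_spf(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record and return the
    result name. Supports ip4, a, mx, include and all; ptr/exists/macros are not handled."""
    if depth > 10:
        return "permerror"          # include loop / too many lookups
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech in ("a", "mx"):
            target = arg or domain          # bare "a"/"mx" refer to the domain itself
            hosts = [target] if mech == "a" else lookup(target, "MX")
            if any(str(addr) in lookup(h, "A") for h in hosts):
                return QUALIFIERS[qual]
        if mech == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no 'all' term
```

Mail from the relay host (203.0.113.10) passes for both domains, while the customer's own web IP and an outside address fail or soft-fail depending on each record's `all` qualifier.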
 

Spiral

BANNED
Jun 24, 2005
This is an easy one! Just set up a zone file template that plays
more happily with what http://www.dnsreport.com is expecting:

Code:
; cPanel %cpversion%
; Zone file for %domain%
$TTL %ttl%
@      %nsttl%	IN      SOA     %nameserver%. %rpemail%. (
		%serial%	; serial, todays date+todays
		7200		; refresh, seconds
		900		; retry, seconds
		1209600		; expire, seconds
		42300 )		; minimum, seconds

%domain%. %nsttl% IN NS %nameserver%.
%domain%. %nsttl% IN NS %nameserver2%.

%domain%. IN A %ip%
%domain%. IN MX 0 mail.%domain%.

localhost IN A 127.0.0.1
mail IN A %ip%
www IN A %ip%
ftp IN A %ip%

%domain%. IN TXT "v=spf1 ip4:%ip% a mx a:(hostname) mx:(hostname) mx:%domain% include:(hostname) ~all"
This is a basic zone file template that will take care of anything of any
significant importance in DNS report's warning messages.

You would still have the warning regarding your DNS servers being
in the same Class C address space, but that doesn't mean anything.


IMPORTANT NOTE: Change "(hostname)" above with your server's hostname!


DNS templates are set up under the "DNS functions" section in WHM.
 

asmar

Well-Known Member
Jul 16, 2004
What about if you have a DNS cluster? In that case, is there a way to pick up the hostname automatically in order to benefit from the isp records automatically?

Thanks
 

Xiode

Well-Known Member
Oct 14, 2005
So would I add this to my zone file and update the template with this at the bottom?


Code:
%domain%. IN TXT "v=spf1 ip4:%ip% a mx a:core2.xiodehosting.com mx:core2.xiodehosting.com mx:%domain% include:core2.xiodehosting.com ~all"


How would I add this to domains already on the server....
 

kistler

Well-Known Member
Jan 27, 2005
Any way to run a command throughout all records to add an SPF record if one does not exist on an account?
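An added example, not a reply from any poster: a read-only audit of cPanel-style zone files that reports the two things this thread keeps coming back to, SOA refresh/expire values outside the ranges the DNS report quoted (the defaults Spiral's template changes to 7200 and 1209600) and zones with no SPF TXT record at all (kistler's question). The zone texts are constructed samples standing in for the files a cPanel box keeps under /var/named; the script only reports, it does not edit zones.

```python
import re

# Constructed sample zone files standing in for /var/named contents (example data).
ZONES = {
    "example.com.db": """\
@ 86400 IN SOA ns1.example.com. hostmaster.example.com. (
        2006070501 ; serial
        86400      ; refresh
        7200       ; retry
        3600000    ; expire
        86400 )    ; minimum
example.com. IN A 203.0.113.10
""",
    "example.net.db": """\
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2006070501 7200 900 1209600 42300 )
example.net. IN A 203.0.113.10
example.net. IN TXT "v=spf1 ip4:203.0.113.10 a mx ~all"
""",
}
REFRESH_RANGE = (1200, 43200)        # RFC1912 2.2 range quoted by the DNS report
EXPIRE_RANGE = (1209600, 2419200)    # 2 to 4 weeks, as the report suggests

def soa_values(text):
    """Return (refresh, expire); comments are dropped and a parenthesised SOA joined."""
    text = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    for line in text.splitlines():
        fields = line.split()
        if "SOA" in fields:
            nums = [int(f) for f in fields[fields.index("SOA") + 3:] if f.isdigit()]
            return nums[1], nums[3]  # order: serial refresh retry expire minimum
    raise ValueError("no SOA record")

def has_spf(text):
    return re.search(r'\bTXT\s+"v=spf1\b', text, re.IGNORECASE) is not None

def audit(zones):
    # Map zone file name -> list of findings; an empty list means the zone is clean.
    report = {}
    for name, text in zones.items():
        refresh, expire = soa_values(text)
        findings = []
        if not REFRESH_RANGE[0] <= refresh <= REFRESH_RANGE[1]:
            findings.append(f"SOA refresh {refresh} outside {REFRESH_RANGE}")
        if not EXPIRE_RANGE[0] <= expire <= EXPIRE_RANGE[1]:
            findings.append(f"SOA expire {expire} outside {EXPIRE_RANGE}")
        if not has_spf(text):
            findings.append("no SPF TXT record")
        report[name] = findings
    return report
```

On a real server, load `ZONES` from the zone files instead of the inline samples and add the missing records through WHM's DNS functions.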