The Community Forums


dns server recursive lookups bad?

Discussion in 'Bind / DNS / Nameserver Issues' started by Jeff-C, Mar 2, 2006.

  1. Jeff-C

    Jeff-C Well-Known Member

    DNS report reports:

    Test Name:
    Open DNS servers

    Status:
    Fail

    ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it. This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

    Server x.x.x.1. reports that it will do recursive lookups.
    Server x.x.x.2. reports that it will do recursive lookups.
    Server x.x.x.3. reports that it will do recursive lookups.

    I believe this used to be listed as a warning since I set up my cPanel server two years ago, but I never thought much of it. Now that they have changed the status to fail, I assume they are aware of real-world problems caused by it beyond just a tiny tiny bit of load.

    1.) Is setting named to allow recursive lookups the default for cPanel, or have I done something wrong?

    2.) Are people following dnsreport.com's advice now and turning recursive lookups off so cPanel DNS will only reply for domains specifically hosted by our servers?

    3.) How would this be done?
     
  2. sawbuck

    sawbuck Well-Known Member

  3. Jeff-C

    Jeff-C Well-Known Member

    So what is the correct way to turn off recursion without breaking anything on a whm/cpanel server?

    Is this the correct thing to add to the named.conf

    options {
    allow-recursion { 127.0.0.1; xxx.xxx.xxx.xxx; };
    };

    with xxx.xxx.xxx.xxx being the server's primary IP used for exim?
     
  4. sawbuck

    sawbuck Well-Known Member

    In addition to 127.0.0.1 that line should include all IPs on the server plus other IPs that you want to allow recursion.

    ACLs are another way to handle this.
    http://www.net.cmu.edu/groups/netdev/docs/bind9/Bv9ARM.ch07.html

    For instance we use this type of config:
    acl "trusted" {
    "main server IP";
    127.0.0.1;
    "name server IP";
    "name server IP";
    "additional secondary name server IP";
    "and so on";

    };
    options {
    directory "/var/named";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    };
     
    #4 sawbuck, Mar 2, 2006
    Last edited: Mar 2, 2006
  5. Jeff-C

    Jeff-C Well-Known Member

    Thank you very very much. Works like a charm and is a nice and neat solution. Many thanks.
     
  6. fdesign

    fdesign Member

    I just noticed the same thing when I was performing a DNS check on one of my domains.


    Sawbuck

    The example config you provided...is that intended for named.conf or is it for another file?

    Also, I'm assuming it would go before everything else.
     
  7. Jeff-C

    Jeff-C Well-Known Member

    I used the above code in /etc/named.conf (without the quotes in the acl section)
     
    #7 Jeff-C, Mar 3, 2006
    Last edited: Mar 3, 2006
  8. sawbuck

    sawbuck Well-Known Member

    As Jeff-C said and before the domain entries.
     
  9. verdon

    verdon Well-Known Member

    Hi,

    I've tried this and have a couple questions...

    I built up a couple ACLs using sawbuck's example as well as some of the info at the link he provided. These are the ACLs...

    // Set up an ACL named bogusnets that will block RFC1918 space,
    // which is commonly used in spoofing attacks.
    acl bogusnets {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    192.0.2.0/24;
    224.0.0.0/3;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    };

    // Set up an ACL named trusted that includes our IPs as well as those
    // for our provider's back-up nameservers
    acl trusted {
    127.0.0.1;
    xx.xx.xxx.xx; // my IPs
    xx.xx.xxx.xx;
    xx.xx.xxx.xx;
    xx.xx.xxx.xx; // some IPs for my DC back-up DNS server
    xx.xx.xxx.xx;
    };

    Then I added these lines to my options statement

    options {
    directory "/var/named";
    // the next 6 directives added by verdon see above
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    blackhole { bogusnets; };
    allow-query { trusted; };
    };

    Although this stuff seems to work, I notice a couple things...
    1) DNSreports is now saying my primary nameserver (on my primary IP) is LAME. If I comment out the new options and re-start BIND, the LAME nameserver error goes away.

    2) When I restart BIND there are immediately a number of failed queries such as:
    Mar 3 11:47:30 rhythm named[10672]: client 211.78.130.2#41775: query 'domain.com/IN' denied
    The IP 211.78.130.2 routes to ns2.sparqnet.net, which seems to be a hosting company in Taiwan. Is blocking this a good thing?

    Basically, I guess I'm asking, am I blocking too much with my additions to named.conf? Are there any thoughts about how to keep the recursive look-ups private without getting the lame nameserver error? Are the issues related?

    Thanks :)
     
  10. Stefaans

    Stefaans Well-Known Member

    Thanks all, this is very useful info.

    Verdon, bearing in mind that I am not the Bind expert here, I wonder if your allow-query { trusted; }; entry is not too restrictive. Does that not block all queries from outside?
     
  11. verdon

    verdon Well-Known Member

    LOL, me neither!

    Yes, I believe that it would. I guess that I'm just wondering out loud, which outside queries I would want to allow? I was working from the example here
    http://www.net.cmu.edu/groups/netdev/docs/bind9/Bv9ARM.ch07.html
     
  12. ryan.overton

    ryan.overton Active Member

    Does it matter where in named.conf this is placed?
     
  13. Jeff-C

    Jeff-C Well-Known Member

    That's the only thing I see different between yours and mine: I did not restrict queries, only transfer, notify, and recursion.
     
  14. Jeff-C

    Jeff-C Well-Known Member

    I placed the acl definitions right above my options section and do not have a problem.
     
  15. verdon

    verdon Well-Known Member

  16. wptechno

    wptechno Active Member

    Hey guys,

    I've been working on this and now my named service won't restart. I even put named.conf back to its original state and it still won't restart.

    And now dnsreports is just giving me all kinds of errors. I think the fixes will work if I can get it restarted. Any help would be great.
     
  17. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    It is difficult to say without looking into your server and seeing what you did to cause all these problems. sawbuck and Jeff-C gave good info on how to get the recursive feature up and running.
     
  18. wptechno

    wptechno Active Member

    I used Configuration File Rollback in whm (awesome feature by the way!) and it took some time but everything restarted correctly. Still have the dns issue though, so I'm just going to have someone do it for me. Thanks for your time.
     
  19. chirpy

    chirpy Well-Known Member

  20. djmerlyn

    djmerlyn Well-Known Member

    I'm just curious, with the glorification of code...could something quite simple be missing?

    I wonder, why isn't this adequate?

    options {
    directory "/var/named";
    recursion no;
    };

    I'm not sure what the side effects are just yet, haven't seen any problems or had anything "funky" reported. It causes reports to pass...

    This is in a 10 server cluster using 2 servers ns1 on 1 and ns2 on 2...all other servers use these 2 servers for DNS.

    Just curious about long-term problems? And what exactly is the reason for having all those IPs on the list of allowed rather than simply disallowing recursion?

    Does a server on the cPanel cluster really need recursion? It was my impression that the DNS record is served from the main server and, so long as everything resolves...we're golden.

    I'm just wondering if, in all the code in all the threads about this, something blatantly simple was passed over, or if I'm going to be facing "Montezuma's revenge" any moment now...
     
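A small named.conf auditor, added here as an example (it is not code from the thread, from cPanel or from ISC), that reads the kind of configuration sawbuck, verdon and djmerlyn posted and reports which of the three problems discussed in the thread a given options block leaves open: recursion open to anyone, zone transfers open to anyone, and an allow-query so tight that outside resolvers cannot reach the zones (the LAME result verdon saw). The parser, the sample configs and the 192.0.2.x addresses are constructed; treating an unspecified allow-recursion or allow-transfer as "any" matches the BIND 9.2/9.3 defaults of the time and is an assumption stated in the code.

```python
import re
# Constructed sample configs modelled on the thread; 192.0.2.x are documentation addresses.
ACL_STYLE = """acl trusted { 127.0.0.1; 192.0.2.10; 192.0.2.11; };
options { directory "/var/named"; allow-recursion { trusted; };
          allow-notify { trusted; }; allow-transfer { trusted; }; };"""
QUERY_LOCKED = ACL_STYLE.replace("allow-transfer", "allow-query { trusted; };\n    allow-transfer")
STOCK = 'options { directory "/var/named"; };'                  # nothing restricted at all
RECURSION_OFF = 'options { directory "/var/named"; recursion no; };'

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)           # /* ... */ blocks
    return re.sub(r"(//|#)[^\n]*", "", text)                     # // and # to end of line

def _block(text, start):  # contents of the brace block whose '{' sits at text[start]
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def _tokens(body):  # "a; b; c;" -> ["a", "b", "c"], quotes dropped
    return [t.strip().strip('"') for t in body.split(";") if t.strip()]

def parse_named_conf(text):
    """Return ({acl name: [entries]}, {option: value}); brace-list values become Python lists."""
    text = _strip_comments(text)
    acls, opts = {}, {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text):
        acls[m.group(1)] = _tokens(_block(text, m.end() - 1))
    m = re.search(r"\boptions\s*\{", text)
    if m:
        for s in re.finditer(r"([\w-]+)\s+(\{[^}]*\}|[^;{]+);", _block(text, m.end() - 1)):
            key, val = s.group(1), s.group(2).strip()
            opts[key] = _tokens(val[1:-1]) if val.startswith("{") else val.strip('"')
    return acls, opts

def audit(text):
    """Flag the thread's three issues; missing allow-recursion/allow-transfer count as 'any' (assumed BIND 9.2/9.3 default)."""
    acls, opts = parse_named_conf(text)
    def expand(entries):  # resolve ACL names (recursively) into the concrete entries they stand for
        return [x for e in entries for x in (expand(acls[e]) if e in acls else [e])]
    findings = []
    if opts.get("recursion") != "no" and "any" in expand(opts.get("allow-recursion", ["any"])):
        findings.append("open recursion: any host may use this server as a resolver")
    if "any" in expand(opts.get("allow-transfer", ["any"])):
        findings.append("open zone transfer: any host may pull your zones")
    if "any" not in expand(opts.get("allow-query", ["any"])):
        findings.append("allow-query restricted: outside resolvers cannot reach your zones (lame)")
    return findings
```

`recursion no;` is reported as closed for every client, localhost included, so a box whose own services use named as their resolver (Jeff-C's exim case) is the one that needs the allow-recursion list instead; note that djmerlyn's snippet still leaves allow-transfer at its default.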