dns server recursive lookups bad?

djmerlyn

Well-Known Member
Aug 31, 2004
Wait, I see now...you turn that on and you can't send mail to places like yahoo, aol, msn...

So, back to where we started I suppose... Does this mean that in order to send email out to these places, I also need to allow their IPs recursion? I can't see how adding my own IPs to the allowed list will make these remote sites accessible via email.

Or do these providers need to stop doing recursive lookups on email sent to them...hmm...

Curious...it seems like a wicked loop that anyone can get lost in...
 

Jeff-C

Well-Known Member
Mar 16, 2004
Adding your own server IPs to the recursion-allowed list will allow you to send mail to anywhere as before.
 

djmerlyn

Well-Known Member
Aug 31, 2004
But I was under the impression that these remote mail folks did recursive lookups and if it fails they bounce it?

The reverse DNS thing with AOL stands out at me right up front...

I understand putting in the local IPs will resolve:

unrouteable mail domain "yahoo.com"

But so now that it's routable, what is yahoo or AOL going to think about it when looking backwards (in reverse)...

Thanks for helping end the confusion ;)
 

widesurf

Member
Apr 20, 2006
How to open named.conf

Hello,

Could anyone tell me how I actually get into (or open) named.conf ?
I know it's located in the etc/ folder.

I assume you are using SSH/Shell Access in cpanel?
I've tried to enter "vi named.conf", but there are no info displayed.

Could anyone shed some light on this.

Thanks in advance,

Oddvin
 

widesurf

Member
Apr 20, 2006
named.conf

I was finally able to edit named.conf, and after I made
the change dnsreport.com stated PASS on Open DNS servers ;)

However, my server monitoring stated DNS : This test failed!

Here's what my named.conf looked like:


options {
    directory "/var/named";
    allow-recursion { 127.0.0.1; 69.10.154.129; 69.10.154.130; };
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

Does anyone have any idea what could be wrong?

Oddvin
DirectNetMarketing.com
 

widesurf

Member
Apr 20, 2006
Thanks

I finally guessed that was the reason and it's good to have it answered here ;)

However, (don't know if this matters), but when restarting DNS server (Named)
it says:

loading configuration from '/etc/named.conf'
Apr 23 11:35:06 server named[25341]: no IPv6 interfaces found
Apr 23 11:35:06 server named[25341]:

Should I worry :eek:


Thanks for your outstanding support on this forum !

Oddvin
 

easyhoster1

Well-Known Member
Sep 25, 2003
widesurf said:
I finally guessed that was the reason and it's good to have it answered here ;)

However, (don't know if this matters), but when restarting DNS server (Named)
it says:

loading configuration from '/etc/named.conf'
Apr 23 11:35:06 server named[25341]: no IPv6 interfaces found
Apr 23 11:35:06 server named[25341]:

Should I worry :eek:


Thanks for your outstanding support on this forum !

Oddvin
No, no need to worry, that is for IP version 6 which will someday include six sets of octets numbers 123.345.678.2.3 because IP version 4 is running out of available octets.
 

jackie46

BANNED
Jul 25, 2005
sawbuck said:
In addition to 127.0.0.1 that line should include all IPs on the server plus other IPs that you want to allow recursion.

ACLs are another way to handle this.
http://www.net.cmu.edu/groups/netdev/docs/bind9/Bv9ARM.ch07.html

For instance we use this type of config:
acl "trusted" {
    "main server IP";
    127.0.0.1;
    "name server IP";
    "name server IP";
    "additional secondary name server IP";
    "and so on";
};
options {
    directory "/var/named";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
From my personal experience, this setup is far from perfect and we have seen far too many issues with it. For example, once this is implemented there will be a noticeable increase in the dreaded "UNROUTABLE DOMAIN" issue in the mail logs. We tested one of our servers using this setup and within 2 weeks every single message being sent to the server was reporting an unroutable issue, obviously DNS related. Once we restored our backup all the problems went away. So I suggest that if you implement this modification you watch your maillog carefully!!!
 
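The "unrouteable mail domain" problem jackie46 warns about and the fix sawbuck's ACL is meant to provide come down to one question: does the allow-recursion list actually cover the server's own addresses, 127.0.0.1 included, that the local mail server's lookups come from? The following is an added example, not code from this thread or from BIND: it parses a named.conf fragment (the sample is constructed, modelled on the configs posted above), expands named ACLs, and reports any local IP that would be refused recursion, so the check can run before named is restarted.

```python
import ipaddress
import re
# Constructed sample modelled on the configs posted in this thread; not a real server's file.
SAMPLE_NAMED_CONF = """
acl "trusted" {
    127.0.0.1;
    69.10.154.129;   // name server IP
    // 69.10.154.130 was forgotten here
};
options {
    allow-recursion { trusted; };
};
"""

def _entries(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def _parse_lists(named_conf):
    # Strip /* */, // and # comments (all accepted by named.conf), then collect acl blocks and the allow-recursion list
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S))
    acls = {n: _entries(b) for n, b in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text)}
    m = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", text)
    return acls, (_entries(m.group(1)) if m else None)

def _expand(entries, acls, seen=frozenset()):
    # Flatten references to named ACLs (possibly nested) into plain address terms
    out = set()
    for e in entries:
        name = e.strip('"')
        if name in acls and name not in seen:
            out |= _expand(acls[name], acls, seen | {name})
        else:
            out.add(name)
    return out

def _covers(term, ip):
    # Builtin ACLs "any" and "localhost"; otherwise a literal address or prefix
    if term == "any" or (term == "localhost" and ip.is_loopback):
        return True
    try:
        return ip in ipaddress.ip_network(term, strict=False)
    except ValueError:
        return False  # keys, "none", "localnets" and negations are not evaluated here

def missing_local_ips(named_conf, local_ips):
    """Host IPs (loopback included) not covered by allow-recursion; None if the directive is absent."""
    acls, recursion = _parse_lists(named_conf)
    if recursion is None:
        return None  # no restriction at all: the server answers recursive queries for anyone
    allowed = _expand(recursion, acls)
    return sorted(ip for ip in {"127.0.0.1", *local_ips}
                  if not any(_covers(t, ipaddress.ip_address(ip)) for t in allowed))
```

Run it with the list of addresses bound on the server; any IP it returns is one the mail server's resolver queries would be refused from, which is exactly when the unroutable-domain bounces start.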