how to disable open dns resolver in cpanel.

[imran_khan]

Hello,

My DNS server IP is blacklisted in RBL. So I have checked and found that , open dns resolver is enabled in my server.

#cat /var/named/chroot/etc/named.conf | grep recursion
recursion yes;
recursion yes;
recursion no;
// you'd probably want to deny recursion to external clients, so you don't

I want to disable this setting permanently for whitelist my DNS server.
I am little bit confused in which recursion option should be disabled? Please let me know.

---------------------------
view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { 127.0.0.0/24; };
match-destinations { localhost; };
recursion yes;
------------------------------------
view "internal" {
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
--------------------------------------
view "external" {
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
--------------------------------------

Thanks,
Imran Khan.

 

[cPanelMichael]

Hello

Those are the default settings for the /etc/named.conf file with cPanel. It's the external view where you should ensure recursion is denied for external clients.

Thank you.

 

[imran_khan]

Hello Michael,

Thanks for the reply. I have already set recursion no; in view "external" section but my server is resolving external domain from the server.
So is recursion disabled or not for me. Please see the output.

# dig redhat.com @ns2.example.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> redhat.com @ns2.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33248
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;redhat.com. IN A

;; ANSWER SECTION:
redhat.com. 60 IN A 209.132.183.181

;; AUTHORITY SECTION:
redhat.com. 600 IN NS ns2.redhat.com.
redhat.com. 600 IN NS ns3.redhat.com.
redhat.com. 600 IN NS ns4.redhat.com.
redhat.com. 600 IN NS ns1.redhat.com.

;; Query time: 785 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Mon Sep 2 14:47:16 2013
;; MSG SIZE rcvd: 116

where,
ns2.example.com is my DNS server name.
10.10.10.10 is my DNS server IP.

Thanks,
Imran Khan.

 

[cPanelMichael]

Are you running the dig command from the NS2 server, or from another remote machine?

Thank you.

 

[imran_khan]

Hello,

From the NS2 server only.

Thanks,
Imran Khan.

 

[cPanelMichael]

You will need to run that command from a remote server or your local computer to get an accurate result. You will not be denied access if you are making the request from the local server.

Thank you.

 

[imran_khan]

Hello Michael,

I have checked from the remote server. Please find the out put form the same.

# dig redhat.com @ns2.example.com

; <<>> DiG 9.3.4-P1 <<>> redhat.com @ns2.example.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9956
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;redhat.com. IN A

;; AUTHORITY SECTION:
com. 169548 IN NS i.gtld-servers.net.
com. 169548 IN NS j.gtld-servers.net.
com. 169548 IN NS k.gtld-servers.net.
com. 169548 IN NS l.gtld-servers.net.
com. 169548 IN NS m.gtld-servers.net.
com. 169548 IN NS a.gtld-servers.net.
com. 169548 IN NS b.gtld-servers.net.
com. 169548 IN NS c.gtld-servers.net.
com. 169548 IN NS d.gtld-servers.net.
com. 169548 IN NS e.gtld-servers.net.
com. 169548 IN NS f.gtld-servers.net.
com. 169548 IN NS g.gtld-servers.net.
com. 169548 IN NS h.gtld-servers.net.

;; Query time: 26 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Mon Sep 2 15:43:25 2013
;; MSG SIZE rcvd: 252

Thanks,
Imran Khan.

 

[cPanelMichael]

Yes, notice the difference between:

;; ANSWER SECTION:
redhat.com. 60 IN A 209.132.183.181

And:

;; QUESTION SECTION:
;redhat.com. IN A

As you can see, you can not determine the IP address with the second output you pasted.

Thank you.

 

[imran_khan]

Hello Michael,

Thanks. This mean my DNS server is not configured as open dns resolver?
Please let me know, the cause of DNS server IP blacklisting RBL?

Thanks,
Imran Khan.

 

[imran_khan]

Hello,

My DNS server showing blacklisted in Nagios system but when it checked from the various web site and showing this ip is not listed. Please suggest me on the same.

CHECK_RBL CRITICAL - (3 servers timed out: spamguard.leadmon.net, bhnc.njabl.org, bl.technovision.dk) (dnsbl.solid.net)

Thanks,
Imran Khan.

 

[cPanelMichael]

You would have to contact the administrators of those lists to determine why your IP address may or may not be listed. Or, if you only notice the issue with Nagios, check with Nagios support to see why that is.

Thank you.

 

[imran_khan]

Hello Michael,

Correct. My server is not blacklisted, getting server time out error with RBL list domains.
I have removed dnsbl.solid.net domain from the check_rbl command definition after that this error gone from the Nagios system.

Thanks,
Imran Khan.