The Community Forums


How to disable open DNS resolver in cPanel

Discussion in 'Security' started by imran_khan, Sep 2, 2013.

  1. imran_khan

    imran_khan Well-Known Member

    Joined:
    Jun 10, 2013
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello,

    My DNS server IP is blacklisted in an RBL. So I have checked and found that an open DNS resolver is enabled on my server.

    #cat /var/named/chroot/etc/named.conf | grep recursion
    recursion yes;
    recursion yes;
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't

    I want to disable this setting permanently so I can whitelist my DNS server.
    I am a little bit confused about which recursion option should be disabled. Please let me know.

    ---------------------------
    view "localhost_resolver" {
    /* This view sets up named to be a localhost resolver ( caching only nameserver ).
    * If all you want is a caching-only nameserver, then you need only define this view:
    */
    match-clients { 127.0.0.0/24; };
    match-destinations { localhost; };
    recursion yes;
    ------------------------------------
    view "internal" {
    /* This view will contain zones you want to serve only to "internal" clients
    that connect via your directly attached LAN interfaces - "localnets" .
    */
    match-clients { localnets; };
    match-destinations { localnets; };
    recursion yes;
    --------------------------------------
    view "external" {
    /* This view will contain zones you want to serve only to "external" clients
    * that have addresses that are not on your directly attached LAN interface subnets:
    */
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    --------------------------------------

    Thanks,
    Imran Khan.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Those are the default settings for the /etc/named.conf file with cPanel. It's the external view where you should ensure recursion is denied for external clients.

    Thank you.
     
  3. imran_khan

    imran_khan Well-Known Member

    Hello Michael,

    Thanks for the reply. I have already set recursion no; in the view "external" section, but my server is resolving external domains from the server.
    So is recursion disabled or not for me? Please see the output.

    # dig redhat.com @ns2.example.com

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> redhat.com @ns2.example.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33248
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;redhat.com. IN A

    ;; ANSWER SECTION:
    redhat.com. 60 IN A 209.132.183.181

    ;; AUTHORITY SECTION:
    redhat.com. 600 IN NS ns2.redhat.com.
    redhat.com. 600 IN NS ns3.redhat.com.
    redhat.com. 600 IN NS ns4.redhat.com.
    redhat.com. 600 IN NS ns1.redhat.com.

    ;; Query time: 785 msec
    ;; SERVER: 10.10.10.10#53(10.10.10.10)
    ;; WHEN: Mon Sep 2 14:47:16 2013
    ;; MSG SIZE rcvd: 116

    where,
    ns2.example.com is my DNS server name.
    10.10.10.10 is my DNS server IP.

    Thanks,
    Imran Khan.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. imran_khan

    imran_khan Well-Known Member

    Hello,

    From the NS2 server only.

    Thanks,
    Imran Khan.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You will need to run that command from a remote server or your local computer to get an accurate result. You will not be denied access if you are making the request from the local server.

    Thank you.
     
  7. imran_khan

    imran_khan Well-Known Member

    Hello Michael,

    I have checked from the remote server. Please find the output from the same.

    # dig redhat.com @ns2.example.com

    ; <<>> DiG 9.3.4-P1 <<>> redhat.com @ns2.example.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9956
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;redhat.com. IN A

    ;; AUTHORITY SECTION:
    com. 169548 IN NS i.gtld-servers.net.
    com. 169548 IN NS j.gtld-servers.net.
    com. 169548 IN NS k.gtld-servers.net.
    com. 169548 IN NS l.gtld-servers.net.
    com. 169548 IN NS m.gtld-servers.net.
    com. 169548 IN NS a.gtld-servers.net.
    com. 169548 IN NS b.gtld-servers.net.
    com. 169548 IN NS c.gtld-servers.net.
    com. 169548 IN NS d.gtld-servers.net.
    com. 169548 IN NS e.gtld-servers.net.
    com. 169548 IN NS f.gtld-servers.net.
    com. 169548 IN NS g.gtld-servers.net.
    com. 169548 IN NS h.gtld-servers.net.

    ;; Query time: 26 msec
    ;; SERVER: 10.10.10.10#53(10.10.10.10)
    ;; WHEN: Mon Sep 2 15:43:25 2013
    ;; MSG SIZE rcvd: 252

    Thanks,
    Imran Khan.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, notice the difference between:

    Code:
    ;; ANSWER SECTION:
    redhat.com. 60 IN A 209.132.183.181
    
    And:

    Code:
    ;; QUESTION SECTION:
    ;redhat.com. IN A
    As you can see, you cannot determine the IP address with the second output you pasted.

    Thank you.
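
    A small check for the behaviour Michael describes, written as an added example (not code from this thread, from cPanel or from BIND): it parses dig's header line and reports a server as an open resolver only when a query for a zone it does not serve comes back with the ra flag set, no aa flag, and a populated ANSWER section. The two captures are constructed from the outputs posted above; as Michael notes, the real check only means something when the dig text comes from a host outside the server.

```python
import re

# Two dig captures, constructed here from the outputs posted in this thread:
# the first was run on the nameserver itself, the second from a remote host.
LOCAL_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33248
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; ANSWER SECTION:
redhat.com. 60 IN A 209.132.183.181
"""
REMOTE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9956
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; AUTHORITY SECTION:
com. 169548 IN NS a.gtld-servers.net.
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_dig(output):
    """Return (status, header flags, section counts) from dig's text output."""
    status, flags, counts = None, set(), {}
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            counts = dict(zip(("query", "answer", "authority", "additional"),
                              (int(n) for n in m.groups()[1:])))
    return status, flags, counts


def is_open_resolver(output):
    """True when the server recursed for us on a zone it does not own:
    'ra' advertised, no 'aa' (authoritative) flag, and answers returned."""
    status, flags, counts = parse_dig(output)
    return (status == "NOERROR" and "ra" in flags and "aa" not in flags
            and counts.get("answer", 0) > 0)


if __name__ == "__main__":
    for label, cap in (("on the server", LOCAL_DIG), ("from remote", REMOTE_DIG)):
        print(f"{label}: open resolver = {is_open_resolver(cap)}")
```

    Querying a name the server is authoritative for would set aa and is deliberately not counted; only third-party names like redhat.com above tell you whether recursion is offered to outsiders.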
     
  9. imran_khan

    imran_khan Well-Known Member

    Hello Michael,

    Thanks. This means my DNS server is not configured as an open DNS resolver?
    Please let me know the cause of the DNS server IP being blacklisted in the RBL?

    Thanks,
    Imran Khan.
     
  10. imran_khan

    imran_khan Well-Known Member

    Hello,

    My DNS server is showing as blacklisted in the Nagios system, but when I checked from various web sites they show this IP is not listed. Please advise me on the same.

    CHECK_RBL CRITICAL - (3 servers timed out: spamguard.leadmon.net, bhnc.njabl.org, bl.technovision.dk) (dnsbl.solid.net)

    Thanks,
    Imran Khan.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You would have to contact the administrators of those lists to determine why your IP address may or may not be listed. Or, if you only notice the issue with Nagios, check with Nagios support to see why that is.

    Thank you.
     
  12. imran_khan

    imran_khan Well-Known Member

    Hello Michael,

    Correct. My server is not blacklisted; I was getting a server timeout error with the RBL list domains.
    I have removed the dnsbl.solid.net domain from the check_rbl command definition, and after that this error is gone from the Nagios system.

    Thanks,
    Imran Khan.
     