Open DNS Servers :: DNSReport Fix Script

[shashank]

Hello,

Many of you might have noticed the following error on the dnsreport for your domain.

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

I have prepared a small code snippet which will help you to fix that error for all the domains on your server. Just wanted to share this with you all who have this issue. Beware that this code works for only cpanel servers. Following is the exact procedure. Be sure to take a backup of your named.conf for recouvery measures before hand.

1. Login to your server as root.

2. Wget and run the script as :

http://shashank.net/scripts/named.patch
sh named.patch

3. It will provide you with an output like :

allow-recursion {
127.0.0.1;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
};

4. Copy and paste this code in the Options section of your named.conf. Something like :

options {
            options {
        directory "/var/named";
        allow-recursion {
        127.0.0.1;
        xxx.xxx.xxx;
        .... ....
        .... ....
};
};

5. Save named.conf and restart the named service. All all zones to load and check dns report now. The open nameservers warning no longer shows up. Hope it works fine for you. Any additions, corrections welcome.

 

[HawkeVIPER]

Vps

Here's a modified version of shashank's script, for use with virtuozzo based VPS:

echo "allow-recursion {"
echo "127.0.0.1;"
for i in `ifconfig | grep venet0: -A 1| grep addr: | awk '{print $2}' | cut -d":" -f2`
do
echo $i\;
done
for a in `cat /etc/resolv.conf | tr -s " " " " | cut -d " " -f2 | grep -v \`/bin/hostname -i\``
do
echo $a\;
done
echo "};"

--HV

 

[shashank]

thanks HawkeVIPER

 

[CoolMike]

Hi

What's the reason to search for entries in the /etc/resolv.conf file? I have there only 2 IP's from my upstream DNS server. Is it not enough to list there the IP's which the server is using?

Just to be sure, the whole thing is, to protect your nameservers, that others are not able to use them. it's just for the own server, right?

Michael

 

[chirpy]

I don't understand why you're messing around with resolv.conf it has anything whatsoever to do with the issue of DNS server recursion.

All you need do is has been posted many a time before:
http://forums.cpanel.net/showthread.php?t=15922

In summary:
http://forums.cpanel.net/showpost.php?p=217540&postcount=27

 

[shashank]

I tried this on two servers before writing the script. One of the server was not able to resolve any domains until I included the resolv.conf ips in the list of allow-recursions that is why I added those IPs. I am not sure why but I will try to find out when I get a chance.

 

[chirpy]

That's because you have to list the IP that do need to do recursion lookups, or that will request transfer requests (e.g. slave DNS servers if used). Presumably those IP's that you have put in resolv.conf are local to the server.

 

[Snowman30]

Jonathon i edited named.conf as you suggested in another post

//acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
};

options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	 // query-source address * port 53;
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};

which you mentioned worked fine...

This closed up the open dns issue but Problem is now mail isnt being delivered to or from the server with unroutable domain errors

I know im missing somethign really obvious here but what is it?

 

[manokiss]

Wondering if you found a solution for this, also our Dc recommended add recursion no; but doing this exim is not resolving the domains.

No make sense have the allow-recursion with some ip´s when the recursion default is yes by default, so in the options above is the same as have recursion yes;

any idea?

thanx!

 

[chirpy]

Jonathon i edited named.conf as you suggested in another post
which you mentioned worked fine...

This closed up the open dns issue but Problem is now mail isnt being delivered to or from the server with unroutable domain errors

I know im missing somethign really obvious here but what is it?

Did you definitely list the IP's you use for DNS lookups of your own server in the ACL. Your lookup IP's are listed in /etc/resolv.conf and any of those that are on your own server need to be listed - as well as 127.0.0.1

 

[manokiss]

hello chirpy, yes, i listed them, but once i add recursion no; in the options exim start failing with the unroutable domain error.

thanx!

 

[anup123]

I don't understand why you're messing around with resolv.conf it has anything whatsoever to do with the issue of DNS server recursion.

All you need do is has been posted many a time before:
http://forums.cpanel.net/showthread.php?t=15922

In summary:
http://forums.cpanel.net/showpost.php?p=217540&postcount=27

Would it be necessary to blackhole BOGON IP's in named.conf or it would be an overkill?

TIA
Anup

 

[Ronny]

It's recommmended to put your DC's outgoing resolvers in /etc/resolv.conf

If you have that in there instead of your own IPs, recursion no; will work.

 

[Bdzzld]

Hi,

I've successfully made all changes to the named.conf file and DNSreport reports there no Open DNS servers. I was wondering which IP-addresses should be in the :

acl "trusted" { ... };

part. Let's say I've a DNS cluster setup with the following IP-addresses :

[server 1 ]
main IP = 1.1.1.2
DNS1 = 1.1.1.3
DNS2 = 1.1.1.4
add. IP = 1.1.1.5

[server 2 ]
main IP = 2.2.2.1
DNS3 = 2.2.2.2
add. IP = 2.2.2.3
add. IP = 2.2.2.4

Question : Which IP-addresses should be used on server 1, server 2 or on both servers ?

Thanks.

 

[chirpy]

Would it be necessary to blackhole BOGON IP's in named.conf or it would be an overkill?

Probably overkill, since you're blocking everything but your own servers IP's.

 

[chirpy]

Let's say I've a DNS cluster setup with the following IP-addresses :

IF you had an old master/slave DNS setup you would need to have the main IP addresses for each server listed in both. However, DNS clustering doesn't use the traditional master/slave setup (they're all masters) so you only need 127.0.0.1, plus any IP addresses listed in that local servers /etc/resolv.conf that resides on that same server.

 

[DigiCrime]

My question is why is this popping up all of a sudden ? Whats changed in the past few weeks ??

 

[anup123]

Apparently changes have taken place at dnsreport.com
they have added this test to their report.
cpanel.net is also reported to have open dns servers
http://dnsreport.com/tools/dnsreport.ch?domain=cpanel.net
at the time of writing this message

Anup

 

[DigiCrime]

Interesting.... I got a message from TPlanet about doing something about this, I didnt see anything on Cpanel forums about it so it must be rather new yet. I never thought to look over here after I made the changes, or even investigate but now that im seeing it on majority of other systems, kinda curious why all of a sudden

 

[chirpy]

I just wanted to add to me assertion above that you might have to list all IP's that you use as nameservers as well has resolvers in the trusted ACL.