Open DNS Servers :: DNSReport Fix Script

Vps

Here's a modified version of shashank's script, for use with virtuozzo based VPS:

Code:

echo "allow-recursion {"
echo "127.0.0.1;"
for i in `ifconfig | grep venet0: -A 1| grep addr: | awk '{print $2}' | cut -d":" -f2`
do
echo $i\;
done
for a in `cat /etc/resolv.conf | tr -s " " " " | cut -d " " -f2 | grep -v \`/bin/hostname -i\``
do
echo $a\;
done
echo "};"

--HV

 

Hi

What's the reason to search for entries in the /etc/resolv.conf file? I have there only 2 IP's from my upstream DNS server. Is it not enough to list there the IP's which the server is using?

Just to be sure, the whole thing is, to protect your nameservers, that others are not able to use them. it's just for the own server, right?

Michael

 

I don't understand why you're messing around with resolv.conf it has anything whatsoever to do with the issue of DNS server recursion.

All you need do is has been posted many a time before:
http://forums.cpanel.net/showthread.php?t=15922

In summary:
http://forums.cpanel.net/showpost.php?p=217540&postcount=27

 

That's because you have to list the IP that do need to do recursion lookups, or that will request transfer requests (e.g. slave DNS servers if used). Presumably those IP's that you have put in resolv.conf are local to the server.

 

Jonathon i edited named.conf as you suggested in another post

Code:

//acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
};

options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	 // query-source address * port 53;
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};

which you mentioned worked fine...

This closed up the open dns issue but Problem is now mail isnt being delivered to or from the server with unroutable domain errors

I know im missing somethign really obvious here but what is it?

 

Wondering if you found a solution for this, also our Dc recommended add recursion no; but doing this exim is not resolving the domains.

No make sense have the allow-recursion with some ip´s when the recursion default is yes by default, so in the options above is the same as have recursion yes;

any idea?

thanx!

 

Did you definitely list the IP's you use for DNS lookups of your own server in the ACL. Your lookup IP's are listed in /etc/resolv.conf and any of those that are on your own server need to be listed - as well as 127.0.0.1

 

hello chirpy, yes, i listed them, but once i add recursion no; in the options exim start failing with the unroutable domain error.

thanx!

 

Would it be necessary to blackhole BOGON IP's in named.conf or it would be an overkill?

TIA
Anup

 

It's recommmended to put your DC's outgoing resolvers in /etc/resolv.conf

If you have that in there instead of your own IPs, recursion no; will work.

 

Hi,

I've successfully made all changes to the named.conf file and DNSreport reports there no Open DNS servers. I was wondering which IP-addresses should be in the :

Code:

acl "trusted" { ... };

part. Let's say I've a DNS cluster setup with the following IP-addresses :

[server 1 ]
main IP = 1.1.1.2
DNS1 = 1.1.1.3
DNS2 = 1.1.1.4
add. IP = 1.1.1.5

[server 2 ]
main IP = 2.2.2.1
DNS3 = 2.2.2.2
add. IP = 2.2.2.3
add. IP = 2.2.2.4

Question : Which IP-addresses should be used on server 1, server 2 or on both servers ?

Thanks.

 

Probably overkill, since you're blocking everything but your own servers IP's.

 

IF you had an old master/slave DNS setup you would need to have the main IP addresses for each server listed in both. However, DNS clustering doesn't use the traditional master/slave setup (they're all masters) so you only need 127.0.0.1, plus any IP addresses listed in that local servers /etc/resolv.conf that resides on that same server.

 

My question is why is this popping up all of a sudden ? Whats changed in the past few weeks ??

 

Apparently changes have taken place at dnsreport.com
they have added this test to their report.
cpanel.net is also reported to have open dns servers
http://dnsreport.com/tools/dnsreport.ch?domain=cpanel.net
at the time of writing this message

Anup

 

Interesting.... I got a message from TPlanet about doing something about this, I didnt see anything on Cpanel forums about it so it must be rather new yet. I never thought to look over here after I made the changes, or even investigate but now that im seeing it on majority of other systems, kinda curious why all of a sudden

 

I just wanted to add to me assertion above that you might have to list all IP's that you use as nameservers as well has resolvers in the trusted ACL.