Open DNS Servers :: DNSReport Fix Script

shashank

Hello,

Many of you might have noticed the following error on the DNSReport for your domain.

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

I have prepared a small code snippet which will help you fix that error for all the domains on your server. Just wanted to share this with all of you who have this issue. Beware that this code works only for cPanel servers. Following is the exact procedure. Be sure to take a backup of your named.conf beforehand for recovery purposes.

1. Login to your server as root.

2. Wget and run the script as:

Code:
wget http://shashank.net/scripts/named.patch
sh named.patch
3. It will provide you with an output like:

Code:
allow-recursion {
127.0.0.1;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
};
4. Copy and paste this code into the options section of your named.conf. Something like:

Code:
options {
        directory "/var/named";
        allow-recursion {
                127.0.0.1;
                xxx.xxx.xxx.xxx;
                .... ....
                .... ....
        };
};
5. Save named.conf and restart the named service. Allow all zones to load and check DNSReport now. The open nameservers warning no longer shows up. Hope it works fine for you. Any additions or corrections welcome.
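To confirm step 5 without waiting for DNSReport to re-run, here is an added shell check (not shashank's script) that reads the `;; flags:` line of a `dig` response and reports whether the `ra` (recursion available) bit is set, which is the signal the open-server test keys on. The two header lines are constructed samples; `check_nameserver` assumes `dig` is installed and should be run from a host that is not in your allow-recursion list, since BIND only advertises `ra` to clients it would recurse for.

```shell
#!/bin/sh
# Constructed sample dig headers (not captured output): one from a server that
# still offers recursion to this client, one from a server that refuses it.
OPEN_RESPONSE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
CLOSED_RESPONSE=';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# dns_recursion_open: read dig output on stdin; succeed (exit 0) if the
# ";; flags:" line carries "ra", i.e. the server told this client that
# recursion is available. Matches whole flag tokens, so "rd" does not count.
dns_recursion_open() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx 'ra'
}

# check_nameserver NS [NAME]: ask NS for a name it is not authoritative for
# (NAME defaults to example.com) and report whether recursion was offered.
# Assumes dig is installed; run it from outside the allow-recursion list.
check_nameserver() {
    ns="$1"
    name="${2:-example.com}"
    if dig @"$ns" "$name" A +tries=1 +time=3 | dns_recursion_open; then
        echo "$ns: OPEN - still offers recursion to this client"
        return 1
    fi
    echo "$ns: closed - no recursion offered"
    return 0
}
```

A closed BIND answers such a query with status REFUSED and no `ra` flag, so the check reports "closed" for every nameserver IP once the allow-recursion list is in place.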
 

HawkeVIPER


Here's a modified version of shashank's script, for use with virtuozzo based VPS:

Code:
#!/bin/sh
# Print an allow-recursion block for a Virtuozzo VPS: localhost, every address
# on the venet0 interface, and any /etc/resolv.conf nameserver that is not
# this host's own address.
echo "allow-recursion {"
echo "127.0.0.1;"
for i in $(ifconfig | grep -A 1 'venet0:' | grep 'addr:' | awk '{print $2}' | cut -d: -f2)
do
    echo "$i;"
done
for a in $(awk '/^nameserver/ {print $2}' /etc/resolv.conf | grep -v -F "$(/bin/hostname -i)")
do
    echo "$a;"
done
echo "};"
--HV
 

CoolMike

Hi

What's the reason to search for entries in the /etc/resolv.conf file? I have only 2 IPs there, from my upstream DNS server. Is it not enough to list the IPs which the server is using?

Just to be sure, the whole thing is to protect your nameservers so that others are not able to use them. It's just for your own server, right?

Michael
 

chirpy


shashank

I tried this on two servers before writing the script. One of the servers was not able to resolve any domains until I included the resolv.conf IPs in the list of allow-recursions; that is why I added those IPs. I am not sure why, but I will try to find out when I get a chance.
 

chirpy

That's because you have to list the IPs that do need to do recursive lookups, or that will send transfer requests (e.g. slave DNS servers, if used). Presumably those IPs that you have put in resolv.conf are local to the server.
 

Snowman30

Jonathon, I edited named.conf as you suggested in another post

Code:
// The acl must be defined (not commented out) before options references "trusted".
acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
which you mentioned worked fine...

This closed up the open DNS issue, but the problem is now that mail isn't being delivered to or from the server, with unroutable domain errors.

I know I'm missing something really obvious here, but what is it?
 

manokiss

Wondering if you found a solution for this; our DC also recommended adding recursion no; but doing this, exim is not resolving the domains.

It makes no sense to have allow-recursion with some IPs when recursion is yes by default, so the options above are the same as having recursion yes;

any idea?

thanx!
 

chirpy

Snowman30 said:
Jonathon, I edited named.conf as you suggested in another post
which you mentioned worked fine...

This closed up the open DNS issue, but the problem is now that mail isn't being delivered to or from the server, with unroutable domain errors.

I know I'm missing something really obvious here, but what is it?
Did you definitely list the IPs you use for DNS lookups on your own server in the ACL? Your lookup IPs are listed in /etc/resolv.conf, and any of those that are on your own server need to be listed, as well as 127.0.0.1.
 

manokiss

Hello chirpy, yes, I listed them, but once I add recursion no; in the options, exim starts failing with the unroutable domain error.

thanx!
 

Ronny

It's recommended to put your DC's outgoing resolvers in /etc/resolv.conf

If you have that in there instead of your own IPs, recursion no; will work.
 

Bdzzld

Hi,

I've successfully made all changes to the named.conf file and DNSReport reports no open DNS servers. I was wondering which IP addresses should be in the:

Code:
acl "trusted" { ... };
part. Let's say I have a DNS cluster setup with the following IP addresses:

[server 1 ]
main IP = 1.1.1.2
DNS1 = 1.1.1.3
DNS2 = 1.1.1.4
add. IP = 1.1.1.5

[server 2 ]
main IP = 2.2.2.1
DNS3 = 2.2.2.2
add. IP = 2.2.2.3
add. IP = 2.2.2.4

Question: Which IP addresses should be used on server 1, on server 2, or on both servers?

Thanks.
 

chirpy

Bdzzld said:
Let's say I've a DNS cluster setup with the following IP-addresses :
If you had an old master/slave DNS setup you would need to have the main IP addresses for each server listed in both. However, DNS clustering doesn't use the traditional master/slave setup (they're all masters), so you only need 127.0.0.1, plus any IP addresses listed in that local server's /etc/resolv.conf that reside on that same server.
 

DigiCrime

My question is why is this popping up all of a sudden? What's changed in the past few weeks?
 

DigiCrime

Interesting.... I got a message from TPlanet about doing something about this. I didn't see anything on the cPanel forums about it, so it must be rather new yet. I never thought to look over here after I made the changes, or even to investigate, but now that I'm seeing it on the majority of other systems, I'm kinda curious why all of a sudden.
 

chirpy

I just wanted to add to my assertion above that you might have to list all IPs that you use as nameservers, as well as resolvers, in the trusted ACL.
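Pulling together chirpy's rule from this and the earlier replies (127.0.0.1, the addresses named answers on, and the /etc/resolv.conf resolvers that live on the same box) and Ronny's point that off-box DC resolvers do not need recursion here, the following added shell example, not code from the thread, builds the acl "trusted" fragment from that rule. The local and nameserver addresses reuse Bdzzld's server 1 figures, the resolv.conf text is constructed, and 203.0.113.53 stands in for a hypothetical data-centre resolver; on a live server you would fill LOCAL_IPS from ifconfig or `hostname -i` as HawkeVIPER's script does.

```shell
#!/bin/sh
# Constructed sample data standing in for ifconfig/hostname -i output and
# /etc/resolv.conf on Bdzzld's "server 1"; 203.0.113.53 is a made-up
# off-box resolver (TEST-NET-3), not a real data-centre address.
LOCAL_IPS="1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5"   # every address bound on this server
NS_IPS="1.1.1.3 1.1.1.4"                      # addresses named answers on (DNS1, DNS2)
RESOLV_CONF='search example.net
nameserver 1.1.1.3
nameserver 203.0.113.53'

# is_local IP: succeed if IP is configured on this server.
is_local() {
    for addr in $LOCAL_IPS; do
        [ "$addr" = "$1" ] && return 0
    done
    return 1
}

# trusted_ips: print, one per line, the addresses that belong in acl "trusted":
# 127.0.0.1, the nameserver addresses, and every resolv.conf nameserver that is
# local to this box. Off-box resolvers are dropped: they never send recursive
# queries to this server, so allowing them would only widen the ACL.
# Reads resolv.conf text from stdin.
trusted_ips() {
    {
        echo 127.0.0.1
        for ip in $NS_IPS; do echo "$ip"; done
        awk '/^nameserver/ { print $2 }' | while read -r ip; do
            if is_local "$ip"; then echo "$ip"; fi
        done
    } | LC_ALL=C sort -u
}

# build_acl: emit the named.conf fragment that
# options { allow-recursion { trusted; }; } can reference. Reads resolv.conf from stdin.
build_acl() {
    echo 'acl "trusted" {'
    trusted_ips | sed 's/^/        /; s/$/;/'
    echo '};'
}

printf '%s\n' "$RESOLV_CONF" | build_acl
```

If exim still reports unroutable domains after this, the resolv.conf entry it uses is not in the emitted list, which is the symptom Snowman30 and manokiss describe above.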