
Open DNS Servers :: DNSReport Fix Script

Discussion in 'Bind / DNS / Nameserver Issues' started by shashank, Mar 3, 2006.

  1. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    Many of you might have noticed the following error on the dnsreport for your domain.

    ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

    I have prepared a small code snippet which will help you to fix that error for all the domains on your server. Just wanted to share this with you all who have this issue. Beware that this code works only for cPanel servers. Following is the exact procedure. Be sure to take a backup of your named.conf beforehand for recovery purposes.

    1. Login to your server as root.

    2. Wget and run the script as:

    Code:
    wget http://shashank.net/scripts/named.patch
    sh named.patch
    
    3. It will provide you with an output like:

    Code:
    allow-recursion {
    127.0.0.1;
    xxx.xxx.xxx.xxx;
    xxx.xxx.xxx.xxx;
    };
    
    4. Copy and paste this code in the Options section of your named.conf. Something like:

    Code:
    options {
            directory "/var/named";
            allow-recursion {
                    127.0.0.1;
                    xxx.xxx.xxx.xxx;
                    .... ....
                    .... ....
            };
    };
    
    5. Save named.conf and restart the named service. Allow all zones to load and check DNSReport now. The open nameservers warning no longer shows up. Hope it works fine for you. Any additions, corrections welcome.
     
  2. HawkeVIPER

    HawkeVIPER Member

    Joined:
    Oct 19, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Vps

    Here's a modified version of shashank's script, for use with Virtuozzo-based VPS:

    Code:
    #!/bin/sh
    # Emit an allow-recursion block for named.conf: loopback, every venet0
    # alias address of this container, and the resolvers from /etc/resolv.conf.
    echo "allow-recursion {"
    echo "127.0.0.1;"
    # On Virtuozzo the container's public IPs sit on venet0:0, venet0:1, ...
    for i in $(ifconfig | grep -A 1 'venet0:' | grep 'addr:' | awk '{print $2}' | cut -d: -f2)
    do
        echo "$i;"
    done
    # Only the nameserver lines (a "search" line would yield a domain name,
    # which is not valid here); skip this host's own IP, already listed above.
    for a in $(grep '^nameserver' /etc/resolv.conf | awk '{print $2}' | grep -v -F -x "$(/bin/hostname -i)")
    do
        echo "$a;"
    done
    echo "};"
    
    --HV
     
  3. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    thanks HawkeVIPER :)
     
  4. CoolMike

    CoolMike Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    307
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    What's the reason to search for entries in the /etc/resolv.conf file? I have only 2 IPs from my upstream DNS server there. Is it not enough to list there the IPs which the server is using?

    Just to be sure: the whole thing is to protect your nameservers, so that others are not able to use them. It's just for your own server, right?

    Michael
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  6. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I tried this on two servers before writing the script. One of the servers was not able to resolve any domains until I included the resolv.conf IPs in the list of allow-recursion; that is why I added those IPs. I am not sure why, but I will try to find out when I get a chance.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's because you have to list the IPs that do need to do recursive lookups, or that will make transfer requests (e.g. slave DNS servers if used). Presumably those IPs that you have put in resolv.conf are local to the server.
     
  8. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Jonathon, I edited named.conf as you suggested in another post

    Code:
    //acl "trusted" {
            11.22.33.44;
            44.33.22.11;
            66.55.44.33;
    };

    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
            version "not currently available";
            allow-recursion { trusted; };
            allow-notify { trusted; };
            allow-transfer { trusted; };
    };
    which you mentioned worked fine...

    This closed up the open DNS issue, but the problem is that now mail isn't being delivered to or from the server, with unroutable domain errors.

    I know I'm missing something really obvious here, but what is it?
     
  9. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    571
    Likes Received:
    0
    Trophy Points:
    16
    Wondering if you found a solution for this. Also, our DC recommended adding recursion no; but when doing this exim is not resolving the domains.

    It makes no sense to have allow-recursion with some IPs when recursion is yes by default, so the options above are the same as having recursion yes;

    any idea?

    thanx!
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Did you definitely list the IPs you use for DNS lookups of your own server in the ACL? Your lookup IPs are listed in /etc/resolv.conf and any of those that are on your own server need to be listed - as well as 127.0.0.1.
     
  11. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    571
    Likes Received:
    0
    Trophy Points:
    16
    Hello chirpy, yes, I listed them, but once I add recursion no; in the options exim starts failing with the unroutable domain error.

    thanx!
     
  12. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
  13. Ronny

    Ronny Well-Known Member

    Joined:
    Dec 27, 2002
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    It's recommended to put your DC's outgoing resolvers in /etc/resolv.conf.

    If you have that in there instead of your own IPs, recursion no; will work.
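The recursion semantics argued over in this exchange (shashank's server that could not resolve until its resolv.conf addresses were allowed, manokiss's `recursion no;` breaking exim, Ronny's suggestion to point resolv.conf at the DC's resolvers) can be made concrete with a small model of how BIND decides whether to serve a recursive query. This is an added Python example, not code from any poster in the thread; the option dictionaries and all addresses are constructed.

```python
"""Model of how BIND decides whether to answer a recursive query.  Added
example, not code from the thread; all addresses below are constructed."""
import ipaddress


def acl_matches(acl, client_ip):
    """True if client_ip falls inside any address or CIDR block in the ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in acl)


def serves_recursion(options, client_ip):
    """`recursion no;` refuses recursion for every client; otherwise the
    client must match allow-recursion, whose default is any address."""
    if not options.get("recursion", True):
        return False
    return acl_matches(options.get("allow-recursion", ["0.0.0.0/0"]), client_ip)


def mail_lookups_work(options, resolvers, server_ips):
    """Exim resolves via the resolvers in /etc/resolv.conf.  One that is this
    server's own address is this very named, queried from that address, so
    it must be allowed to recurse; a remote (DC) resolver recurses itself."""
    for resolver in resolvers:
        if resolver not in server_ips or serves_recursion(options, resolver):
            return True
    return False


# Constructed sample addresses (RFC 5737 documentation ranges).
SERVER_IPS = ["127.0.0.1", "192.0.2.10"]    # loopback plus the server's own IP
STRANGER = "198.51.100.7"                    # some host out on the Internet
DC_RESOLVER = "203.0.113.53"                 # the datacenter's recursive resolver
OPEN = {}                                    # cPanel default: recursion yes, any client
HARDENED = {"allow-recursion": SERVER_IPS}   # the thread's fix (acl "trusted")
RECURSION_OFF = {"recursion": False}         # what broke exim for manokiss


def summary(options, resolvers):
    """Is the server an open resolver, and can its own mail still resolve?"""
    return {
        "open_to_internet": serves_recursion(options, STRANGER),
        "mail_works": mail_lookups_work(options, resolvers, SERVER_IPS),
    }

if __name__ == "__main__":
    for name, opts in (("open", OPEN), ("hardened", HARDENED), ("recursion no", RECURSION_OFF)):
        print(f"{name:13} resolv.conf -> 127.0.0.1 : {summary(opts, ['127.0.0.1'])}")
    print(f"{'recursion no':13} resolv.conf -> DC        : {summary(RECURSION_OFF, [DC_RESOLVER])}")
```

The hardened set of options closes the open resolver while still answering the server's own exim; `recursion no;` closes it too, but local lookups only keep working once resolv.conf points at a resolver that is not this named.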
     
  14. Bdzzld

    Bdzzld Well-Known Member

    Joined:
    Apr 3, 2004
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Hi,

    I've successfully made all changes to the named.conf file and DNSReport reports there are no open DNS servers. I was wondering which IP addresses should be in the:

    Code:
    acl "trusted" { ... };
    
    part. Let's say I have a DNS cluster set up with the following IP addresses:

    [server 1 ]
    main IP = 1.1.1.2
    DNS1 = 1.1.1.3
    DNS2 = 1.1.1.4
    add. IP = 1.1.1.5

    [server 2 ]
    main IP = 2.2.2.1
    DNS3 = 2.2.2.2
    add. IP = 2.2.2.3
    add. IP = 2.2.2.4

    Question: Which IP addresses should be used on server 1, server 2 or on both servers?

    Thanks.
     
    #14 Bdzzld, Mar 10, 2006
    Last edited: Mar 11, 2006
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Probably overkill, since you're blocking everything but your own servers' IPs.
     
  16. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you had an old master/slave DNS setup you would need to have the main IP addresses for each server listed in both. However, DNS clustering doesn't use the traditional master/slave setup (they're all masters), so you only need 127.0.0.1, plus any IP addresses listed in that local server's /etc/resolv.conf that reside on that same server.
     
  17. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    My question is why is this popping up all of a sudden? What's changed in the past few weeks?
     
  18. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
  19. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Interesting.... I got a message from TPlanet about doing something about this. I didn't see anything on the cPanel forums about it, so it must be rather new yet. I never thought to look over here after I made the changes, or even investigate, but now that I'm seeing it on the majority of other systems, I'm kinda curious why all of a sudden.
     
  20. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I just wanted to add to my assertion above that you might have to list all IPs that you use as nameservers as well as resolvers in the trusted ACL.
     