
Open DNS servers

Discussion in 'Bind / DNS / Nameserver Issues' started by vlee, Apr 29, 2006.

  1. vlee

    This is taken from http://www.dnsreport.com

    ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

    Server 123.456.789.1 reports that it will do recursive lookups. [test]
    Server 123.456.789.2 reports that it will do recursive lookups. [test]


    See this page for info on closing open DNS servers.

    For cPanel is this an issue that I as a customer need to be concerned with?

    If so, I would like to know how to close this issue, because all I read on the internet is that this is one of the main issues for those DDoS attacks on the servers, and having a DNS server that allows recursion for the Internet is like running an open SMTP relay.

    I would like to know everyone's views on this issue.
     
  2. pravin

    The open dns issue can be resolved by editing /etc/named.conf on the server & by adding "recursion no;" to this file.


    include "/etc/rndc.key";

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
    };

    //
    // named.conf for Red Hat caching-nameserver
    //

    options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        recursion no;
    };


    Thank you,
    Pravin
     
  3. mctDarren

    There's another thread just hashed over recently that also explained how to set a white and black list for recursion and resolution altogether. Do a search here and it should be fairly recent. :)
     
  4. vlee

    Thank you for your help pravin.

    That worked and it is now closed.
     
  5. djblamire

    Unfortunately after adding recursion no; the server is no longer able to access the cpanel.net site for updates :(

    I've had to take that option back off.

    Daniel
     
  6. chirpy

    Not surprising. You should not set recursion to no without first understanding what this does. Most people should allow recursion for their local IP addresses.

    Search the forums and you'll find a thread where this has been discussed at length, together with small scripts that provide the information you need to modify named.conf.
     
  7. linkedla

    Open DNS

    Hello, I am really new to all this stuff. I have spent a few hours looking for the way to "close" my DNS, which reports the same as the first poster reported in this thread, so maybe you can (please) provide a link on how to do this "closing". I cannot find anything yet on how to do it from the WHM panel.
    About me: I am a graphic designer who wants to offer my clients an internet presence package of site, domain and hosting. Now I am having this problem and do not want to do something foolish on the server due to my lack of programming skills, which is why I am asking this question.
    Please understand and help. Thank you very much.
     
  8. skyhorse

    Hi,

    You know what most answers are going to be: get a sys admin for your server or get a fully managed solution. You wouldn't like to have your company's logo and posters designed by a Linux administrator, would you? Now, Chirpy is right, there's loads of threads about this subject, but it all comes down to making those two lists and putting them in the named.conf.
    Have a look at this page as well: Fixing open DNS servers

    Remember to ALWAYS back up your named.conf before any changes, you might need to restore it...
     
  9. linkedla

    It is OK, and maybe you are right, but here it is very expensive, or there are no qualified people to do the job the right way, so I was thinking there is nothing bad in asking if there is a tool to do the job. :rolleyes:
    I really appreciate your answer. The link you posted seems to be very useful. I just started reading it, and I will see if I am capable of doing it following the guide. :)
    Thank you very much.
     
  10. angelina_holy

    Open DNS Servers

    nano -w /etc/named.conf
    Before the line that says “directory /var/named”; (it could be /var, /var/named, etc)

    Put:

    recursion no;

    Save.

    Make sure you can ping your account and google.com afterwards.
     
  11. skyhorse

    Hi,

    Do not follow the previous instruction from angelina unless you are really sure what you're doing. It will most probably break your ability to do DNS queries and the consequences are pretty ugly... there's no reason to simply disallow recursion, you should set up white lists for allowed IP addresses... check the guide in the previous post...

    sky
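
What chirpy and skyhorse describe above (recursion allowed for the server's own addresses only, rather than `recursion no;` for everyone), as an added example that is not part of any post in this thread: a shell function that turns a list of addresses into a BIND ACL for use with `allow-recursion`. The ACL name `trusted`, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: emit a named.conf fragment that limits recursion to a
# whitelist. The ACL name "trusted" is an assumption, not from the thread.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$N
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read candidate addresses, one per line, on stdin and print the fragment.
# Loopback is always added so the server's own lookups keep working;
# malformed lines are dropped and duplicates collapsed.
make_recursion_acl() {
    addrs=$( { echo 127.0.0.1; cat; } |
        while IFS= read -r ip || [ -n "$ip" ]; do
            valid_ipv4 "$ip" && printf '%s\n' "$ip"
        done | LC_ALL=C sort -u )
    printf 'acl "trusted" {\n'
    printf '%s\n' "$addrs" | sed 's/.*/    &;/'
    printf '};\n'
    printf '// Inside the existing options { } block, in place of a bare\n'
    printf '// "recursion no;", add:\n'
    printf '//     allow-recursion { trusted; };\n'
}

# Constructed sample input (documentation-range addresses standing in for
# the server's own IPs), including one duplicate and two bad lines.
make_recursion_acl <<'EOF'
192.0.2.10
192.0.2.11
192.0.2.10
123.456.789.1
not-an-address
EOF
```

Run `named-checkconf` on the edited /etc/named.conf before reloading named, and keep the backup copy skyhorse recommends.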
     