webhosting2

Registered
Sep 6, 2006
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
How do I close off recursive access through WHM or SSH?
 

skyhorse

Active Member
Aug 18, 2004

angelina_holy

Well-Known Member
Aug 6, 2006
nano -w /etc/named.conf
Before the line that says “directory /var/named”; (it could be /var, /var/named, etc)

Put:

recursion no;

Save.

Make sure you can ping your account and google.com afterwards.
 

skyhorse

Active Member
Aug 18, 2004
Again, angelina's instructions, just like chris's, could work in some cases but are not the proper way to do it. Whitelists for allowed IP addresses are the way to go; check out the two links in the previous posts...
 

angelina_holy

Well-Known Member
Aug 6, 2006
113
0
166
recursion no worked in my case, but like skyhorse said, if in some cases there is a possibility that it might break the servers, then it's best to go with skyhorse's solution to whitelist the allowed IP addresses.

The link provided by skyhorse

http://www.skyhorse.org/web-server-...panel-whm-version-10/fixing-open-dns-servers/

is a good one for new users facing the open DNS problem.

Thanks skyhorse. Guess I was lucky that my server didn't break. :)
 

Manuel_accu

Well-Known Member
Jun 19, 2005

hamper

Well-Known Member
Apr 28, 2006
jayh38 said:
recursion no is definitely not the way to go, as Skyhorse mentioned.
Also, here is a nice thread and script that will help you with the
allow list for your service.

http://forums.cpanel.net/showthread.php?t=50473
I agree. I made the mistake of doing this; now at least twice a day I have to go in
and redo the named.conf file and manually restart named. Does anyone know how
to get it to stop going back to the "recursion no" in named.conf and keep the ACL
info I have to keep changing it back to?

Thanks for any help.
 

levelsupport

Well-Known Member
Oct 7, 2006
To disable recursive nameservers,
open your /etc/named.conf

Make sure you have this line:

options {
    directory "/var/named";
    // only the addresses listed here may use recursion
    allow-recursion { 127.0.0.1; <yourserverip1>; <yourserverip2>; };
};
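
Added example, not part of any post in this thread: a small Python check, run from a host outside the allow-recursion list, to confirm the change took effect. It sends one query with the RD bit set and reads the RA flag, rcode and answer count from the reply; the function names, the example.com query name and the sample reply headers are constructed for illustration.

```python
import socket
import struct

RD = 0x0100  # "recursion desired", set by the client in the query
RA = 0x0080  # "recursion available", set by the server in the reply
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Encode an A/IN question for `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, txid=0x1234):
    """Return (verdict, rcode, answer_count) for a raw DNS reply."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if flags & RA and rcode == "NOERROR" and ancount > 0:
        verdict = "open: recursion performed for this client"
    elif flags & RA:
        verdict = "advertises recursion (RA set) but gave no answer"
    else:
        verdict = "closed: recursion not offered to this client"
    return verdict, rcode, ancount

def probe(server, name="example.com", timeout=3.0):
    """Send one query to your own nameserver from an outside host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    return classify(reply)

# Constructed sample reply headers, not captured traffic.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN))
    print(classify(SAMPLE_REFUSED))
```

Use a query name the server is not authoritative for; a "closed" verdict from an outside host together with an "open" verdict from a whitelisted address is the result the allow-recursion list is meant to produce.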
 

noimad1

Well-Known Member
Mar 27, 2003
I have a question about this.

Would I need to add every IP address in my server cluster?