Open DNS Error (DNS Recursion)
Now let's go to the trickier security issues of BIND and how to make BIND safer in a cPanel environment.
You have to edit /etc/named.conf. Right after the block:
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};
you add this:
acl "trusted" {
127.0.0.1; 69.33.122.133; 69.56.129.144;
};
(These IP addresses should be all of the nameservers that handle your domains, including the local machine if it runs a nameserver, plus any host that uses this server as its resolver. Every address must end with a semicolon, and the ACL has to be defined before the options block that references it, which is why it goes here.)
Then further down you will see this:
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
and right after that line you add this:
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};
This makes sure that the DNS server does not give out its version number, and that recursion, NOTIFY messages and zone transfers are only accepted from the IP addresses in the trusted ACL we added earlier. Authoritative answers for your own zones are still served to everyone; only recursive lookups for other people's domains (the open-resolver problem) are refused to outsiders. Hiding the version string only blunts casual fingerprinting and is no substitute for keeping BIND patched.
After this is done, save the file, check the syntax with named-checkconf /etc/named.conf, and then restart BIND from WHM. If you see an error message, look at the named log under /var/log to see which line caused the problem; most likely you missed a semicolon, quote or brace. To confirm the result from a host outside the ACL: dig @your.ns.ip www.example.com should come back with status REFUSED (and a warning that recursion is not available), dig @your.ns.ip version.bind CHAOS TXT should show the fake string, and a query for one of your own domains should still answer normally.
This addresses pretty much all of my security concerns with BIND, and you will have a much better and safer time running it this way.
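The steps above are easy to get wrong by hand (a mistyped IP, a missing semicolon, an ACL name that is never defined all stop named from starting). The following script is an added example, not code from the original post or from cPanel or BIND: it builds the trusted ACL with validated addresses, inserts the four hardening statements into a named.conf, and audits a config for the settings described above. It assumes the named.conf layout shown in the post (a top-level `controls` block followed by `options { ... };`); SAMPLE_NAMED_CONF is a constructed stand-in for the stock file.

```python
"""Generate and sanity-check the named.conf hardening described above.

Added example, not code from the original post or from cPanel/BIND. Assumes
the post's layout (a top-level `controls` block, then `options { ... };`).
"""
import ipaddress
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample: a stock-looking named.conf before any hardening.
SAMPLE_NAMED_CONF = """\
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

options {
    directory "/var/named";
    // query-source address * port 53;
};
"""


def build_trusted_acl(name, addresses):
    """Return an acl block for the nameserver IPs.

    Each address goes through ipaddress, so a typo such as '127.0.01' (three
    octets) raises ValueError instead of landing in the config, and every
    element gets the trailing ';' that BIND requires.
    """
    parsed = [str(ipaddress.ip_address(a.strip())) for a in addresses]
    body = "\n".join(f"    {a};" for a in parsed)
    return f'acl "{name}" {{\n{body}\n}};'


def hardened_option_lines(acl_name, version_string="not currently available"):
    """The four statements the post adds inside options { ... }."""
    return [
        f'    version "{version_string}";',
        f"    allow-recursion {{ {acl_name}; }};",
        f"    allow-notify {{ {acl_name}; }};",
        f"    allow-transfer {{ {acl_name}; }};",
    ]


def apply_hardening(conf, acl_name, addresses):
    """Insert the acl just before `options {` and the statements just inside it.

    Statement order inside options does not matter to BIND, so putting them
    first is equivalent to the post's "right after the query-source comment".
    """
    acl_lines = build_trusted_acl(acl_name, addresses).splitlines()
    out, found = [], False
    for line in conf.splitlines():
        if line.strip() == "options {":
            out += acl_lines + [""] + [line] + hardened_option_lines(acl_name)
            found = True
        else:
            out.append(line)
    if not found:
        raise ValueError("no `options {` line found in named.conf")
    return "\n".join(out) + "\n"


def _strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # /* ... */ blocks
    return re.sub(r"(//|#).*", "", conf)                 # // and # to end of line


def _is_address(elem):
    try:
        ipaddress.ip_network(elem.lstrip("!"), strict=False)
        return True
    except ValueError:
        return False


def audit_named_conf(conf):
    """Return a list of problems; empty means the post's settings are in place.

    Checks only what the post configures: the version override, the three
    allow-* statements inside options, and that every ACL name they use is
    defined (an undefined name makes named refuse to start).
    """
    clean = _strip_comments(conf)
    defined = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', clean)) | BUILTIN_ACLS
    block = re.search(r"\boptions\s*\{(.*?)\n\};", clean, flags=re.S)
    if not block:
        return ["no options block found"]
    options, problems = block.group(1), []
    if not re.search(r'\bversion\s+"', options):
        problems.append("version string not overridden")
    for stmt in ("allow-recursion", "allow-notify", "allow-transfer"):
        hit = re.search(rf"\b{stmt}\s*\{{(.*?)\}}", options, flags=re.S)
        if not hit:
            problems.append(f"{stmt} not set explicitly")
            continue
        for elem in hit.group(1).split(";"):
            elem = elem.strip().strip('"')
            if not elem:
                continue
            if elem == "any":
                problems.append(f"{stmt} is open to any")
            elif elem not in defined and not _is_address(elem):
                problems.append(f"{stmt} references undefined acl {elem!r}")
    return problems


if __name__ == "__main__":
    hardened = apply_hardening(SAMPLE_NAMED_CONF, "trusted",
                               ["127.0.0.1", "69.33.122.133", "69.56.129.144"])
    print(hardened)
    print("before:", audit_named_conf(SAMPLE_NAMED_CONF))
    print("after: ", audit_named_conf(hardened))
```

Run it against a copy of your real /etc/named.conf before touching the live file; the audit is a quick pre-flight, while named-checkconf remains the authoritative syntax check, and the dig queries described above are the only proof that the running server actually refuses recursion to outsiders.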