Securing and standardizing the DNS server

Open DNS servers

By default the DNS server is open. "Open DNS servers increase the chances of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers)." http://www.dnsreport.com/

So we have to edit "/root/ispconfig/isp/conf/named.conf.master" and add in the options section:

Code:
allow-recursion { localhost; };

Before:

Code:
options {
    pid-file "/var/run/bind/run/named.pid";
    directory "{BINDDIR}";
    auth-nxdomain no;
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

and after:

Code:
options {
    pid-file "/var/run/bind/run/named.pid";
    directory "{BINDDIR}";
    auth-nxdomain no;
    allow-recursion { localhost; };
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

then do a:

Code:
cp /root/ispconfig/isp/conf/named.conf.master /root/ispconfig/isp/conf/customized_templates/

I'm working on other DNS server issues; I'll put them here when I solve them.
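Because the edit above has to survive ISPConfig regenerating named.conf, it is worth applying it to the template idempotently rather than by hand. The following script is an added example and is not part of the thread or of ISPConfig. It assumes the template layout shown in the post (an options block containing auth-nxdomain no;), inserts allow-recursion after that line when no recursion restriction is present, and recognises an already-hardened config (allow-recursion or BIND's recursion no;) so running it twice does not duplicate the line. The sample options block is constructed from the "before" snippet above.

```python
"""Patch a BIND options block so the server stops acting as an open recursive
resolver, and check whether a given config is still open.

Added example, not the thread's or ISPConfig's own code. Assumes an
`options { ... };` block like the one in the how-to; the sample below is
constructed from it (comments trimmed).
"""
import re

# Constructed sample: the "before" options block from the how-to.
SAMPLE_BEFORE = """options {
pid-file "/var/run/bind/run/named.pid";
directory "{BINDDIR}";
auth-nxdomain no;
// query-source address * port 53;
};
"""

# Body of the options block, up to the line that closes it.
OPTIONS_RE = re.compile(r"options\s*\{(?P<body>.*?)\n\};", re.S)
# A line that restricts or disables recursion. A commented-out line
# (`// allow-recursion ...`) does not match because of the anchored `^\s*`.
RECURSION_RE = re.compile(
    r"^\s*(allow-recursion\s*\{[^}]*\}\s*;|recursion\s+no\s*;)", re.M
)


def options_body(conf: str) -> str:
    """Return the text inside the options block, or raise if there is none."""
    m = OPTIONS_RE.search(conf)
    if not m:
        raise ValueError("no options block found")
    return m.group("body")


def is_open_resolver_config(conf: str) -> bool:
    """True when the options block neither limits allow-recursion nor sets
    recursion no; BIND then recurses for any client, which is what
    dnsreport flags as an open DNS server."""
    return RECURSION_RE.search(options_body(conf)) is None


def ensure_allow_recursion(conf: str, acl: str = "localhost;") -> str:
    """Return conf with `allow-recursion { <acl> };` inside the options block.
    Idempotent: a config that already restricts recursion is returned as-is."""
    if not is_open_resolver_config(conf):
        return conf
    line = f"allow-recursion {{ {acl} }};"
    m = OPTIONS_RE.search(conf)
    body = m.group("body")
    if "auth-nxdomain" in body:
        # Place it right after auth-nxdomain, as in the how-to.
        new_body = re.sub(
            r"(auth-nxdomain[^\n]*\n)", lambda mm: mm.group(1) + line + "\n",
            body, count=1,
        )
    else:
        # No auth-nxdomain line: put it at the top of the block instead.
        new_body = "\n" + line + body
    return conf[: m.start("body")] + new_body + conf[m.end("body"):]


if __name__ == "__main__":
    # Demonstration on the constructed sample; to patch the real template,
    # read /root/ispconfig/isp/conf/named.conf.master, pass its text here,
    # and write the result back before copying it to customized_templates/.
    print("open before patch:", is_open_resolver_config(SAMPLE_BEFORE))
    patched = ensure_allow_recursion(SAMPLE_BEFORE)
    print("open after patch:", is_open_resolver_config(patched))
    print(patched)
```

The ACL argument lets you extend the list beyond localhost for clients with fixed addresses, which is the trade-off discussed later in this thread; clients without static addresses cannot be listed this way. After ISPConfig has regenerated named.conf and BIND has reloaded, confirm from outside your network that a query for a name you are not authoritative for no longer returns the `ra` (recursion available) flag.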
It's (maybe) better to use

Code:
allow-recursion { localhost; };

This way the server itself can still access it.
You are in the ISPConfig section here, and your modification is not exactly applicable like this, since ISPConfig regenerates the named.conf file each time a domain name is added. In fact the template of named.conf needs to be modified: /root/ispconfig/isp/conf/named.conf.master, and the new named.conf.master copied to /root/ispconfig/isp/conf/customized_templates after the modification.
Some people like to share the DNS with other people (like me). You could add the IPs of the users to the "allow-recursion", but some of my users do not have static IPs. What you are asking (and your "fix") has been discussed on this forum already several times.
No, we do not plan to change this. As edge mentioned, this has been discussed already several times in the forum. No, it does not mean that everybody can add his own DNS entries on your server. It just means that others may use your server to resolve names, not to add zones.
I have used this howto; it works, and the test on dnsreport is OK. Thanks, but when I modify something in ISPConfig for DNS, for example adding a new website, the line with allow-recursion { localhost; }; disappears. Is there a remedy?
The howto is not complete as it did not add the patch to the master template. You will have to patch the file /root/ispconfig/isp/conf/named.conf.master too.
Re: Securing the DNS Server

Hey everyone, I have a question. I just did all those steps mentioned, yet when I do a DNS report on my server it is still marked as an open DNS server. How do I restart the service for it to run properly? I have restarted ISPConfig via /etc/init.d/ispconfig_server restart. What else do I need to restart for this to take effect? Thanks,
You do not need to restart ISPConfig. All you need to do is make a small change to a DNS setting in ISPConfig; ISPConfig will then regenerate the new DNS files. When done, undo the small change (if needed).
Why not provide an option in the DNS manager for disabling/enabling recursion? I think that's a fair request.