DNS recursion question - correct config?

Discussion in 'Installation/Configuration' started by jnewman67, Nov 8, 2022.

  1. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    I have an older ISPConfig 3.2.5 standalone server (that can't be updated due to CentOS limitations - working on replacing that!) and an up-to-date 3.2.8p2 server, newer CentOS 8.
    I was seeing a lot of these errors in the message log file on the newer server:
    Code:
    Oct 30 03:11:02 dns2 named[1384]: client @0x7f4d100a0620 172.253.206.37#47723 (somedomain.net): query (cache) 'somedomain.net/A/IN' denied
    from various IPs, but not on the older server, and I realized they had slightly different named.conf files:
    old server:
    Code:
    ...
            allow-query { any; };
            allow-recursion { "none"; };
            recursion yes;
    ...
    new server:
    Code:
    ...
            allow-query { any; };
            // allow-recursion { "none"; };
            recursion no;
    ...
    I don't recall ever manually modifying either named.conf file, so I'm assuming these are ISPConfig configured.
    Could someone enlighten me on which is best/preferred/correct? My digging would indicate that the "yes" should be "no", and that maybe a "trusted" section should be added to allow the different ISPConfig servers to ask each other. My reading also indicated that in general, the above error messages were because recursion was disabled, and therefore to be expected, and that they could/should just be hidden/ignored by adding:
    Code:
    category security { null; };
    under the logging section of named.conf. I've done that, but that doesn't leave me with warm fuzzies either. I currently also have some customers that are having connection issues using POP3, with timeout issues connecting to the server. Part of me thinks my playing with the named.conf files may be partly to blame, but I also replaced a router at the same time, so that could have a config/firmware issue as well (unproven router model for me).
    Also, how are "allow-recursion" and "recursion" different - seems like they're saying the same thing.
    Here's my current named.conf from the newer server - let me know if you see something amiss (thanks!):
    Code:
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
            listen-on port 53 { any; };
            listen-on-v6 port 53 { any; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
            // allow-recursion { "none"; };
            recursion no;
    };
    logging {
            category security { null; };
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.conf.local";
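Added example, not code from the post, from ISPConfig's templates or from BIND itself: the script below applies the defaulting rules the BIND 9 ARM documents for allow-recursion and allow-query-cache to the two options blocks quoted above, so the difference between recursion (the master switch; with recursion no, named never recurses for anyone) and allow-recursion (the ACL of who may recurse while it is on) comes out as the concrete ACLs named ends up enforcing. It then triages constructed "query (cache) ... denied" lines of the same shape as the one in the post: with recursion off, a denial for a name outside the server's own zones is the expected REFUSED answer, whereas a denial for a name inside a zone this server is supposed to serve means no loaded zone covered the name and named fell through to the (forbidden) cache, which is worth investigating. The options blocks, log lines, client IPs (documentation ranges) and the zone set are constructed for the example; the zone set stands in for whatever named.conf.local actually includes.

```python
"""Added example (not from the forum post, ISPConfig or BIND): derive the ACLs
BIND actually applies from an options block, then triage denied cache queries.
The defaulting rules follow the BIND 9 ARM text for allow-recursion/allow-query-cache."""
import re
from collections import Counter

LOCAL_DEFAULT = "localnets; localhost;"

# Constructed copies of the two options blocks quoted in the post
# (assumption: nothing else in the file touches these directives).
OLD_OPTIONS = """
options {
        allow-query { any; };
        allow-recursion { "none"; };
        recursion yes;
};
"""
NEW_OPTIONS = """
options {
        allow-query { any; };
        // allow-recursion { "none"; };
        recursion no;
};
"""

ACL_RE = re.compile(r"^(allow-query-cache|allow-recursion|allow-query)\s*\{\s*(.*?)\s*\}\s*;")
REC_RE = re.compile(r"^recursion\s+(yes|no)\s*;")


def parse_options(named_conf: str) -> dict:
    """Collect the recursion / allow-* directives, ignoring anything after '//'."""
    opts = {}
    for raw in named_conf.splitlines():
        line = raw.split("//", 1)[0].strip()  # a commented-out directive is not set
        m = REC_RE.match(line)
        if m:
            opts["recursion"] = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            # '"none"' is the built-in ACL named none; normalise to the bare word
            opts[m.group(1)] = m.group(2).replace('"', "").strip()
    return opts


def effective_acls(opts: dict) -> dict:
    """Apply BIND's defaulting: an unset ACL inherits from its neighbours."""
    recursion = opts.get("recursion", "yes")  # BIND's own default is recursion yes
    if "allow-query-cache" in opts:
        cache = opts["allow-query-cache"]
    elif "allow-recursion" in opts:
        cache = opts["allow-recursion"]
    elif recursion == "no":
        cache = "none;"  # recursion off and nothing else set: no cache answers at all
    elif "allow-query" in opts:
        cache = opts["allow-query"]
    else:
        cache = LOCAL_DEFAULT
    if "allow-recursion" in opts:
        rec_acl = opts["allow-recursion"]
    elif "allow-query-cache" in opts:
        rec_acl = opts["allow-query-cache"]
    elif "allow-query" in opts:
        rec_acl = opts["allow-query"]
    else:
        rec_acl = LOCAL_DEFAULT
    return {
        "recursion": recursion,
        "allow-recursion": rec_acl,
        "allow-query-cache": cache,
        # 'recursion no' is the master switch; allow-recursion only matters when it is 'yes'
        "recurses-for": rec_acl if recursion == "yes" else "nobody",
    }


LOG_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\([^)]*\): )?query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

# Constructed log lines in the shape of the one in the post (documentation IPs).
SAMPLE_LOG = """\
Oct 30 03:11:02 dns2 named[1384]: client @0x7f4d100a0620 192.0.2.10#47723 (somedomain.net): query (cache) 'somedomain.net/A/IN' denied
Oct 30 03:11:05 dns2 named[1384]: client @0x7f4d100a0620 192.0.2.10#47724 (www.google.com): query (cache) 'www.google.com/A/IN' denied
Oct 30 03:11:09 dns2 named[1384]: client @0x7f4d100b1140 198.51.100.7#5353 (mail.example.net): query (cache) 'mail.example.net/MX/IN' denied
Oct 30 03:11:10 dns2 named[1384]: zone example.net/IN: loaded serial 2022110801
"""
# Assumption: the zones this server is meant to serve (what named.conf.local would include).
AUTHORITATIVE_ZONES = {"example.net", "example.org"}


def in_zones(qname: str, zones) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in (z.rstrip(".").lower() for z in zones))


def triage(log_text: str, zones) -> dict:
    """Per-client counts of denied cache queries, plus denials for names we claim to serve."""
    per_client = Counter()
    unexpected = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        per_client[m["ip"]] += 1
        # Outside our zones: the expected REFUSED when recursion is off.
        # Inside one of our zones: no loaded zone covered the name, so check the zone.
        if in_zones(m["qname"], zones):
            unexpected.append((m["ip"], m["qname"], m["qtype"]))
    return {"per_client": dict(per_client), "unexpected": unexpected}


if __name__ == "__main__":
    for label, text in (("old server", OLD_OPTIONS), ("new server", NEW_OPTIONS)):
        print(label, effective_acls(parse_options(text)))
    print(triage(SAMPLE_LOG, AUTHORITATIVE_ZONES))
```

Run against the two quoted blocks, both end up with an effective allow-query-cache of none, so both refuse cache answers; the old one still has recursion switched on but allows it to nobody, the new one has it switched off outright. The triage only works while the lines are still logged somewhere, so a dedicated channel for the security category with a size cap is the alternative to `category security { null; };` if you want to keep the evidence without flooding the message log.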
     
