ISPConfig named.conf improvement

Discussion in 'Tips/Tricks/Mods' started by larwilliams, Apr 2, 2007.

  1. larwilliams

    larwilliams New Member

  2. edge

    edge Active Member Moderator

    Add the following to the /root/ispconfig/isp/conf/named.conf.master
    You will need to add it WITHIN the options { } part
    Code:
    allow-recursion {
        localhost;
    };
    The end result should look like this

    Code:
    options {
        pid-file "/var/run/bind/run/named.pid";
        directory "{BINDDIR}";
        auth-nxdomain no;

        allow-recursion {
            localhost;
        };
    };
    After doing this, make a small change to a DNS within ISPConfig to make it read the new settings.
     
  3. larwilliams

    larwilliams New Member

    My concern is that this poor default setup for BIND leaves ISPConfig managed servers more open to Cache Poisoning. Hence why I filed a bug. Most admins wouldn't notice this problem until they get attacked.
     
  4. edge

    edge Active Member Moderator

    Problem is that it's not really a bug!

    Some admins like to have it open so other users can use the DNS.
     
  5. larwilliams

    larwilliams New Member

    Understood. Just thinking it should be an option in ISPConfig Server Settings under DNS, and not a manual hack. Far easier and more secure that way.

    Thank you for the intelligent replies. Too bad I couldn't get an answer to my other post (http://www.howtoforge.com/forums/showthread.php?t=11829). It concerns getting some intelligible client information from the ISPConfig database.

    Thanks again!
     
  6. edge

    edge Active Member Moderator

    True. It would be a nice "extra" option (I've also asked some time ago for this I believe)
    You will need to talk to some of the ISP developers about this. I'm sure that what you want can be done!

    Just give it some "more" time, someone will answer your question!
     
  7. larwilliams

    larwilliams New Member

    If I could understand how to hook the option choice into the DNS tab and get it into the database, I could do it myself. I've already figured out what function is responsible for named.conf being created. The German comments and function names don't really help sometimes :)
     
  8. edge

    edge Active Member Moderator

    Don't ask me :-/ I'm a Coldfusion coder. Way easier to work with a database :) (I did play a bit with PHP / MySQL, and must say that it's also nice)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I closed the bug report at sourceforge and left a comment there. To allow recursion in ISPConfig is a default setting that we have chosen and we won't change it in the stable branch to not break the compatibility with older versions. If you don't like the default, please change it as edge mentioned above. Changes in the config templates are no hacks, they are a valid way to change the ISPConfig defaults.

    I agree that it would be a nice feature to allow enabling / disabling the recursion in the interface. To add a checkbox on the ISPConfig interface, you will have to use the form editor. The form editor also creates the database column for you automatically.
     
