DNS Errors

Don't worry about warnings.

There have been a lot of recent posts about converting your server to use only a non-caching (non-recursive) instance of BIND on your server.

If one of your nameservers isn't running, that's something you'll have to figure out and fix.

Jeff
 
You could set up BIND to only do recursive lookups for YOUR own IPs, then it would not be an open DNS server to the internet, but would still cache entries looked up locally.

That's how I set up all my DNS boxes and it works great.
 
My setups are similar to the following:

Add the following to the top of your named.conf:

Code:
# Setup an access list for your slave servers:
acl "slaves" {123.123.123.2; 123.123.123.3; };

# Setup an access list for YOUR IPs that you want to provide recursion to.
# Note: 123.123.123.1/25 has host bits set; BIND masks them off (and logs a
# warning), so it is treated as the whole block 123.123.123.0/25.
acl "myips" {
        123.123.123.1/25; 123.100.100.86/29; 127.0.0.1;
};

Then add the following to your options section of named.conf

Code:
options {
        # only clients matching the "myips" acl may ask us to recurse
        allow-recursion { "myips"; };
        # answer version.bind CH TXT queries with this string instead of the real version
        version "Not available (refused).";
        # ... your existing options ...
};

The "version" line above will hide the DNS version you are using and return "Not available (refused)." instead.

After reloading BIND, DNSSTUFF should no longer show your DNS servers as open, yet Exim, or any scripts running on your server that need to do DNS lookups can take full advantage of the caching.

-Non-DA info below-
I usually then add an entry for each zone file (on my non-DA DNS servers) that limits the zone transfers to only the slaves defined in the acl that was set up in named.conf.
Something like:

Code:
zone "testdomain.com" in {
        type master;
        file "testdomain.com.zone";
        allow-transfer {"slaves"; };
};
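Here is an added example (not from the post above) of how to do the "is it still open?" check yourself instead of relying on DNSstuff: a small POSIX shell script that asks the server for a name it is not authoritative for and inspects the reply for the "ra" flag and status, then asks for version.bind. The probe name www.example.com, the server name you pass in, and the sample dig replies at the bottom are my own constructed inputs, not real captures. Run it from an address that is NOT in your "myips" acl, otherwise you are testing the allowed path.

```shell
#!/bin/sh
# Added example, not part of the original post: check from an outside host
# that a BIND server refuses recursion and hides its version.  The parsing
# lives in functions so the decision logic can be run on the constructed
# dig replies below without network access.

# Decide from a full dig reply (on stdin) whether the server recursed for us.
# Prints "open" when the status is NOERROR and the "ra" (recursion available)
# flag is set; anything else (REFUSED, or no "ra" flag) is "closed".
classify_recursion() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*)
            if [ "$status" = NOERROR ]; then
                echo open
                return 0
            fi
            ;;
    esac
    echo closed
}

# Decide from the TXT string returned for version.bind (dig +short output on
# stdin) whether the real version leaks.  BIND reports e.g. "9.16.1", so a
# string that starts with a digit is treated as a leak.
classify_version() {
    txt=$(tr -d '"')
    case "$txt" in
        [0-9]*) echo leaked ;;
        *)      echo hidden ;;
    esac
}

# Live probe (needs network).  www.example.com is used because the server
# is not authoritative for it, so a NOERROR answer with "ra" can only come
# from the server recursing on our behalf.
probe_server() {
    server=$1
    printf 'recursion for outsiders: '
    dig @"$server" www.example.com A +time=3 +tries=1 | classify_recursion
    printf 'version.bind:            '
    dig @"$server" version.bind CH TXT +short +time=3 +tries=1 | classify_version
}

# Constructed dig replies (not real captures) for the offline self-test.
sample_open_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    3600    IN    A    192.0.2.10
EOF
}

sample_refused_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

if [ $# -eq 1 ]; then
    probe_server "$1"
else
    echo "open resolver sample:  $(sample_open_reply | classify_recursion)"
    echo "locked-down sample:    $(sample_refused_reply | classify_recursion)"
fi
```

Usage: `sh check_open_dns.sh ns1.yourdomain.com` from a machine outside your acl; you want "closed" and "hidden". With no argument it just runs the two sample replies through the parser so you can see what each verdict looks like.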
 