How To create a non-recursive nameserver

nobaloney

NoBaloney Internet Svcs - In Memoriam †
By default most of us are running DirectAdmin on servers with BIND set up for use both as a caching nameserver (so the server can use its own nameserver) and as an authoritative nameserver (so we can use it to resolve the domains we host).

Recently DNS Report began reporting the use of a recursive nameserver for authoritative reporting as a FAIL condition. Whether they should or not is highly controversial; most small nameservers on the 'net are used for both.

However, they do, and anyone who ever uses DNS Report to look up a domain hosted by you and using your nameservers will see a FAIL condition, which will cost you in support time, credibility, and customers.

So many of us will want to start using different nameservers for recursion than we do for authoritative DNS reporting.

Here's how:

The following instructions are for those of us running CentOS, RHEL, or RHL; if you're running another OS you should do something similar.

Before you do anything else make sure you're not using your own nameserver to resolve lookups from your own server:

# cat /etc/resolv.conf

You'll see something like this:
nameserver 127.0.0.1
nameserver 12.34.56.78
nameserver 12.33.56.78
It's important that none of those IP#s are to your own server, as that server won't be usable as a caching nameserver once you make the change. If you're in a data center they should be able to give you the addresses of two nameservers you can use. Note from the above that if you've got that 127.0.0.1 line you must remove it; it's pointing to your local system. If you've got your own connection to the 'net you should be able to ask your ISP for the IP#s of two nameservers you can use. Make sure they're reliable; your server will be severely crippled if/when it can't reach them.

Once you've changed that file (you don't have to restart or reboot anything when changing the /etc/resolv.conf file) you can make sure you don't have the caching nameserver installed:

# rpm -qa | grep caching

If you get a response with a caching-nameserver version, you'll have to remove it.

But first, save two files so you can restore them later (use cp -p to preserve their ownership and permissions).

Those files are:

/etc/named.conf (or wherever it is on your server, if /etc/named.conf is a symbolic link)

/var/named/named.ca (or wherever it is on your server, if /var/named/named.ca is a symbolic link)

Then remove the caching-nameserver:

# rpm -e caching-nameserver

Then restore those two files you backed up, to the place where they were originally (also using cp -p).

When the caching nameserver is restored and the files restored, add this line to the bottom of the options section of /etc/named.conf (just above the first line with only }; on it).
Code:
recursion no;

Then restart your nameserver:

# service named restart

Once you've done that make sure your server can resolve DNS requests without using your newly set non-recursive nameserver:

# nslookup google.com

If you don't get an answer you've done something wrong and you'll have to remove that line you added to /etc/named.conf and restart your nameserver again so your server will work while you figure out what you've done wrong.
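A check for the /etc/resolv.conf step above, added here as an example and not part of the original post: it parses the file's contents and flags any nameserver entry that still points back at the server itself, either a loopback address or one of the server's own addresses (which the caller supplies; whether that list is complete is an assumption), and warns when fewer than two usable resolvers remain. The sample file contents and the 192.0.2.x addresses are constructed from the documentation range, standing in for the 12.34.56.78-style entries in the post.

```python
import ipaddress

# Constructed resolv.conf contents modelled on the thread's example (not from a
# real server). 192.0.2.0/24 is documentation space, so nothing here is a real
# resolver.
BEFORE = """\
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

AFTER = """\
nameserver 192.0.2.53
nameserver 192.0.2.54
"""


def resolvers(text):
    """Return the addresses from the 'nameserver' lines of a resolv.conf text.

    resolv.conf allows '#' and ';' comments; other directives (search, options)
    are ignored.
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def check_resolv_conf(text, own_addresses):
    """List the reasons this resolv.conf would break once local recursion is off.

    own_addresses: the server's own IP addresses (caller-supplied assumption).
    Returns an empty list when the file is safe to keep.
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    problems, usable = [], 0
    for ns in resolvers(text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            problems.append("%s: not an IP address" % ns)
            continue
        if addr.is_loopback:
            # 127.0.0.1 / ::1 reach this box's own named, which will refuse
            # recursion after the change.
            problems.append("%s: loopback, points at this server's own named" % ns)
        elif addr in own:
            problems.append("%s: this server's own address" % ns)
        else:
            usable += 1
    if usable < 2:
        problems.append("only %d usable resolver(s); the thread recommends two" % usable)
    return problems


if __name__ == "__main__":
    for label, content in (("before", BEFORE), ("after", AFTER)):
        print(label, check_resolv_conf(content, ["192.0.2.80"]) or "ok")
```

To run it against a live file, replace the constructed strings with `open("/etc/resolv.conf").read()` and pass the addresses from `ip addr` as `own_addresses`; the check needs no network access, so it can be run before touching named.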
 
Is this right?

Hi,
As I am a complete newbie in this, I was looking at DNS Report and got this error, so I asked a friend, who said just to do this:

open the file /etc/named.conf

where:

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};


change to:

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
recursion no;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};


Is this right?! The error has stopped :D ....

best regards,
winger.
 
Get rid of that dump-file line; you don't need a cache if you're not caching anything.

I don't know about the statistics-file line.

Jeff
 
jlasman said:

When the caching nameserver is restored and the files restored, add this line to the bottom of the options section of /etc/named.conf (just above the first line with only }; on it).
Code:
recursion no;

Then restart your nameserver:


Here is where I get lost. I remove the caching server with rpm -e, then do I install named? Or do I re-install the caching nameserver?
 
If you already had named and caching-nameserver installed, then uninstalling caching-nameserver didn't uninstall named.

But it did mess with the two files I mentioned, changing one, and removing the other.

So you shouldn't have to reinstall named but you should have to restore those files.

Jeff
 
*** Fixed ***
Sorry I was an idiot.

Many thanks in advance.
Stephen
 
What about doing something like this in the named.conf:

Code:
acl recurseallow { 127.0.0.1; };

options {
...
        allow-recursion { recurseallow; };
};

That would allow recursive calls for localhost only and still satisfies dnsreports.
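An audit of the two approaches in this thread, added here as an example and not code from any poster or from BIND itself: it reads a named.conf text, strips all three comment styles, finds the options block (honouring nested braces such as allow-transfer), and reports whether recursion is switched off outright (the `recursion no;` approach from the first post) or restricted to an ACL (the `allow-recursion { recurseallow; };` approach above), expanding acl names to their members. The sample configs are constructed from the snippets in the thread, with 192.0.2.x documentation addresses; the assumption that a missing allow-recursion means "any" matches the BIND 9.2/9.3 default of the time, while BIND 9.4 and later default to localnets and localhost instead.

```python
import re

# Constructed named.conf samples modelled on this thread's snippets (not taken
# from any real server); 192.0.2.0/24 is documentation space.
OPEN_RESOLVER = """\
options {
        directory "/var/named";
};
"""

RECURSION_OFF = """\
options {
        directory "/var/named";
        recursion no;   // the first post's approach
};
"""

ACL_RESTRICTED = """\
acl recurseallow { 127.0.0.1; 192.0.2.10; };
options {
        directory "/var/named";
        allow-transfer { 192.0.2.20; };
        allow-recursion { recurseallow; };   # toml's approach
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, keyword):
    """Return the text between the braces of 'keyword { ... };', honouring
    nested braces (allow-transfer { ... } inside options, for instance).
    Returns None when the keyword is absent."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces after %s" % keyword)


def address_list(body):
    """Split '127.0.0.1; name; ...' into its entries."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Map every top-level 'acl name { ... };' to its member list."""
    return {m.group(1): address_list(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', text)}


def expand(entries, acls, seen=None):
    """Replace acl names with their members, recursively, without looping."""
    seen = seen or set()
    out = []
    for e in entries:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen | {e}))
        else:
            out.append(e)   # an address, a network, or a built-in like 'any'
    return out


def audit_recursion(conf):
    """Summarise the recursion policy of a named.conf text."""
    text = strip_comments(conf)
    options = block_body(text, "options") or ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", options)
    recursion = rec.group(1) if rec else "yes"   # BIND's default is yes
    allow = block_body(options, "allow-recursion")
    # Assumption: no allow-recursion means 'any' (the BIND 9.2/9.3 default of
    # the thread's era; BIND 9.4+ defaults to localnets and localhost).
    clients = expand(address_list(allow), parse_acls(text)) if allow is not None else ["any"]
    return {"recursion": recursion, "clients": clients,
            "open": recursion == "yes" and "any" in clients}


if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER), ("recursion no", RECURSION_OFF),
                       ("acl", ACL_RESTRICTED)):
        print(name, audit_recursion(conf))
```

An `open` result means any host on the Internet can use the server for recursive lookups, which is exactly what DNS Report's check complains about; either a `recursion no;` in options or an allow-recursion list without `any` clears it, and the second form keeps the server usable as a cache for the addresses listed.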
 
If it works, use it :) . I'm not sure if it works on its own or only with an ACL list of IP#s.

Jeff
 
It works with the ACL list of IPs. The acl syntax names a list and the allow-recursion uses the named acl list. It works for me :)
 
Code:
acl recurseallow { 127.0.0.1; };

options {
...
        allow-recursion { recurseallow; };
};

Of the three or four different options given here I tried this one first, mainly because it looks clean and easy to implement and it still allows caching for localhost.
It works!
Many thanks for this tip toml!
 
toml said:
What about doing something like this in the named.conf:

Code:
acl recurseallow { 127.0.0.1; };

options {
...
        allow-recursion { recurseallow; };
};

That would allow recursive calls for localhost only and still satisfies dnsreports.

Can you post your entire named.conf file - minus the zone list at the bottom please?
 
toml said:
What about doing something like this in the named.conf:

Code:
acl recurseallow { 127.0.0.1; };

options {
...
        allow-recursion { recurseallow; };
};

That would allow recursive calls for localhost only and still satisfies dnsreports.

Yes, this works perfectly AND you can even add your home IP address if you have a static IP and use your server as a DNS server for home and still keep a closed DNS server: I like this :p

acl recurseallow { 127.0.0.1; 80.28.3.123; };

Ed,
 
Ok... folks... I haven't posted here in a long time... BUT I am starting up a CentOS 4 box and am setting DA back up. I haven't done so in months... so, I assume some things have changed.

During my setup, I did encounter this exact issue when checking my DNS settings at DNSreport.com. From reading Jeff's and a few other comments, I assume this is a NEW anomaly with the way DA sets up? Just curious.

Also, I simply followed the link on "how to fix it" that is on the dnsreport.com results page and simply adding recursion no; to the named.conf file corrected the negative output in dnsreports.com... with that said, that was a simple fix but does it have the potential to cause me other issues? Again, I did a clean minimal install of CentOS 4 and then the DA install... not much else.
 
That should work fine. The change was not in DA, it was in how dnsreport.com reported DNS success/failure. The changes I posted about are only needed if you want to use your local DNS server and not allow recursive lookups to any other host.
 
Currently have it like this :
Code:
// Default named.conf generated by install of bind-9.2.4-2
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        recursion no;
};
include "/etc/rndc.key";

And it works perfectly, no errors in dnsreport.
rpm -qa | grep caching
Also wasn't installed in the first place.
 
Here is one with recursion allowed by only the localhost.
Code:
// Default named.conf generated by install of bind-9.2.4-2
acl recurseallow { 127.0.0.1; };
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        query-source address ns1_ip_address port 53;
        notify yes;
        allow-transfer {slave_ip_1; slave_ip_2; slave_ip_3; slave_ip_4; };
        allow-recursion { recurseallow; };
};
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
...
zone_files_and_definitions_below
 
toml,

While I prefer completely nonrecursive nameservers, your code should work fine.

Jeff
 
Nevermind....

When I add the "recursion no;" I can't restart named. When I use toml's method it fixes the issue, but I get a new error on my DNS report - [no glue provided]

Any suggestions?

--

Nevermind! - I didn't read the instructions properly the first time. I didn't put "recursion no;" within my options.
 