Recursion no?

Magistar

Verified User
Joined
May 31, 2014
Messages
105
On my latest VPS the CSF firewall gave me a notice regarding "Check for DNS recursion restrictions". So I checked my other VPS and noticed an addition by my host to named.conf:

//added by cloudvps
recursion no;
additional-from-auth no;
additional-from-cache no;
Which explains why there are no DNS related warnings for that VPS.

Is there a downside to disabling this function? I also found this "fix": http://www.webhostingtalk.com/showthread.php?t=615056. So I am unsure how to proceed here. Any thoughts?


PS: I am using vps1 and vps2 as ns1 and ns2 with a multi-server DirectAdmin setup.
 
Hello,

Usually, hosting master/slave DNS servers should have:

Code:
recursion no;

as well as

Code:
allow-transfer { none; };

or

Code:
allow-transfer { 1.2.3.4; };

where 1.2.3.4 is a trusted IP of your slave NS.
 
Thanks. I currently do not have the last option for my slave NS. Can this become problematic? So far it seems to be working.
 
Hmm, I had the following results:

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> axfr @ns2.sedeko.eu gameplayinside.com
; (1 server found)
;; global options: +cmd
gameplayinside.com. 14400 IN SOA ns1.sedeko.eu. hostmaster.gameplayinside.com. 2015021800 14400 3600 1209600 86400
gameplayinside.com. 14400 IN MX 10 mail.gameplayinside.com.
gameplayinside.com. 14400 IN TXT "v=spf1 a mx ip4:85.222.228.61 ~all"
gameplayinside.com. 14400 IN A 85.222.228.61
gameplayinside.com. 14400 IN NS ns1.sedeko.eu.
gameplayinside.com. 14400 IN NS ns2.sedeko.eu.
cp.gameplayinside.com. 14400 IN A 85.222.228.61
factorio.gameplayinside.com. 14400 IN A 5.200.9.237
ftp.gameplayinside.com. 14400 IN A 85.222.228.61
localhost.gameplayinside.com. 14400 IN AAAA ::1
localhost.gameplayinside.com. 14400 IN A 127.0.0.1
mail.gameplayinside.com. 14400 IN A 85.222.228.61
pop.gameplayinside.com. 14400 IN A 85.222.228.61
smtp.gameplayinside.com. 14400 IN A 85.222.228.61
www.gameplayinside.com. 14400 IN A 85.222.228.61
gameplayinside.com. 14400 IN SOA ns1.sedeko.eu. hostmaster.gameplayinside.com. 2015021800 14400 3600 1209600 86400
;; Query time: 89 msec
;; SERVER: 84.22.103.9#53(84.22.103.9)
;; WHEN: Fri Feb 20 21:06:23 CST 2015
;; XFR size: 16 records (messages 1, bytes 443)



; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> axfr @ns1.sedeko.eu gameplayinside.com
; (1 server found)
;; global options: +cmd
gameplayinside.com. 14400 IN SOA ns1.sedeko.eu. hostmaster.gameplayinside.com. 2015021800 14400 3600 1209600 86400
gameplayinside.com. 14400 IN MX 10 mail.gameplayinside.com.
gameplayinside.com. 14400 IN TXT "v=spf1 a mx ip4:85.222.228.61 ~all"
gameplayinside.com. 14400 IN A 85.222.228.61
gameplayinside.com. 14400 IN NS ns1.sedeko.eu.
gameplayinside.com. 14400 IN NS ns2.sedeko.eu.
cp.gameplayinside.com. 14400 IN A 85.222.228.61
factorio.gameplayinside.com. 14400 IN A 5.200.9.237
ftp.gameplayinside.com. 14400 IN A 85.222.228.61
localhost.gameplayinside.com. 14400 IN AAAA ::1
localhost.gameplayinside.com. 14400 IN A 127.0.0.1
mail.gameplayinside.com. 14400 IN A 85.222.228.61
pop.gameplayinside.com. 14400 IN A 85.222.228.61
smtp.gameplayinside.com. 14400 IN A 85.222.228.61
www.gameplayinside.com. 14400 IN A 85.222.228.61
gameplayinside.com. 14400 IN SOA ns1.sedeko.eu. hostmaster.gameplayinside.com. 2015021800 14400 3600 1209600 86400
;; Query time: 86 msec
;; SERVER: 85.222.228.61#53(85.222.228.61)
;; WHEN: Fri Feb 20 21:06:23 CST 2015
;; XFR size: 16 records (messages 1, bytes 443)

As far as I can see, there is nothing "secret" in there. Regardless, I will try to add the option to named (I am just worried about blowing it up so my whole DNS goes down :P).
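The two checks this thread circles around, the CSF recursion warning from the first post and the `dig axfr` test in the post above, can be scripted, and the `recursion no;` / `allow-transfer` advice from the reply can be emitted as a ready-to-paste `options` block. The script below is an added example, not code from any of the posters or from DirectAdmin/CSF. It assumes the names `example.com`, `ns1.example.net`, `ns2.example.net` and the address `192.0.2.10`, and the sample `dig` outputs embedded in it are constructed to have the shape of dig 9.9 output, not captured from a live server.

```shell
#!/bin/sh
# Added example (not from the thread): classify dig output for open AXFR
# and open recursion, and print the BIND options fragment that closes both.
# Sample output below is constructed; example.com / ns*.example.net /
# 192.0.2.10 are placeholders.

# Classify the output of `dig axfr @NS ZONE`.
#   open    - the zone was handed over: a completed AXFR is bracketed by
#             two SOA records, exactly as in the post above
#   closed  - the server refused; dig prints "; Transfer failed."
#   unknown - timeout, unreachable server, or unexpected output
axfr_status() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo closed
        return
    fi
    soa_count=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]][[:space:]]*SOA[[:space:]]' || true)
    if [ "$soa_count" -ge 2 ]; then
        echo open
    else
        echo unknown
    fi
}

# Classify the answer to a query for a name the server is NOT authoritative
# for, e.g. `dig @ns1.example.net www.example.org A`.
#   open    - status NOERROR and the "ra" (recursion available) flag set:
#             the server resolved a foreign name for us (open resolver)
#   closed  - "ra" flag absent or status REFUSED: recursion is off
#   unknown - no header/flags found, SERVFAIL, ...
recursion_status() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    if [ -z "$flags" ]; then
        echo unknown
        return
    fi
    case " $flags " in
        *" ra "*) ;;                   # ra present: decide on the status below
        *) echo closed; return ;;
    esac
    case "$status" in
        NOERROR) echo open ;;
        REFUSED) echo closed ;;
        *)       echo unknown ;;
    esac
}

# BIND `options` fragment closing both findings. On the master pass the
# slave's IP (the "1.2.3.4" from the reply) so it can still pull zones;
# on the slave pass "none". For several slaves: "1.2.3.4; 5.6.7.8".
bind_hardening_options() {
    transfer_acl="$1"
    cat <<EOF
options {
    recursion no;                        // authoritative only, never resolve for others
    allow-query { any; };                // our own zones stay publicly resolvable
    allow-transfer { ${transfer_acl}; }; // AXFR/IXFR only to this host (or none)
};
EOF
}

# Constructed samples in the shape of dig 9.9 output.
SAMPLE_AXFR_OPEN=$(cat <<'EOF'
; <<>> DiG 9.9.5 <<>> axfr @ns2.example.net example.com
;; global options: +cmd
example.com.      14400 IN SOA ns1.example.net. hostmaster.example.com. 2015021800 14400 3600 1209600 86400
example.com.      14400 IN NS  ns1.example.net.
example.com.      14400 IN NS  ns2.example.net.
example.com.      14400 IN A   192.0.2.10
www.example.com.  14400 IN A   192.0.2.10
example.com.      14400 IN SOA ns1.example.net. hostmaster.example.com. 2015021800 14400 3600 1209600 86400
;; XFR size: 6 records (messages 1, bytes 219)
EOF
)
SAMPLE_AXFR_CLOSED=$(cat <<'EOF'
; <<>> DiG 9.9.5 <<>> axfr @ns2.example.net example.com
;; global options: +cmd
; Transfer failed.
EOF
)
SAMPLE_RECURSION_OPEN=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SAMPLE_RECURSION_CLOSED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
)

echo "AXFR, open sample:          $(axfr_status "$SAMPLE_AXFR_OPEN")"
echo "AXFR, refused sample:       $(axfr_status "$SAMPLE_AXFR_CLOSED")"
echo "recursion, open sample:     $(recursion_status "$SAMPLE_RECURSION_OPEN")"
echo "recursion, disabled sample: $(recursion_status "$SAMPLE_RECURSION_CLOSED")"
# Live use, from a host that is NOT in allow-transfer:
#   axfr_status "$(dig axfr @ns2.example.net example.com)"
#   recursion_status "$(dig @ns1.example.net www.example.org A)"
```

Run the live checks from an address outside the transfer ACL, otherwise an `open` result only proves the ACL works. After pasting the fragment into named.conf, `named-checkconf` before `rndc reload` catches the syntax slip that would otherwise take the whole server down. One caveat on the "can this become problematic?" question: if `allow-transfer` on the master omits the slave, the slave keeps answering from its stale copy only until the SOA expire timer runs out (1209600 seconds, fourteen days, in the zone dumped above) and then stops serving the zone, so after restricting transfers confirm with a `dig axfr` from the slave itself that it still gets `open`.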
 