Recursion

ldjnetworks

Hello,
Recently I've been made aware that certain DDOS attacks can be performed on a DNS server that has recursion enabled. Last night I added
recursion no;
to my named.conf. This was fine except when I went to send an email through the server I get an "unroutable address" error immediately. This is because exim can't look up the MX record of the email / domain in question. My question is, is there a way to protect myself from recursion DDOS attacks and still be able to send emails, etc., without problems?
 
I'm surprised named even started. Did you add the recursion no; to the options section? It might be in named.conf or it might be an include from another file such as named.conf.options
 
Yes I added to the options section. I did a /etc/init.d/named restart and it reported "OK" so I assumed it restarted correctly.
 
You should be using a recursive (caching) nameserver for your server (see your /etc/resolv.conf file).

Your nameserver is no longer answering recursive requests since you added that line.

(That is the correct thing to do.)

Now you have to get a caching nameserver (hopefully local to you on the same network, for speed) at the top of your /etc/resolv.conf file, so exim and other processes will be able to get IP addresses.

If your upstream provider cannot provide you with at least one caching nameserver you can google for ways to make your BIND copy a caching server for your main IP# and for localhost, and yet only authoritative for the rest of the world.

Jeff
 
Same problem

Hi,

I have the same problem.
Did you fix it? Can you give me the resolution, please?
 
checked

I followed all those steps.

I have "recursion no;" in options, and created an allow-recursion with the IP addresses 127.0.0.1 and the machine's eth0 address.

But I'm still receiving unroutable messages in exim logs. When I remove "recursion no" this problem stops.
 
Hello,

You can still stop outside recursion and still be able to do lookups from it locally. In named.conf, in the options section, place this.

allow-recursion { 127.0.0.1; serverip; };

change serverip to your server ip.
 
Done!

hehehe, I solved the problem by removing the recursion no and keeping allow-recursion {};
 
That is correct. I suppose I should rewrite my How-To.

But after all, it does create a non-recursive nameserver, which is exactly what I wanted to do :) .

Jeff
 
I have only:

allow-recursion { 127.0.0.1; };

in named.conf options section.

I see no reason for putting another ip in there since recursive lookups are local.
 
gentlemen;

I do not use Direct Admin but I'm experiencing this same DNS issue where I'm getting so many 'lame server resolving' requests it's causing my server to crash 3 or 4 times per day.

I've tried a variety of methods to get rid of it including adding:

options {
recursion no;
};

to my named.conf file. That stopped the lame server requests but also stopped my email from working. So, I tried some other variations of it, including some you've suggested in this thread that included the server IP, etc.

NONE of these has worked, as each still halts the email process even though it stops the lame server requests.

I'm reaching the end of my hair and my rope as I've tried to resolve this and researched all kinds of Bind resources.

Any ideas on this?
 
simco,

Your options section should include a bunch of lines, including:

allow-recursion { 127.0.0.1; };

if you want to be able to put your local nameserver into your resolv.conf file.

and

recursion no;

if you don't want your server to be a caching nameserver to the world.

Me? I don't use my local nameserver for caching at all.

Here's a copy of my options section (note I do NOT use an allow-recursion section because I don't use my own nameserver for resolution in resolv.conf).
Code:
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
        recursion no;
};
Jeff
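The thread keeps circling the same three outcomes: a server that recurses for anyone (the DDoS amplification concern in the first post), one that recurses only for listed clients (allow-recursion { 127.0.0.1; serverip; }), and one that does not recurse at all (recursion no;, which overrides any allow-recursion list and is why exim's MX lookups fail unless /etc/resolv.conf points at some other caching resolver). The script below is an added example, not code from this thread or from the BIND project; it parses the options block of a named.conf, classifies which of those states the config is in, and says what that means for local mail. The sample configs are constructed for the example (192.0.2.10 stands in for the server's own IP), and the brace-matching walk also catches an options block that is never closed, which is the kind of syntax slip that makes named reject a change rather than apply it.

```python
"""Audit the recursion policy of a BIND named.conf options block (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample configurations, modelled on the snippets in the thread.
# 192.0.2.10 is a placeholder for the server's own address.
OPEN_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};
"""

LOCAL_ONLY = """
options {
    directory "/var/named";
    allow-recursion { 127.0.0.1; 192.0.2.10; };  // loopback plus the host itself
};
"""

AUTHORITATIVE_ONLY = """
options {
    directory "/var/named";
    /* 'recursion no' wins even when an allow-recursion list is present */
    recursion no;
    allow-recursion { 127.0.0.1; };
};
"""

DENY_ALL_ACL = """
options {
    allow-recursion { };
};
"""

# Opening brace of 'options' is never closed: named would refuse this file.
UNBALANCED = "options {allow-recursion {localhost; 192.0.2.10/29; };"

WORLD_MATCHES = {"any", "0.0.0.0/0", "::/0"}

ADVICE = {
    "open": "recurses for anyone on the Internet: amplification/reflection risk; restrict allow-recursion",
    "closed": "answers only authoritative queries; /etc/resolv.conf must name another caching resolver or exim MX lookups fail",
    "restricted": "recurses only for the listed clients; fine if 127.0.0.1 (and the host's own IP) are listed and resolv.conf uses them",
    "version-default": "no allow-recursion given: BIND 9.4+ defaults to localhost/localnets, older releases recurse for anyone",
}


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def options_body(conf: str) -> str:
    """Return the text inside options { ... }, matching nested braces by hand."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        raise ValueError("no options block found")
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces in options block")


def has_valid_options(conf: str) -> bool:
    """True when an options block exists and its braces balance."""
    try:
        options_body(conf)
        return True
    except ValueError:
        return False


def recursion_policy(conf: str) -> Tuple[str, Optional[List[str]]]:
    """Classify as open / restricted / closed / version-default, with the ACL members seen."""
    body = options_body(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", body)
    members = None
    if acl:
        members = [x.strip() for x in acl.group(1).split(";") if x.strip()]
    if rec and rec.group(1) == "no":
        return "closed", members          # recursion no; disables recursion outright
    if members is None:
        return "version-default", None    # behaviour depends on the BIND release
    if not members:
        return "closed", members          # allow-recursion { }; matches nobody
    if any(x in WORLD_MATCHES for x in members):
        return "open", members
    return "restricted", members


if __name__ == "__main__":
    for name, conf in [("open", OPEN_RESOLVER), ("local", LOCAL_ONLY),
                       ("auth-only", AUTHORITATIVE_ONLY), ("deny-all", DENY_ALL_ACL)]:
        policy, acl = recursion_policy(conf)
        print(f"{name:10s} {policy:16s} acl={acl} -> {ADVICE[policy]}")
    print("unbalanced sample parses:", has_valid_options(UNBALANCED))
```

Run it against a real file by reading it into a string and passing it to recursion_policy(); a "closed" or "restricted" verdict with 127.0.0.1 absent explains the unroutable-address errors from exim directly, because the MTA resolves through the nameserver listed in resolv.conf and that nameserver will not recurse for it.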
 
Jeff:

First, thank you for the response. This has been a real challenge and some solid advice is needed so I don't keep experimenting and blow something up.

OK. My biggest fear in using 'recursion no' is that it also stops use of email coming in or out of the domains hosted on my server, which is about 55.

I tried this setup:

options {
allow-recursion { 127.0.0.1; };
};

and it didn't work. It stops the queries but it also stopped the ability to view the domains on the server. No sites would pull up (404 errors). So, scrapped that one.

Then tried this:

options {allow-recursion {localhost, 69.93.229.184/29; };

That didn't work either.

I'm pretty much at a loss. There's just two things I really want to accomplish.

1) stop the queries
2) keep the email working

If there's other benefits to some other option lines then I'm all ears. But those are the two main items.
 