You have a local DNS server running but do not appear to have any recursion restricti

Anton
You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only

I get this when I run Test Security in CSF,

and I have found this:

http://www.webhostingtalk.com/showthread.php?t=615056

Code:
include "/etc/namedb/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" {
127.0.0.1;
};

options {
pid-file "/var/run/named/named.pid";
directory "/etc/namedb";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
version "BIND";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
forwarders { 127.0.0.1; };
};

but I am not okay with just putting this in and leaving it at that :) so maybe you fine people could help me and tell me what you have done to fix this problem.

I also have one other problem in CSF:

You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject +received_recipients
to /etc/exim.conf

I did, and then it told me that I needed to exclude that from my file, and if I do that then it says

Check exim weak SSL/TLS Ciphers (tls_require_ciphers)
is at warning state?
But it is working as I write this, so that's not an issue.
 
About the recursion, I would just edit your own /etc/named.conf file and add this line:
allow-recursion { localnets; };

somewhere inside the options { ... }; container.

It might look like this then:
// generated by named-bootconf.pl

options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

allow-transfer { none; };
allow-recursion { localnets; };
};
Don't forget to restart named.

For exim, edit your /etc/exim.conf and look under log_selector.
It should contain these settings:
log_selector = \
+arguments \
+subject \
+received_recipients \
+delivery_size \
+sender_on_delivery \
+received_sender \
+smtp_confirmation \
+smtp_incomplete_transaction
Most are already present in your exim.conf; just add the ones that are missing. (The last selector must not end with a backslash, otherwise Exim reads the next line as part of the setting.)

After that, restart exim.

Mostly, if you click on the notices CSF gives you, it will show you how to fix them.
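Added example (my own code, not CSF's check and not anything posted in this thread): a small Python script that does what the exim part of the thread describes by hand. It reads the existing log_selector setting, including the backslash-continued multi-line form shown above, reports which of the three selectors CSF asks for are not switched on, and writes them in without duplicating the ones already there. The exim.conf snippets inside it are constructed for the demo, and it does not follow .include files.

```python
"""Merge the log_selector flags CSF asks for into an exim.conf.

Added example for this thread; it is not CSF's code and not Exim's.
"""
import re

# The three selectors CSF's "Test Security" notice asks for (from the thread).
WANTED = ["+arguments", "+subject", "+received_recipients"]


def parse_log_selector(conf):
    """Locate `log_selector = ...`, possibly continued over several lines with
    trailing backslashes, and return (first_line, last_line, [flags]) or None."""
    lines = conf.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*log_selector\s*=", line):
            parts = [line.split("=", 1)[1]]
            j = i
            while parts[-1].rstrip().endswith("\\") and j + 1 < len(lines):
                j += 1
                parts.append(lines[j])
            flags = " ".join(p.rstrip().rstrip("\\") for p in parts).split()
            return i, j, flags
    return None


def enabled(flags):
    """Exim applies selectors left to right, so for each name the last +/- wins."""
    state = {}
    for f in flags:
        state[f.lstrip("+-")] = f.startswith("+")
    return {"+" + name for name, on in state.items() if on}


def missing_selectors(conf, wanted=WANTED):
    """Wanted selectors that are not switched on (roughly what CSF's notice implies)."""
    found = parse_log_selector(conf)
    on = enabled(found[2]) if found else set()
    return [w for w in wanted if w not in on]


def merge_log_selector(conf, wanted=WANTED):
    """Return conf with the wanted selectors switched on, one per line."""
    lines = conf.splitlines()
    found = parse_log_selector(conf)
    if found:
        start, end, flags = found
    else:
        # log_selector is a main-section option, so when it is absent it has to go
        # before the first "begin ..." section, not at the end of the file.
        begins = [i for i, l in enumerate(lines) if re.match(r"\s*begin\b", l)]
        start = begins[0] if begins else len(lines)
        end, flags = start - 1, []
    names = {w.lstrip("+") for w in wanted}
    # Drop an explicit "-subject" style switch-off for a selector we want on.
    kept = [f for f in flags if not (f.startswith("-") and f.lstrip("-") in names)]
    for w in wanted:
        if w not in kept:
            kept.append(w)
    block = ["log_selector = \\"] + [f"  {f} \\" for f in kept[:-1]] + [f"  {kept[-1]}"]
    lines[start:end + 1] = block
    return "\n".join(lines) + "\n"


# Constructed sample: two selectors present, one explicitly switched off.
SAMPLE = """\
primary_hostname = mail.example.net
log_selector = \\
  +arguments \\
  +delivery_size \\
  -subject
tls_require_ciphers = HIGH:!aNULL

begin acl
acl_check_rcpt:
  accept
"""

# Constructed sample with no log_selector at all.
NO_SELECTOR = """\
primary_hostname = mail.example.net

begin acl
acl_check_rcpt:
  accept
"""

if __name__ == "__main__":
    print("missing before:", missing_selectors(SAMPLE))
    fixed = merge_log_selector(SAMPLE)
    print(fixed)
    print("missing after:", missing_selectors(fixed))
```

Run it against a copy of /etc/exim.conf first and diff the result; DirectAdmin rewrites exim.conf on updates, so keep a note of any selectors you add by hand.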
 
This may have been updated in a recent version:

When editing the file, you will see the following near the top of the file:

Code:
// recursion no;

I simply uncommented the line and changed it to yes as such:

Code:
recursion yes;

This cleared the warning in CSF.
 
You have to specify which one
No, you don't.
allow-recursion and recursion are two different settings. ;)
The BIND configuration option recursion yes|no; controls whether or not clients are permitted to make recursive queries, and the "allow-recursion" option controls which clients are permitted this privilege.
As stated here:
https://kb.isc.org/docs/aa-00817
You can use them together, though. Mostly the allow-recursion is already present by default in named.conf.
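Added example, not part of the thread and not what CSF actually runs: a Python checker that reads the options { } block of a named.conf the way the posts above talk about it, treating recursion and allow-recursion as the two separate settings they are. It strips //, # and /* */ comments first, so a commented-out //recursion yes; like the one in the CentOS 7 config later in this thread counts for nothing, and it flags the three things discussed here: recursion on with no allow-recursion ACL, an open allow-transfer, and a missing version string. The sample configs are cut down from the ones posted in this thread plus two constructed ones; named ACLs are not expanded, so allow-recursion { trusted; } is taken at face value.

```python
"""Audit a BIND named.conf for the recursion / transfer / version settings
that CSF's 'Test Security' warns about.

Added example for this thread; it is not CSF's check and only looks at the
top-level options block.
"""
import re


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level `options { ... }` block, brace-matched."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def statement(body, name):
    """Value of `name value;` or `name { ... };` in body, or None if absent.
    The look-behind keeps `recursion` from matching inside `allow-recursion`."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^;{]+|\{[^}]*\})\s*;", body)
    return m.group(1).strip() if m else None


def acl_entries(value):
    """'{ localnets; 127.0.0.1; }' or '{"none";}' -> ['localnets', '127.0.0.1']."""
    return [e.strip().strip('"') for e in value.strip("{} ").split(";") if e.strip()]


def audit(conf):
    """List the findings CSF's notice is about; an empty list means clean."""
    body = options_block(strip_comments(conf))
    findings = []
    recursion = statement(body, "recursion")        # BIND's default is yes
    allow_rec = statement(body, "allow-recursion")
    if recursion != "no" and allow_rec is None:
        findings.append("recursion on with no allow-recursion ACL: open resolver")
    elif allow_rec is not None and "any" in acl_entries(allow_rec):
        findings.append("allow-recursion { any; }: recursion open to the Internet")
    xfer = statement(body, "allow-transfer")
    if xfer is None or "any" in acl_entries(xfer):
        findings.append("allow-transfer unrestricted: anyone can pull your zones")
    if statement(body, "version") is None:
        findings.append("version unset: BIND version disclosed via version.bind")
    return findings


# Cut down from the first post: recursion limited to a named ACL.
TRUSTED = """
acl "trusted" { 127.0.0.1; };
options {
    directory "/etc/namedb";
    version "BIND";
    allow-recursion { trusted; };
    allow-transfer { trusted; };
};
"""

# Constructed: only `recursion yes;` uncommented, nothing else restricted.
RECURSION_ONLY = """
options {
    directory "/var/named";
    recursion yes;   # uncommented, nothing else changed
};
"""

# Cut down from the CentOS 7 config posted later in the thread.
CENTOS7 = """
options {
    directory "/var/named";
    //allow-query     { localhost; };
    allow-recursion { localnets; };
    allow-transfer {"none";};
    version "My pretty dns server";
    /* If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. */
    //recursion yes;
};
"""

# Constructed: authoritative-only server, recursion switched off outright.
AUTH_ONLY = """
options { recursion no; allow-transfer { none; }; version "none"; };
"""

if __name__ == "__main__":
    for label, conf in [("trusted", TRUSTED), ("recursion-only", RECURSION_ONLY),
                        ("centos7", CENTOS7), ("auth-only", AUTH_ONLY)]:
        print(label, "->", audit(conf) or "clean")
```

Whatever the checker says, confirm the live behaviour with named-checkconf and then a recursive query from an outside host (dig +recurse for a zone you are not authoritative for should be refused).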
 
I have the same:
You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only

In 2020, what do I need to change?
 
For DirectAdmin yes, but be sure this is present:
Code:
allow-transfer {"none";};
Nowadays on new installs, DA puts this in one of the first lines.
However, if it is not present, add it for more security.

And you can also use this for additional security, to hide the version of BIND you're using:
Code:
version "my own text here";

Just to be sure, I always also do:
Code:
//recursion yes;
which is probably not needed anymore, but just to be sure. :)
 
About the recursion, I would just edit your own /etc/named.conf file and add this line: [...] Mostly if you click on the notices CSF gives you, it will show you the solution how to fix it.

I followed your advice. The entire DNS server went down.
 
I followed your advice. The entire DNS server went down.
Probably caused by putting the setting in the wrong place or forgetting a semicolon or something. Your DNS server should say why it's not starting.

Have a look at mine, maybe you can find your issue:

Code:
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        //allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-transfer {"none";};
        version "My pretty dns server";
        minimal-responses yes;
        empty-zones-enable no;

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        //recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

This is on a CentOS 7 server. A lot of this is default.
 