Check /etc/named.conf For Recursion Restrictions
Jun 23, 2007
I'm getting this warning from the Check Server Security option in csf:
--------
You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only
--------
I looked at named.conf, but in fact I didn't understand what I should do.
Can somebody tell me what I should do, and what this warning is trying to tell me?
View 2 Replies
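What the warning means: named is answering recursive queries for anyone who asks, so the box is an open resolver. Strangers can use it as a cache to poison, as a reflector for DNS amplification floods, and simply to burn CPU on their lookups (the "performance" half of the warning). The fix csf is pointing at is an `allow-recursion` ACL in the `options` block of /etc/named.conf, for example `allow-recursion { 127.0.0.1; <your server's IPs>; };` (or `recursion no;` if the server only needs to be authoritative for its own zones), followed by `named-checkconf` and `rndc reload`. To confirm the change took effect from the outside, the following script, added here as an example and not part of the original thread or of csf, sends one recursive query over raw UDP and classifies the reply; the probe name `www.example.com` and the server address are assumptions. Run it from a host that is not in your `allow-recursion` list, since a query from localhost will always be answered.

```python
import socket
import struct

# Assumed probe target: a name this server is not authoritative for. Replace as needed.
PROBE_NAME = "www.example.com"
TXID = 0x1234

def build_query(name: str, recursion_desired: bool = True) -> bytes:
    """Encode one DNS question (type A, class IN); the RD bit is set when recursion is wanted."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(packet: bytes) -> dict:
    """Pull out the header fields that decide whether the server recursed for us."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(packet: bytes) -> str:
    """Turn a reply into a verdict; REFUSED (rcode 5) is what a restricted server returns."""
    h = parse_header(packet)
    if h["txid"] != TXID or not h["qr"]:
        return "not a reply to our query"
    if h["rcode"] == 5:
        return "closed: recursion refused"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "OPEN RESOLVER: recursive answer returned"
    if h["ra"]:
        return "recursion offered (RA set) but no answer"
    return "no recursion available (RA clear)"

def probe(server_ip: str, name: str = PROBE_NAME, timeout: float = 3.0) -> str:
    """Send the query to UDP port 53 on server_ip and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

`python3 probe.py <server ip>` from an outside host should print "closed: recursion refused" once the ACL is in place; "OPEN RESOLVER" means the warning still applies. A bare "no recursion available" is what an authoritative-only server returns.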
Mar 2, 2008
I have a dedicated server and I got a new one.
My site is rock2host.com.
On the domain name I set ns1, ns2, ns3 and ns4 to the IPs of the new server,
but the problem is that up to now no account on my server is working,
as I have a DNS error, but I don't know what the problem is.
I did this:
DNS Functions
Adding an A entry for your hostname
Bind reloading on server using rndc zone: [rock2host.com] Error reloading bind on server: rndc: get config key list: not found
DNS Functions
Cleanup Nameserver Config File
Fatal! named.conf fails named-checkconf, please repair named.conf and try again
View 14 Replies
Apr 8, 2009
It started with this error:
Bind reloading on server01 using rndc zone: [ns1.mydomain.net]
Error reloading bind on server01: rndc: connect failed: 127.0.0.1#953: connection refused
So I did the obvious and checked the csf firewall to see if port 953 was enabled, and it was.
So I took a look at rndc.conf:
Code:
root@server01 [~]# nano /etc/rndc.conf
#start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "KLGSBmWZrev0I4fR4Tm4GXxdcYSTFzF23b1f9is1M=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
#key "rndc-key" {
# algorithm hmac-md5;
# secret "KLGSBmWZrev0I4fR4Tm4GXxdcYSTFzF23b1f9is1M=";
#};
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Then I took a look at named.conf:
Code:
options {
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
//query-source port 53;
/* We no longer enable this by default as the dns poison exploit
has forced many providers to open up their firewalls a bit */
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
/* memstatistics-file "data/named_mem_stats.txt"; */
};
logging {
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { 127.0.0.0/24; };
match-destinations { localhost; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/var/named/named.rfc1912.zones";
};
View 5 Replies
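Two things are visible in the files above: rndc.conf has a key and points at 127.0.0.1#953, but the named.conf below it contains neither a `key` statement nor a `controls` statement. BIND 9 only opens the control channel when a `controls` statement exists, or, if none does, when it can read /etc/rndc.key (inside the chroot, if named is chrooted) for a default channel on 127.0.0.1 port 953. With neither, nothing listens on 953 and rndc gets "connection refused" no matter what the firewall allows; the commented block at the end of rndc.conf is exactly what needs to be added to named.conf (or `include "/etc/rndc.key";` plus a `controls` statement). The earlier "rndc: get config key list: not found" is the other half of the same pairing: rndc itself cannot find a key to use. As an added example, not cPanel's fixrndc and not from either post, the script below checks that the two files agree; the configs and the placeholder secret in it are constructed.

```python
import re

def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so the commented-out sample block that ships in
    rndc.conf is not mistaken for a live key or controls statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
INET_RE = re.compile(r'\binet\s+([\w.:*]+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^}]*)\}'
                     r'(?:\s*keys\s*\{([^}]*)\})?', re.S)

def parse_keys(text: str) -> dict:
    """Map key name -> (algorithm, secret) for every key statement in the text."""
    keys = {}
    for name, body in KEY_RE.findall(strip_comments(text)):
        alg = re.search(r"algorithm\s+([\w-]+)", body)
        sec = re.search(r'secret\s+"([^"]+)"', body)
        if alg and sec:
            keys[name] = (alg.group(1).lower(), sec.group(1))
    return keys

def parse_controls(text: str) -> list:
    """Return (address, port, allowed_clients, key_names) for each inet control channel."""
    chans = []
    for addr, port, allow, keys in INET_RE.findall(strip_comments(text)):
        chans.append((addr, int(port or 953),
                      [a.strip() for a in allow.split(";") if a.strip()],
                      [k.strip().strip('"') for k in keys.split(";") if k.strip()]))
    return chans

def check_rndc(rndc_conf: str, named_conf: str, rndc_key_file: str = "") -> list:
    """Explain why rndc would fail against this named.conf, or return [] when consistent.
    rndc_key_file is the content of /etc/rndc.key, used when named.conf includes it or
    when there is no controls statement at all (BIND's default channel)."""
    rconf = strip_comments(rndc_conf)
    rndc_keys = parse_keys(rndc_conf)
    m = re.search(r'default-key\s+"?([\w.-]+)"?', rconf)
    key_name = m.group(1) if m else next(iter(rndc_keys), None)
    if key_name not in rndc_keys:
        return [f"rndc.conf: no usable key {key_name!r} (rndc cannot build its key list)"]
    srv = re.search(r"default-server\s+([\w.:]+)", rconf)
    prt = re.search(r"default-port\s+(\d+)", rconf)
    server = srv.group(1) if srv else "127.0.0.1"
    port = int(prt.group(1)) if prt else 953

    named_keys = parse_keys(named_conf)
    named_keys.update(parse_keys(rndc_key_file))
    chans = parse_controls(named_conf)
    if not chans and not re.search(r"\bcontrols\s*\{", strip_comments(named_conf)):
        if parse_keys(rndc_key_file):
            # No controls statement: BIND 9 opens 127.0.0.1:953 secured with /etc/rndc.key.
            chans = [("127.0.0.1", 953, ["127.0.0.1"], list(parse_keys(rndc_key_file)))]
        else:
            return ["named.conf: no controls statement and no rndc.key, so named opens no "
                    "control channel (rndc reports 'connect failed ... connection refused')"]
    match = [c for c in chans if c[0] in (server, "*") and c[1] == port]
    if not match:
        return [f"named.conf: no control channel on {server}#{port}, where rndc.conf points"]
    addr, cport, allow, key_names = match[0]
    findings = []
    if key_name not in key_names:
        findings.append(f"controls on {addr}#{cport} does not accept key {key_name!r}")
    if key_name not in named_keys:
        findings.append(f"named.conf never defines key {key_name!r} (check the rndc.key include)")
    elif named_keys[key_name] != rndc_keys[key_name]:
        findings.append(f"key {key_name!r}: algorithm/secret differ between rndc.conf and named.conf")
    if not any(a == server or a == "any" or (a == "localhost" and server in ("127.0.0.1", "::1"))
               for a in allow):
        findings.append(f"controls on {addr}#{cport} does not allow connections from {server}")
    return findings

# Constructed sample files (placeholder secret) in the shape of the post above.
RNDC_CONF = '''
key "rndc-key" { algorithm hmac-md5; secret "AAAAAAAAAAAAAAAAAAAAAA=="; };
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
# Use with the following in named.conf:
# key "rndc-key" { algorithm hmac-md5; secret "AAAAAAAAAAAAAAAAAAAAAA=="; };
# controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
'''
RNDC_KEY_FILE = 'key "rndc-key" { algorithm hmac-md5; secret "AAAAAAAAAAAAAAAAAAAAAA=="; };\n'
NAMED_WITHOUT_CONTROLS = 'options { directory "/var/named"; };\n'
NAMED_WITH_CONTROLS = RNDC_KEY_FILE + '''
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
options { directory "/var/named"; };
'''
```

Feed it the real files with `check_rndc(open("/etc/rndc.conf").read(), open("/etc/named.conf").read(), open("/etc/rndc.key").read())`; an empty list means the remaining suspects are a named that is not running or a chroot in which the key file is missing.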
May 31, 2008
I am running CentOS 5 with BIND 9 and there is no /etc/named.conf. All I could find is /etc/named.caching-nameserver.conf.
I am planning to run a DNS nameserver for my domain. Where do I put the zone entries?
View 9 Replies
May 30, 2008
I have cPanel running on my dedicated server and I have accidentally deleted /etc/named.conf.
How do I recover it? Will cPanel maintain a backup of some sort? I haven't stopped BIND, so my sites are working till now.
View 9 Replies
Jun 21, 2007
Last night I was looking at closing my open DNS...
but it seems that I kept playing in the file named
/etc/named.conf
I backed it up before,
but when I finished I didn't cp named.conf;
I typed mv named.conf-back /etc/named.conf
and now my whole server is down and the support is so bad...
They just told me some commands and it didn't work,
then they didn't respond to me...
View 14 Replies
Oct 28, 2009
I'd like to add GeoDNS to BIND, so I need to modify named.conf. All that I will put into it is an include of an ACL file (for different IP ranges), and a new view for the existing domain.
My VPS uses cPanel. What is the best way to handle this, as named.conf can be modified by cPanel? I can modify the template in /scripts/rebuilddnsconfig, but I don't know how to add a new view.
There's only one site on my VPS, but I use a few subdomains in DNS (legacy issues). There is only one db file in /var/named/.
View 2 Replies
Aug 11, 2008
I have the following problem:
When I try to restart the nameserver service I get the following error:
# service named restart
Stopping named: [ OK ]
Starting named:
Error in named configuration:
/etc/named.conf:87: unknown option 'e'
/etc/named.conf:120: unexpected end of input
[FAILED]
My named.conf is as follows:
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
options {
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
/* memstatistics-file "data/named_mem_stats.txt"; */
};
logging {
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { 127.0.0.0/24; };
match-destinations { localhost; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};
// include "/var/named/named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritativ
zone "smpl.splinteredmedia.net" {
type master;
file "/var/named/smpl.splinteredmedia.net.db";
};
e" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
};
view "external" {
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
// BEGIN external zone entries
};
z
zone "smpl.splinteredmedia.net" {
type master;
file "/var/named/smpl.splinteredmedia.net.db";
};
I have cPanel installed on a CentOS 5.1 VPS.
View 11 Replies
Dec 5, 2008
none:0: open: /etc/named.conf: file not found
I had installed cPanel on CentOS 5 on a VPS.
cPanel is running correctly, but named does not work!
I try to restart named but it says:
root@server [/etc]# service named restart
Stopping named: [ OK ]
Starting named:
Error in named configuration:
none:0: open: /etc/named.conf: file not found
[FAILED]
View 5 Replies
Dec 19, 2008
After the cPanel update to the latest release version I have an issue with named.conf.
I tried to rebuild named, but...
/scripts/rebuilddnsconfig
fixrndc requires a syntactically correct /etc/named.conf.
No changes were made to /etc/named.conf.
Problem was:
/etc/named.conf:23: when using 'view' statements, all zones must be in views
Can anyone explain to me what "/etc/named.conf:23: when using 'view' statements, all zones must be in views" means?
View 11 Replies
Oct 26, 2009
After upcp, named suddenly failed and only works when I use /scripts/ulimitnamed.
But now the server feels so slow because it became named-wrapper -u.
How do I revert from named-wrapper -u named back to /usr/sbin/named -u named?
View 0 Replies
Nov 25, 2008
I see some errors about lame servers in the messages log, and I noticed that it looks like the address of a surfer's ISP domain, because I noticed my ISP's domain also listed as a lame name server. Here is an example:
Nov 24 03:46:55 available9 named[7562]: lame server resolving '247.100.51.72.in-addr.arpa' (in '100.51.72.in-addr.arpa'?): 205.214.192.202#53
Nov 24 03:46:55 available9 named[7562]: lame server resolving '247.100.51.72.in-addr.arpa' (in '100.51.72.in-addr.arpa'?): 205.214.192.201#53
Nov 24 03:46:56 available9 named[7562]: lame server resolving '247.100.51.72.in-addr.arpa' (in '100.51.72.in-addr.arpa'?): 205.214.192.202#53
Nov 24 03:46:56 available9 named[7562]: lame server resolving '247.100.51.72.in-addr.arpa' (in '100.51.72.in-addr.arpa'?): 205.214.192.201#53
Nov 24 07:19:51 available9 named[7562]: FORMERR resolving 'ducksimilar.com/NS/IN': 203.93.208.87#53
Nov 24 07:19:51 available9 named[7562]: FORMERR resolving 'ducksimilar.com/NS/IN': 91.208.228.150#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host1.experienceexcept.com/AAAA/IN': 203.93.208.87#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host2.experienceexcept.com/AAAA/IN': 203.93.208.87#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host1.experienceexcept.com/AAAA/IN': 91.208.228.150#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host2.experienceexcept.com/AAAA/IN': 91.208.228.150#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host1.experienceexcept.com/AAAA/IN': 203.93.208.87#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host2.experienceexcept.com/AAAA/IN': 203.93.208.87#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host1.experienceexcept.com/AAAA/IN': 91.208.228.150#53
Nov 24 07:19:52 available9 named[7562]: FORMERR resolving 'host2.experienceexcept.com/AAAA/IN': 91.208.228.150#53
View 1 Replies
Jul 5, 2009
I have this error in my log.
What is this?
72 Time(s): BUG: recent printk recursion!
2 Time(s): Firewall: *TCP_IN Blocked* IN=venet0 OUT= <2>BUG: recent printk recursion!
View 9 Replies
Aug 29, 2013
I have a number of WordPress, Drupal, Wiki sites running under RHEL6.
Apache version: httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18
We are subject to internal scans by Appscan and Tenable. It is a security requirement so I cannot just block them.
The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.
This drives the php content management systems nuts.
Request comes in and is handled by php.
PHP checks the cache for that name and does not find it.
PHP generates a MySQL query and sends it.
MySQL tries and fails to satisfy the query.
MySQL returns result to php.
PHP writes a cache of the result and presents it to the web.
In other words, a whole lot of processor/memory.
The security scans typically look like this:
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................windowswin.ini HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................winntwin.ini HTTP/1.1
I have been able to improve performance, speed and security with mod_rewrite:
RewriteRule .*\.(dll|ini|exe|com)$ - [R=404,NC]
Now (finally) the question.
I have not been able to create a rule for the directory recursion.
I want to R=404 any request that has "../.." or "...." in it, but I cannot get it to recognize the string correctly.
I believe that this would improve speed and security.
View 2 Replies
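One caveat before chasing the rule: every line quoted above says "Invalid URI in request", which httpd logs when it rejects the request line with a 400 before mod_rewrite, PHP or MySQL ever see it. Those probes therefore cost almost nothing, and a RewriteRule cannot match them because the URL path it tests is already normalized (a `/../` that survives parsing has been collapsed), which is why a pattern on `../..` never fires. The probes that do reach PHP are the well-formed ones (`/boot.ini`, `/winnt/win.ini`, and so on), and for those the raw request line is available to a `RewriteCond %{THE_REQUEST}` test. To work out and verify the pattern offline, the script below, an added example and not the poster's configuration, classifies request lines pulled from error_log entries; the three log lines in it are constructed in the format the post shows, with a documentation address in place of the masked client.

```python
import re

# Path-traversal shapes (dot-dot with either slash, its URL-encoded form, and the
# long "...." runs some scanners send) versus Windows file probes. The second pattern
# is as broad as the poster's own .(dll|ini|exe|com)$ rule and will also catch URIs
# that merely end in ".com".
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|\.{4,})", re.I)
WIN_PROBE = re.compile(r"(boot\.ini|win\.ini|winnt|\.(?:dll|exe|com|ini)(?:$|\?))", re.I)
REQUEST_LINE = re.compile(r"\[client ([^\]]+)\] .*?\b(GET|POST|HEAD) (\S+) HTTP/")

# Constructed sample: two scanner hits and one ordinary 404 with no request line.
SAMPLE_LOG = """\
[Thu Aug 29 00:35:15 2013] [error] [client 203.0.113.5] Invalid URI in request GET /../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client 203.0.113.5] Invalid URI in request GET ....................windowswin.ini HTTP/1.1
[Thu Aug 29 00:32:27 2013] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
"""

def classify_request(uri: str):
    """Return why a URI is scanner noise, or None for traffic that should reach PHP."""
    if TRAVERSAL.search(uri):
        return "directory traversal"
    if WIN_PROBE.search(uri):
        return "windows file probe"
    return None

def scan_log(text: str) -> list:
    """Extract the request line from each httpd error_log entry and classify it."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        reason = classify_request(m.group(3))
        if reason:
            hits.append({"client": m.group(1), "request": m.group(3), "reason": reason})
    return hits
```

The regexes are PCRE-compatible, so once they match the lines you care about they can be moved into httpd as `RewriteCond %{THE_REQUEST} (\.\./|\.{4,}) [NC]` followed by `RewriteRule .* - [R=404,L]`; mod_rewrite treats a non-3xx `R=` code as a final status for the request.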
May 21, 2009
Having been away from the hosting field for a few years, returning back I notice some hosts are offering IPs with, for instance, personal basic plans. Some are even offering 15 IPs to anyone. And 350GB disk space and 1TB data transfer for $3.95, but that is another question. I wonder how they get butter on the bread with these prices.
As for IPs, how do these companies get their IPs? Are there no more ICANN restrictions?
View 14 Replies
Mar 17, 2008
Are there any restrictions on owning a .co.uk domain if one lives in the USA, or should I have my UK friend register it?
View 6 Replies
Apr 21, 2009
Are there any hosting providers without file number limits? Or with higher limits...
I've been using DreamHost, but found that they have a 500k file number limit. So now I'm using less than 2 gigs of disk and still have 370+ worthless free gigs of disk space.
View 14 Replies
Sep 11, 2008
I'm using old .htm pages that work with PHP, which works on localhost, but upon upload to the Yahoo server I need to upload a revised .htaccess, which Yahoo restricts.
How can I get my .htm pages on Yahoo to work, or read the PHP in them?
Are there other options that will work on Yahoo?
View 4 Replies
Apr 6, 2007
I'm getting a dedicated server and wanted to know what the differences are between the Windows 2003 Web and Standard editions.
I want to run some ActiveX DLLs I have compiled on one of my websites that will be hosted on the dedicated server; can I do this on the Web edition?
View 7 Replies
Oct 4, 2008
Can anyone direct me to a host that allows me to run an IRCd with IRC bots and bouncers?
The webspace should be 5 gigs or over and the bandwidth should be 20 gigs/month or over. Free management (like offered on Web Intellects) would be great as well.
I have a $40-50/month budget.
View 3 Replies
Oct 18, 2013
I'm migrating from Plesk 9.5 to 11 and I'm getting the following on my Transfer Pre-Check from within the Migration Manager: "The destination DNS server does not support networks in the Transfer Restrictions Template, but some subscriptions have networks in DNS transfer restrictions. The records with network IP addresses in the DNS transfer restrictions will not be restored."
I've gone to Server, DNS Settings, Transfer Restriction Template and added the new server's IP to the list of allowed networks to no avail. I also couldn't find any documentation on what the cause might be.
View 1 Replies
Jul 1, 2009
I would like to know how to check load via SSH and check the files causing load.
I want the SSH commands for 2 different sets of control panels, one with cPanel+WHM and the other with Kloxo+HyperVM.
I would also like to know how to check the files causing the load, since some files could have been interrupted while processing, so they could be causing load sometimes, and I want to stop such processes if any are running on the VPS on my friends' accounts.
View 5 Replies
Oct 12, 2009
It has been a long time since I set up named, and I need some help as I'm just not getting it this time around. I'm running named on CentOS under chroot.
IP Space is; 216.201.80.96/28
Gateway is 216.201.80.97
Netmask is 255.255.255.240
Useable IP Space is 216.201.80.100 - 110
named.conf
---
key "rndckey" {
algorithm hmac-md5;
// secret is xx'ed out for this posting
secret "xxxxxxxxxxxxxx";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 216.201.80.101 allow { 216.201.80.101; } keys { "rndckey"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
recursion yes;
allow-recursion {
127.0.0.1;
216.201.80.101;
};
listen-on {
127.0.0.1;
216.201.80.101;
};
query-source address * port 53;
version "REFUSED";
allow-query {
127.0.0.1;
216.201.80.101;
};
};
server 216.201.80.101 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "cheapdatamining.com" IN {
type master;
file "data/cheapdatamining.com.zone";
allow-update { none; };
};
cheapdatamining.com.zone
--------------------------
$TTL 38400
@ IN SOA ns1.cheapdatamining.com. admin.cheapdatamining.com. (
2008090335 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL 1 day
cheapdatamining.com.        IN  NS  ns1.cheapdatamining.com.
cheapdatamining.com.        IN  NS  ns2.cheapdatamining.com.
ns1.cheapdatamining.com.    IN  A   216.201.80.101
ns2.cheapdatamining.com.    IN  A   216.201.80.102
resolv.conf on server.
--------------
search cheapdatamining.com
nameserver 216.201.80.101
nameserver 216.201.80.102
Got the domain sitting at godaddy with ns1 and ns2 pointing to 216.201.80.101/102
Everything looks good as far as I can see; a local nslookup on the loopback is fine, and iptables is good.
View 0 Replies
Jun 27, 2009
Is this the correct setup?
DNS Server 1:
allow-transfer { 127.0.0.1; Server2; };
allow-recursion { 127.0.0.1; Server2; };
recursion no;
DNS Server 2:
allow-transfer { 127.0.0.1; Server1; };
allow-recursion { 127.0.0.1; Server1; };
recursion no;
BOTH hosts file:
order bind,hosts
nospoof on
spoofalert on
multi on
View 2 Replies
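Several of the posts on this page are the same file failing in different ways, so one added example covers them together; the script below is my own code, not csf's check, cPanel's rebuilddnsconfig or BIND's parser, and the sample configs in it are constructed. It parses a named.conf into statements and reports: recursion left on with no `allow-recursion` (the csf warning in the first post; a view bounded by `match-clients` counts as restricted); a brace that is never closed, reported with its line number in the way `named-checkconf` does, which is the state the cPanel-inserted zone left the "unknown option 'e'" file in; a `zone` at top level while `view` statements exist (the "all zones must be in views" rebuild error); and an `allow-query` that excludes `any` in a scope that serves master zones. That last check is the problem in the cheapdatamining.com config above: `allow-query { 127.0.0.1; 216.201.80.101; }` means every resolver on the Internet gets REFUSED for the one zone the server exists to answer, which is why the loopback nslookup works and nothing else does (ns2's 216.201.80.102 is also missing from `listen-on`, so nothing answers on that address at all). For the two-server setup, `recursion no` makes the `allow-recursion` lines dead configuration; that is fine for authoritative-only servers, and `allow-transfer` limited to the peer is right. The `order`/`nospoof`/`multi` lines are /etc/host.conf directives, not a hosts file. Run `named-checkconf /etc/named.conf` as the final word; this is a pre-check on the shapes seen here.

```python
import re
from dataclasses import dataclass

# Comments are dropped, quoted strings kept, and a lone quote flags an unterminated string.
TOKEN_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"\n]*"|[{};]|[^\s{};"]+|"', re.S)
KNOWN_TOP = {"options", "view", "zone", "key", "controls", "acl", "include", "logging", "server",
             "trusted-keys", "managed-keys", "trust-anchors", "masters", "primaries",
             "statistics-channels", "dnssec-policy"}

@dataclass
class Stmt:
    words: list   # e.g. ["recursion", "yes"] or ["zone", "example.com", "IN"]
    block: list   # nested statements inside { ... }; empty for simple settings
    line: int

def tokenize(text):
    out = []
    for m in TOKEN_RE.finditer(text):
        tok, line = m.group(0), text.count("\n", 0, m.start()) + 1
        if tok.startswith(("/*", "//", "#")):
            continue
        if tok == '"':
            raise SyntaxError(f"line {line}: unterminated string")
        out.append((tok.strip('"'), line))
    return out

def parse(text):
    """Build the statement tree; raise SyntaxError with a line number, as named-checkconf does."""
    tokens, pos = tokenize(text), 0

    def block(depth):
        nonlocal pos
        stmts, words, start = [], [], 0
        while pos < len(tokens):
            tok, line = tokens[pos]
            pos += 1
            if tok == "{":
                stmts.append(Stmt(words, block(depth + 1), start or line))
                words = []
            elif tok == "}":
                if depth == 0:
                    raise SyntaxError(f"line {line}: unexpected '}}'")
                if words:
                    raise SyntaxError(f"line {line}: missing ';' before '}}'")
                return stmts
            elif tok == ";":
                if words:
                    stmts.append(Stmt(words, [], start))
                words = []
            else:
                start = line if not words else start
                words.append(tok)
        if depth:
            raise SyntaxError(f"line {tokens[-1][1]}: unexpected end of input")
        return stmts
    return block(0)

def find(stmts, name):
    return [s for s in stmts if s.words and s.words[0] == name]

def setting(stmts, name):
    """Words of a simple setting, or the entries of an ACL-style block; None when unset."""
    for s in find(stmts, name):
        return s.words[1:] if not s.block else [e.words[0] for e in s.block if e.words]
    return None

def audit(text):
    """Report the mistakes from the posts above; an empty list means none were found."""
    try:
        top = parse(text)
    except SyntaxError as e:
        return [f"syntax: {e}"]
    out = []
    for s in top:
        name = s.words[0] if s.words else "{"
        if name not in KNOWN_TOP:
            out.append(f"line {s.line}: unknown statement {name!r}")
    views, opts = find(top, "view"), find(top, "options")
    obl = opts[0].block if opts else []
    for z in (find(top, "zone") if views else []):
        out.append(f"line {z.line}: zone {z.words[1]!r} is outside a view; with views present all zones must be in views")
    scopes = [(f"view {v.words[1]}", v.block, v.block) for v in views] or [("options", obl, top)]
    for label, blk, zone_src in scopes:
        rec = setting(blk, "recursion") or setting(obl, "recursion") or ["yes"]   # BIND default: yes
        acl = setting(blk, "allow-recursion") or setting(obl, "allow-recursion") or setting(blk, "match-clients")
        if rec[0] == "yes" and not acl:
            out.append(f"{label}: recursion on with no allow-recursion (the csf warning); limit it to your own addresses")
        elif rec[0] == "yes" and "any" in acl:
            out.append(f"{label}: recursion is open to any client (open resolver)")
        auth = [z for z in find(zone_src, "zone") if setting(z.block, "type") in (["master"], ["primary"])]
        aq = setting(blk, "allow-query") or setting(obl, "allow-query")
        if auth and aq and "any" not in aq:
            out.append(f"{label}: {len(auth)} authoritative zone(s) but allow-query {{ {'; '.join(aq)}; }} refuses everyone else")
    return out

# Constructed samples, one per mistake class, plus the hardened shape that passes.
ZONE = 'zone "example.com" IN { type master; file "example.com.db"; };\n'
OPEN = 'options { directory "/var/named"; };\n' + ZONE
HARDENED = '''acl "trusted" { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };   // only our own hosts may use the cache
    allow-query { any; };           // authoritative data stays reachable
};
''' + ZONE
ZONE_OUTSIDE_VIEW = 'view "internal" { match-clients { 127.0.0.1; }; recursion yes; };\n' + ZONE
TOO_TIGHT = 'options { allow-recursion { 127.0.0.1; }; allow-query { 127.0.0.1; }; };\n' + ZONE
TRUNCATED = 'options {\n    directory "/var/named";\n' + ZONE
```

`audit(open("/etc/named.conf").read())` prints the findings for a live file; `HARDENED` shows the layout that satisfies both csf and an authoritative server: the cache restricted to an ACL of your own addresses, the zone data open to `any`.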
Jun 10, 2008
I keep getting this error when trying to start named, BIND 9.3.3 installed through yum (CentOS 5 x64).
# service named restart
Stopping named: [FAILED]
Starting named: named: already running [FAILED]
# ls /var/run/named
#
# ls /var/lock/subsys | grep named
#
I even uninstalled BIND, restarted the system, and reinstalled, and it is still giving me the same error.
There aren't any related errors in dmesg/messages and I couldn't find a named-related file in /var/log.
View 4 Replies
Oct 24, 2008
I have installed VMware on my dedicated server to create VPS servers.
Anyway, I installed a VPS with CentOS 5,
then installed cPanel on the VPS.
Afterwards I set the IPs and NS in the Name Server IPs section of cPanel,
then set the NS and IPs in my domain panel.
My NSs can be pinged, but my domain cannot be pinged,
so I can't connect to cPanel.
I also get more email notifications about:
1- Named yourdomain.com failed
2- Native SSL yourdomain.com failed
3- IP Check Problems With DNS Setup on yourdomain.com failed
I think named got damaged,
but I can't repair it.
View 7 Replies
Jun 6, 2008
Since this morning, I am unable to start named/BIND.
_Could_ it be a hardware problem, or does it have to be software-related?
View 2 Replies