How To Fix Open Nameservers

Toby|ABN · May 17th, 2007, 1:24 PM

For those of you who check your nameservers and other DNS related issues using the popular site dnsreport you're probably seeing Fail Open DNS Servers. Here I will show you have to fixed named to close open dns servers.

How do I check my system?
Go to www.dnsreport.com and enter your domain name, eg surpasshosting.com

You’re safe if you see:
PASS Open DNS servers

You need to follow this tutorial if you see:
FAIL Open DNS servers

Closing Open DNS Servers Tutorial

1) Login to your server and su to root.

2) Edit the /etc/named.conf file such as:# vi /etc/named.conf

Look for:
key "rndckey" {
};

After this add the following, replacing mainIP and secondaryIP with your systems nameservers.
acl "trusted" {
mainIP;secondaryIP;127.0.0.1;
};

3) After that’s done you want to add the section that says only the trusted is allowed for certain functions. Check your options area and make sure you add the following:
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

So the final result looks something like:
options {
directory "/var/named";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

4) Save the changes and restart the named service: service named restart

5) Recheck your site at dnsreport.com All should now be fixed!

mgk · May 17th, 2007, 1:26 PM

Obviously as a shared or reseller customer that would need to be done by surpass rather than yourself

Toby|ABN · May 17th, 2007, 1:37 PM

that is why its in the "dedicated server" forum

mgk · May 17th, 2007, 1:43 PM

grin - I just read everything .... That aside. I wish surpass would do that on all servers anyhow

Toby|ABN · May 17th, 2007, 1:48 PM

It took about 5min to do on my server, 5*how many servers surpass have is probably quite a while actually... I'm not sure what the benefits are of closing them but one of my clients was making a big fuss about it so I had to get it sorted!

mgk · May 17th, 2007, 1:58 PM

not an urgent matter - but it just gives a good impression.

**Skipdawg** · May 18th, 2007, 1:12 PM

Quote:

Originally Posted by mgk

Obviously as a shared or reseller customer that would need to be done by surpass rather than yourself

Yea agree. Never have understood why that have their default set that way.

Toby|ABN · May 18th, 2007, 1:35 PM

It is rather weird that they do acutally, considering the fuss that some people make about it!

May 17th, 2007, 1:24 PM	#1 (permalink)
Toby\|ABN Registered User Seasoned Poster Joined in May 2007 Lives in Reading, UK Hosted on reheat.abndns.net (dedi) 32 posts Gave thanks: 1 Thanked 1 Time in 1 Post	How To Fix Open Nameservers For those of you who check your nameservers and other DNS related issues using the popular site dnsreport you're probably seeing Fail Open DNS Servers. Here I will show you have to fixed named to close open dns servers. How do I check my system? Go to www.dnsreport.com and enter your domain name, eg surpasshosting.com You’re safe if you see: PASS Open DNS servers You need to follow this tutorial if you see: FAIL Open DNS servers Closing Open DNS Servers Tutorial 1) Login to your server and su to root. 2) Edit the /etc/named.conf file such as:# vi /etc/named.conf Look for: key "rndckey" { }; After this add the following, replacing mainIP and secondaryIP with your systems nameservers. acl "trusted" { mainIP;secondaryIP;127.0.0.1; }; 3) After that’s done you want to add the section that says only the trusted is allowed for certain functions. Check your options area and make sure you add the following: allow-recursion { trusted; }; allow-notify { trusted; }; allow-transfer { trusted; }; So the final result looks something like: options { directory "/var/named"; allow-recursion { trusted; }; allow-notify { trusted; }; allow-transfer { trusted; }; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. / // query-source address port 53; }; 4) Save the changes and restart the named service: service named restart 5) Recheck your site at dnsreport.com All should now be fixed! __________________

May 17th, 2007, 1:26 PM	#2 (permalink)
mgk Registered User Excelling Contributor Joined in Mar 2007 Lives in Wales Hosted on dime999 620 posts Gave thanks: 47 Thanked 46 times	Obviously as a shared or reseller customer that would need to be done by surpass rather than yourself __________________ Markus

May 17th, 2007, 1:37 PM	#3 (permalink)
Toby\|ABN Registered User Seasoned Poster Joined in May 2007 Lives in Reading, UK Hosted on reheat.abndns.net (dedi) 32 posts Gave thanks: 1 Thanked 1 Time in 1 Post	that is why its in the "dedicated server" forum __________________

May 17th, 2007, 1:43 PM	#4 (permalink)
mgk Registered User Excelling Contributor Joined in Mar 2007 Lives in Wales Hosted on dime999 620 posts Gave thanks: 47 Thanked 46 times	grin - I just read everything .... That aside. I wish surpass would do that on all servers anyhow __________________ Markus

May 17th, 2007, 1:48 PM	#5 (permalink)
Toby\|ABN Registered User Seasoned Poster Joined in May 2007 Lives in Reading, UK Hosted on reheat.abndns.net (dedi) 32 posts Gave thanks: 1 Thanked 1 Time in 1 Post	It took about 5min to do on my server, 5*how many servers surpass have is probably quite a while actually... I'm not sure what the benefits are of closing them but one of my clients was making a big fuss about it so I had to get it sorted! __________________

May 17th, 2007, 1:58 PM	#6 (permalink)
mgk Registered User Excelling Contributor Joined in Mar 2007 Lives in Wales Hosted on dime999 620 posts Gave thanks: 47 Thanked 46 times	not an urgent matter - but it just gives a good impression. __________________ Markus

May 18th, 2007, 1:35 PM	#8 (permalink)
Toby\|ABN Registered User Seasoned Poster Joined in May 2007 Lives in Reading, UK Hosted on reheat.abndns.net (dedi) 32 posts Gave thanks: 1 Thanked 1 Time in 1 Post	It is rather weird that they do acutally, considering the fuss that some people make about it! __________________

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search