DNS recursion bugfix doesn't fix anything (and 'unfixes' fixed configs)


breun
1st December 2006, 04:15 PM
The Plesk 8.1.0 release notes (http://download1.swsoft.com/Plesk/Plesk8.1/CentOS4.3/psa-8.1.0-centos4.3.build81061129.22.i586.html) say:

9. DNS recursion bugfix

DNS recursion option allows only localnet recursion by default.

While this is a good thing, I believe the bugfix is pretty buggy, because the upgrade to 8.1.0 put the following in my /etc/named.conf:

allow-recursion {
any;
};

Testing with http://www.kloth.net/services/nslookup.php for instance shows BIND allows recursion. I changed any to 127.0.0.1 and things are fine after restarting named.

Are other people seeing this too? I've done two upgrades to 8.1.0 so far and both boxes had allow-recursion set to any afterwards, even if it was set to 127.0.0.1 before starting the upgrade, so the 'fix' actually 'unfixed' my configuration!

nb__
1st December 2006, 09:29 PM
My Fedora Core 4's named has the correct settings according to the release notes. Your OS, dude?

breun
2nd December 2006, 06:41 AM
CentOS 4 on the first box, Fedora Core 3 on the second. Both ended up with 'allow-recursion { any };' in /etc/named.conf after the upgrade. What is the exact allow-recursion statement that the upgrade put in your config?

ItMan
2nd December 2006, 08:22 AM
For 8.0.1, add all to named.conf


You can fix it manually:

named.conf.include.plesk-options

allow-recursion {
localnets;
};

breun
2nd December 2006, 08:43 AM
I understand I can fix this manually, but I shouldn't have to. And the update to Plesk 8.1.0 should definitely not change my config to allow recursion to any host!

breun
2nd December 2006, 08:51 AM
By the way, BIND would be even more secure if Plesk would set both allow-recursion and allow-query to localnets and all zones would explicitly allow-query to any. See http://archive.cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00170.html for an explanation why (hosts that are not able to use recursion still get answers for cached DNS entries).
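
The two problems discussed in this thread, an allow-recursion list that opens the resolver to everyone, and a global allow-query that (once tightened to localnets) has to be re-opened on every authoritative zone, can be checked mechanically. The script below is an added example, not Plesk's or BIND's code: it scans a named.conf-style text with a small brace scanner that understands only `options` and `zone` blocks, and the two sample configurations are constructed here (one mirroring what the upgrade reportedly wrote, one following the localnets layout proposed above).

```python
"""Audit a BIND named.conf for open recursion and for zones left closed
by a restricted global allow-query.  Constructed example, not Plesk's or
BIND's own code; the parser handles `options` and `zone` blocks only."""
import re

# Constructed sample: the layout the thread reports after the 8.1.0 upgrade.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };
};
zone "example.com" {
    type master;
    file "example.com.db";
};
"""

# Constructed sample: recursion and queries limited to localnets, with each
# authoritative zone explicitly opened to any host.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-recursion { localnets; };
    allow-query { localnets; };
};
zone "." { type hint; file "named.ca"; };
zone "example.com" {
    type master;
    file "example.com.db";
    allow-query { any; };
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out clause is not matched."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        # The header is whatever follows the previous statement's ';'.
        header = text[i:start].rsplit(";", 1)[-1].strip()
        depth = 0
        for j in range(start, len(text)):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
        yield header, text[start + 1:j]
        i = j + 1


def match_list(body, clause):
    """Return the address-match list of `clause { ...; };` in body, or None."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(clause), body)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit(conf):
    """Return a list of findings; empty means the config matches the
    hardened layout (localnets recursion and query, zones opened per zone)."""
    text = strip_comments(conf)
    recursion = query = None
    zones = []
    for header, body in top_level_blocks(text):
        if header == "options":
            recursion = match_list(body, "allow-recursion")
            query = match_list(body, "allow-query")
        elif header.startswith("zone"):
            quoted = re.search(r'"([^"]*)"', header)
            name = quoted.group(1) if quoted else header.split()[1]
            ztype = re.search(r"\btype\s+(\w+)", body)
            zones.append((name, ztype.group(1) if ztype else "",
                          match_list(body, "allow-query")))

    findings = []
    if recursion is None:
        findings.append("allow-recursion unset: BIND's compiled-in default applies")
    elif "any" in recursion:
        findings.append("open recursion: allow-recursion { any; } serves every host")

    if query is None:
        findings.append("allow-query unset: cached answers are served to any host")
    elif "any" in query:
        findings.append("allow-query { any; } exposes cached answers to any host")
    else:
        # Global queries are restricted, so each authoritative zone must
        # re-open them or the public stops getting answers for that zone.
        for name, ztype, zquery in zones:
            if ztype in ("master", "slave") and (zquery is None or "any" not in zquery):
                findings.append('zone "%s" lacks allow-query { any; } under a '
                                "restricted global allow-query" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

On a Plesk box the allow-recursion clause may live in an included file such as named.conf.include.plesk-options rather than in /etc/named.conf itself, so concatenate the main file with its includes before passing the text to `audit()`. The "allow-recursion unset" finding is deliberately neutral because the built-in default depends on the BIND version; the external lookup test mentioned earlier in the thread remains the check that matters.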

ItMan
2nd December 2006, 09:56 AM
Originally posted by breun
I understand I can fix this manually, but I shouldn't have to. And the update to Plesk 8.1.0 should definitely not change my config to allow recursion to any host!
It is not critical, just worse than:

listen-on {127.0.0.1;}

breun
2nd December 2006, 10:13 AM
What do you mean exactly? I don't have listen-on { 127.0.0.1; } in my named.conf.

ItMan
2nd December 2006, 10:20 AM
After the update I have:
* recursion fixed
* but a fixed listen-on, so that bind didn't work at all.

sorry for my bad English =(