Thread: DNS problem
#14
Old 19th July 2010, 01:56
matty
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts

Quote:
Originally Posted by veuster
After I read this thread, you suggested changing the parameter in named.conf.
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is:
Is it OK to make this change? I mean, is it secure or anything?
Yes, it's fine for a server that needs zones to be publicly accessible.

It's important to understand a couple of concepts about name servers. When you host a zone, the name server becomes an authoritative name server. That is, your name servers are the only ones in the world that can answer queries authoritatively (meaning it has the exact, non-cached answer) for that zone. Because we're running ISPConfig, we probably want everyone in the world to be able to ask our nameservers about the zones we host, so that they can see the sites and services we host. To enable that, we need to set bind to allow queries from any(where).

allow-query { any; };

The other main function of name servers is to do the work of querying other name servers that host other people's zones, so that we can connect to their sites and services. This is a function known as recursion. That is, we ask our name server to find out the address of a site, and it then goes and makes multiple queries until it obtains an answer (or fails) and then passes that answer back to your computer. It's best practice to only allow your name server to perform recursive lookups for computers you control or trust, and not allow everybody on the 'net to use your name server in that way. So you tell bind who is allowed to do recursion. In this example, use your own networks, and don't forget to allow localhost so the nameserver can access its own service. An ISP would probably allow the IP ranges of its user base.

allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };

The other parameter I mentioned, listen-on, tells bind to only answer queries it receives on the specified network interfaces. If it is left as localhost/127.0.0.1, it will ignore queries from anywhere but itself.

listen-on { any; };

Advanced users may have a need to do things a little differently to the examples above, but these will suit 99% of us that use ISPConfig to host publicly accessible DNS zones and web/email servers.

Quote:
Because I followed the perfect server guide and the guide says nothing about this. The guide just puts localhost or 127.0.0.1 in the parameter.
There are quite a few perfect server guides. I'm sure falko and till would appreciate feedback that could be used to improve them. Could you point out which one you used?
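As an added example (not part of matty's post, and not code from ISPConfig or BIND), here is a small Python checker that pulls the three statements discussed above out of a named.conf options block and reports the case the post warns against: recursion offered to anyone on a publicly reachable interface (an open resolver). The three sample configurations are constructed from the values in the post; the parser is deliberately minimal and is an assumption of this example (it does not model BIND's defaults for missing statements, views, or user-defined acl names).

```python
"""Check allow-query / allow-recursion / listen-on in a named.conf options block.

Added example, not from the original forum post. It classifies a BIND
configuration as: authoritative-for-everyone (fine for public zones),
open resolver (recursion for everyone, the thing to avoid), or
loopback-only (what the guide's listen-on 127.0.0.1 produces).
"""
import re
from ipaddress import ip_network

# Constructed sample using the values from the post: public zones,
# recursion restricted to local networks, listening on all interfaces.
SAMPLE_OPTIONS = """
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };
    listen-on { any; };
};
"""

# Constructed variant: recursion opened to the whole Internet.
OPEN_RESOLVER_OPTIONS = """
options {
    allow-query { any; };
    allow-recursion { any; };
    listen-on { any; };
};
"""

# Constructed variant: what the post says the guide leaves in place.
LOCALHOST_ONLY_OPTIONS = """
options {
    listen-on { 127.0.0.1; };
    allow-query { localhost; };
};
"""

STATEMENTS = ("allow-query", "allow-recursion", "listen-on")
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def parse_acl_statements(conf: str) -> dict:
    """Return {statement: [entries]} for the statements present in conf.

    Statements that are absent are simply not in the result; BIND's
    defaults for them are not modelled here (assumption of the example).
    """
    found = {}
    for name in STATEMENTS:
        # \b...\s*\{ keeps 'allow-query' from matching 'allow-query-cache'.
        m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", conf)
        if m:
            found[name] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return found


def entry_kind(entry: str) -> str:
    """Classify one address-match-list entry: builtin ACL, network, or a name."""
    if entry.startswith("!"):
        entry = entry[1:].strip()
    if entry in BUILTIN_ACLS:
        return "builtin"
    try:
        ip_network(entry, strict=False)
        return "network"
    except ValueError:
        return "named"  # would have to be defined with an acl statement


def is_loopback(entry: str) -> bool:
    """True for 127.0.0.0/8 and ::1 style entries only.

    The 'localhost' ACL matches every address of the machine, not just
    loopback, so it is deliberately not treated as loopback-only here.
    """
    try:
        return ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False


def is_open_resolver(stmts: dict) -> bool:
    """Recursion for 'any' while the server is reachable from outside.

    A missing listen-on is treated as listening on all interfaces.
    """
    if "any" not in stmts.get("allow-recursion", []):
        return False
    listen = stmts.get("listen-on") or ["any"]
    return not all(is_loopback(e) for e in listen)


def assess(conf: str) -> dict:
    """Parse conf and return the statements plus a list of findings."""
    stmts = parse_acl_statements(conf)
    findings = []
    if "any" in stmts.get("allow-query", []):
        findings.append("authoritative answers served to everyone (expected for public zones)")
    if is_open_resolver(stmts):
        findings.append("OPEN RESOLVER: allow-recursion { any; } on a reachable interface")
    listen = stmts.get("listen-on")
    if listen and all(is_loopback(e) for e in listen):
        findings.append("listen-on is loopback only: no outside host can reach this server")
    for name, entries in stmts.items():
        for e in entries:
            if entry_kind(e) == "named":
                findings.append(f"{name}: '{e}' is neither a builtin ACL nor a network; check it is defined with acl")
    return {"statements": stmts, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("post", SAMPLE_OPTIONS), ("open", OPEN_RESOLVER_OPTIONS),
                        ("guide", LOCALHOST_ONLY_OPTIONS)):
        print(label, assess(conf)["findings"])
```

Run it as-is to see the three constructed configurations classified; to check your own server, paste the options block of your named.conf into `assess()`. The useful signal is the "OPEN RESOLVER" finding: allow-query { any; } is what a public authoritative server needs, but allow-recursion should list only your own networks and localhost, as in the post.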