  #2  
Old 26th January 2007, 14:08
martinfst martinfst is offline
Senior Member
 
Join Date: Dec 2006
Location: Hilversum, The Netherlands
Posts: 880
Thanks: 1
Thanked 18 Times in 17 Posts

I just found another "issue", which I modified on my systems. The named.conf template does not contain an include directive for the named.conf.options file, so I modified /root/ispconfig/isp/conf/named.conf.master as below:
Code:
options {
        pid-file "/var/run/bind/run/named.pid";
        directory "{BINDDIR}";
        auth-nxdomain no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        include "/etc/bind/named.conf.options";
};

//
// a caching only nameserver config
//
zone "." {
        type hint;
......
<rest of unchanged file>
I also modified the bind.conf.options file to read:
Code:
        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        //  I have put here the IP's of my upstream ISP dns servers,
        // };
        forwarders {
                nn.nn.nn.nn;
                nn.nn.nn.nn;
        };

        // auth-nxdomain no;    # conform to RFC1035

        // By default, name servers should only perform recursive domain
        // lookups for their direct clients.  If recursion is left open
        // to the entire Internet, your name server could be used to
        // perform distributed denial of service attacks against other
        // innocent computers.  For more information on DDoS recursion:
        // http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0987

        allow-recursion { localnets; };

        // If you have DNS clients on other subnets outside of your
        // server's "localnets", you can explicitly add their networks
        // without opening up your server to the Internet at large:
        // allow-recursion { localnets; 192.168.0.0/24; };

        // If your name server is only listening on 127.0.0.1, consider:
        // allow-recursion { 127.0.0.1; };
I had to strip a bit here, because by default the bind.conf.options file starts with
Code:
options {
at the beginning, but that failed of course. You cannot have the options directive twice. I realize these modifications are Linux distribution specific and I didn't investigate a more generic solution. Sorry, but this works short term for me and maybe this post helps others somewhere sometime.

The way I've done it now, my master domain passes all dnsstuff.com tests.
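The two things the post runs into, an `options` block ending up declared twice once the body-only file is included, and the need to keep `allow-recursion` tight so the server is not an open resolver, can be checked before restarting BIND. The script below is an added example, not code from the post or from ISPConfig: a minimal parser for BIND's configuration syntax that splices `include` directives in at whatever nesting level they appear (which is how BIND treats them) and then reports duplicate `options` blocks and open recursion. The file paths and addresses it uses are constructed sample data held in memory, so it runs offline; point `parse()` at real files by replacing the dictionary with `open()` calls.

```python
"""Static checks for a BIND named.conf and the files it includes.

Added example (not from the forum post or from ISPConfig): a minimal parser
for BIND's configuration syntax that follows `include` directives at any
nesting level, then flags the two problems discussed in the post: an
`options` block declared twice, and recursion left open to the Internet.
All sample files are constructed inline so the script runs offline.
"""
import re

# Constructed stand-in for the filesystem: path -> file contents.
GOOD_FILES = {
    "/etc/bind/named.conf": """
options {
        directory "/var/cache/bind";
        include "/etc/bind/named.conf.options";
};
zone "." { type hint; file "/etc/bind/db.root"; };
""",
    # Body-only file: no enclosing `options { };`, as the post describes.
    "/etc/bind/named.conf.options": """
        forwarders { 192.0.2.1; 192.0.2.2; };   // documentation addresses
        allow-recursion { localnets; };
""",
}

# Same layout, but the options file still carries its own `options {` wrapper,
# which is the mistake the post reports BIND rejecting.
BROKEN_FILES = dict(GOOD_FILES)
BROKEN_FILES["/etc/bind/named.conf.options"] = """
options {
        forwarders { 192.0.2.1; };
        allow-recursion { localnets; };
};
"""

TOKEN_RE = re.compile(
    r'/\*.*?\*/|//[^\n]*|#[^\n]*'   # the three BIND comment styles
    r'|"[^"]*"'                      # quoted string
    r'|[{};]'                        # structural tokens
    r'|[^\s{};"]+',                  # bare word
    re.S,
)


def tokenize(text):
    """Yield tokens with comments removed."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not tok.startswith(("/*", "//", "#")):
            yield tok


def parse(path, files, _chain=()):
    """Parse files[path] into a list of statements (words, children), where
    children is None for a plain statement or a list for a `{ ... }` block.
    An `include "f";` statement is replaced by the statements of f."""
    if path in _chain:
        raise ValueError("include loop through %s" % path)
    tokens = list(tokenize(files[path]))
    pos = 0

    def block():
        nonlocal pos
        stmts, words, children = [], [], None
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":
                children = block()
            elif tok == ";":
                if words[:1] == ["include"] and len(words) == 2:
                    stmts.extend(parse(words[1].strip('"'), files, _chain + (path,)))
                else:
                    stmts.append((words, children))
                words, children = [], None
            else:
                words.append(tok)
        return stmts

    return block()


def walk(stmts):
    """Depth-first traversal of every statement in the parse tree."""
    for words, children in stmts:
        yield words, children
        if children:
            yield from walk(children)


def check(path, files):
    """Return a list of findings for the config rooted at path (empty = clean)."""
    tree = parse(path, files)
    option_blocks = [c for w, c in walk(tree) if w == ["options"] and c is not None]
    if len(option_blocks) != 1:
        # BIND refuses a redefined `options`; nothing else is worth reporting.
        return ["options declared %d times; BIND accepts exactly one" % len(option_blocks)]
    recursion_on, allow = True, None
    for words, children in option_blocks[0]:
        if words[:1] == ["recursion"]:
            recursion_on = words[1:] != ["no"]
        elif words[:1] == ["allow-recursion"] and children is not None:
            allow = [w[0] for w, _ in children if w]
    findings = []
    if recursion_on and allow is None:
        findings.append("allow-recursion not set: BIND releases of this era answer "
                        "recursive queries from anyone by default (see CVE-2006-0987)")
    elif recursion_on and "any" in allow:
        findings.append("allow-recursion { any; } leaves recursion open to the Internet")
    return findings


if __name__ == "__main__":
    for name, files in (("good", GOOD_FILES), ("broken", BROKEN_FILES)):
        print(name, check("/etc/bind/named.conf", files) or ["ok"])
```

Running the script prints `good ['ok']` and then the duplicate-`options` finding for the broken layout. The parser deliberately stops after a duplicate `options` because BIND itself will not load such a file, so any further findings would be noise.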