DNS recursion impact sendmail

trueno_ray · 12-15-2010, 08:06 PM

Dear All,

I have a server provided dns and sendmail service, dns keeping record for my public servers. I don't want my server to be open dns server,
so I just add recursion and forwarders option to named.conf, like:
allow-recursion {192.168.x.x/24; 123.123.x.x/28; 127.0.0.0/8;};
forwarders {publicDNSipA; publicDNSipB;};

After restart named, all sendmail user can't mail to other internet account (like xxxxx@gmail.com); but local account is ok

version:
sendmail - 8.9.3
bind - 8.2.3

Is there any problem on my config?

Thanks your help

bathory · 12-16-2010, 12:40 AM

Hi,

Quote:

After restart named, all sendmail user can't mail to other internet account

You should give more details, like what's logged in /var/log/maillog, or what gives:

Code:

dig mx gmail.com

Anyway, use 127.0.0.1 instead of 127.0.0.0/8, as both bind and sendmail running on the same box, and see if it works.

Quote:

version:
sendmail - 8.9.3
bind - 8.2.3

You're running very old versions of both programs. Consider upgrading for security reasons.

Regards

trueno_ray · 12-16-2010, 01:02 AM

Thanks bathory,

I just find out after config recursion and forwarders to named, everything work fine, but after about 1 hour named and smtp server response time is very long, 2 hour later, I can't send mail to internet mail accout as I said, it seems response time out.

In /var/log/message, every second i get too many "denied recursion query" from a range of internet IP

bathory · 12-16-2010, 02:29 AM

Hi,

It looks like your name server suffer from some kind of DDOS. You should setup your firewall to block incoming traffic to port 53 udp/tcp at least for these hosts.
And once again consider upgrading.

Regadrs