LinuxQuestions.org > Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-06-2006, 02:24 AM | #1
Member | Registered: Nov 2003 | Location: Honolulu/HI | Distribution: Slackware current, FreeBSD 4.10, 5.4, 6.2, Debian, RedHat, CentOS, Sun Cobalt OS | Posts: 66
dnsstuff.com reports Open DNS server?
I've just set up my new DNS on two DELL Optiplex GX110 running Slackware 10.2 - current. I've transferred all my /var/named stuff into the new boxes and everything ran out of the box except one thing. When I go to dnsstuff.com I get the following:
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 205.x.x.x reports that it will do recursive lookups. [test]
Server 205.x.x.x reports that it will do recursive lookups. [test]
Any input will be greatly appreciated.
Thanks
03-07-2006, 01:40 AM | #2
Member (Original Poster) | Registered: Nov 2003 | Location: Honolulu/HI | Distribution: Slackware current, FreeBSD 4.10, 5.4, 6.2, Debian, RedHat, CentOS, Sun Cobalt OS | Posts: 66
I've fixed it and for now it seems like everything is running and stable. I've read a lot of stuff about recursion and it seems like in the general case it's better to disable it. So what I did was add the following to my named.conf (it's just the "recursion no;" switch):
// BIND9 configuration file
// automatically generated Tue Feb 21 15:49:26 2006
//
// Do not edit this file by hand. Your changes will be lost the
// next time this file is automatically re-generated.
options {
    directory "/etc/named";
    // spoof version for a little more security via obscurity
    version "100.100.100";
    // no forwarders defined
    allow-transfer { 205.x.x.x; 205.x.x.x; };
    // recursion disabled: the server only answers for zones it is authoritative for
    recursion no;
};
If anyone considers this setup as being wrong, please let me know why/why not. Thanks.
03-07-2006, 07:11 AM | #3
Moderator | Registered: May 2001 | Posts: 29,415
First of all, do you really need BIND?
Pdnsd should do perfectly fine for a caching-only NS...
I've read a lot of stuff about recursion and it seems like in the general case it's better to disable it.
"recursion no" will deny anyone access to recursion functionality and if you want that for a reason that's fine.
If you would like to allow recursion from, say, your LAN clients, you could add an ACL for those IPs and then add an "allow-recursion" directive in the "options" container.
If this is an authoritative NS then you might want to look at some docs on securing DNS just in case you missed something:
Secure BIND Template Version 5.1 05 JAN 2006: http://www.cymru.com/Documents/secur...-template.html
Securing an Internet Name Server: http://www.securiteam.com/securitynews/5VP0N0U5FU.html
DNS Security and Vulnerabilities: http://www.l0t3k.org/security/docs/dns/
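To verify what the recursion setting actually looks like from a client outside the allow-recursion ACL, here is an added example (not from this thread, and not part of BIND or dnsstuff.com): it sends a query with the RD bit set and reports whether the reply carries the RA flag, which is the signal the "open DNS server" test above keys on. The probe() function, the example.com query name and the header-only sample replies are assumptions, constructed for offline use.

```python
# Added example (not from this thread): send a DNS query with RD set and
# check whether the reply carries RA, i.e. whether the server offers
# recursion to the asking client. Run it against a server you operate.
import socket
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query; flags 0x0100 sets RD (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_flags(reply: bytes) -> dict:
    """Decode the header flags word of a DNS reply."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # reply, not a query
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # RD echoed back
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": flags & 0x000F,      # 5 == REFUSED
    }

def advertises_recursion(reply: bytes) -> bool:
    """True when the server tells this client it will recurse for it."""
    f = parse_flags(reply)
    return f["qr"] and f["ra"]

def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one UDP query to server:53 and report the RA flag (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        reply, _ = s.recvfrom(512)
    if parse_flags(reply)["id"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return advertises_recursion(reply)

# Constructed header-only replies for offline use (no answer section):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)     # QR RD RA
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD REFUSED
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)     # QR AA, no RA

if __name__ == "__main__":
    import sys
    print("recursion advertised:", probe(sys.argv[1]))
```

With "recursion no;" a query for a name the server is not authoritative for should come back REFUSED with RA clear, while a query for one of its own zones answers with AA set and RA clear; RA set on a reply to an Internet client is what makes the server "open".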
03-08-2006, 01:26 AM | #4
Member (Original Poster) | Registered: Nov 2003 | Location: Honolulu/HI | Distribution: Slackware current, FreeBSD 4.10, 5.4, 6.2, Debian, RedHat, CentOS, Sun Cobalt OS | Posts: 66
The truth of it is that I've "upgraded" from two SUN Cobalt RAQ550s to the two Optiplexes with Slackware 10.2 - current, since upgrading all the packages was always a big problem for me and not worth spending the time on anymore. To be quite honest this is my first DNS setup and I did not know quite what I was doing. It was as simple as transferring the content from /var/named to the new boxes with some minor modifications of named.conf. Then I set up the new Shorewall on both; I thought that would be enough, but now when I look at dnsstuff.com I see tests that fail with no explanation from my side, since I'm not that DNS setup savvy. I've removed the recursion switch from the cabinet since it stopped resolving from the internal network to the outside Internet, which was expected. Thanks so much for the manuals; the templates are quite helpful. I'm thinking of rewriting the whole named.conf and zones if I have to. I'm just trying to make it as simple as possible, since the person who will "administrate" it will use, and knows how to use, Webmin only. That's it for now.
laterz