Published by justin on March 16, 2006 in HOWTOs and Linux
This howto is meant to be a quick fix for those moving from one server to two, or for those with two servers who want to disable recursion. It only works if at least one of your nameservers already answers authoritatively for each zone. I believe it should work for those with more than two servers as long as one of the nameservers listed for any given domain does answer authoritatively, but if you have more than two servers you should probably look at setting up your dns properly rather than using the quick fix shown here.
This howto will show how to use forwarding in bind so that both your dns servers can answer for your own zones that live on other servers of yours, without being open dns relays; that is, they will not recursively answer queries for any domains other than those set up on one of your servers.
Dns recursion-based ddos attacks have become more common, but many small one- or two-server hosts don’t want to disable recursion on their nameservers: they want their nameservers to be able to answer queries for domains on any of their servers, and the time needed to set up their dns system “properly” isn’t available (and possibly the risk of downtime if it were set up wrong is too great). This simple howto should help in those situations.
Note that this howto isn’t a good guide for proper dns, as you will end up with “lame” nameservers: nameservers that are listed as authoritative for the domain but don’t answer authoritatively.
Important note: Please be sure to backup all files before editing them. This is important in case things stop working, so you can quickly restore and be back working again.
Important note: If your /etc/resolv.conf only contains “nameserver 127.0.0.1”, you will definitely want to change it to include some other open (recursive-answering) nameserver. If you don’t, any attempt to resolve domains besides those on your servers, whether by sites on your servers, by you at the command line, etc., will fail.
Let’s imagine you have two servers hosting websites and you give your clients two nameservers to use for their domains, ns1.yourcompany.com and ns2.yourcompany.com. You want both of these nameservers to be able to answer requests for domains on either of your servers (that is, the server the nameserver is on and the other one). Both of the webservers are running a dns server that answers queries for the domains on that server (for example, they are both plesk servers with the dns server left on and nothing else special about them).
10.10.10.1 - ns1.yourcompany.com (and also web server #1, www1.yourcompany.com)
10.10.10.2 - ns2.yourcompany.com (and also web server #2, www2.yourcompany.com)
To make sure both of your nameservers can answer queries for the domains on both servers but not for any other domains, you will set up bind on each server to forward requests to the other server only.
Here is what I’ll add to the options section of named.conf on each server (located at /etc/named.conf, or in plesk’s case at /var/named/run-root/etc/named.conf). The IP address listed is the IP address of the other server, so below is what is added to named.conf on 10.10.10.1. The allow-recursion block denies recursion to the other server, so queries it forwards to you are answered only from the zones you hold, and requests for outside domains fail rather than being looked up.
forward only;
forwarders {
    10.10.10.2;
};
allow-recursion {
    !10.10.10.2;
    any;
};
You may optionally want to add this to your named.conf files as well (adjust as needed), since for any given domain your non-authoritative nameserver will not be getting updates as a proper slave nameserver would:
max-cache-ttl 7200;
max-ncache-ttl 360;
And that’s all you have to do on both servers. After editing named.conf on a server, restart bind with:
[justin@localhost ~]$ service named restart
and test it to make sure you haven’t messed it up and that you don’t have failing dns for live sites and angry hosting clients.
Once you have done that for each server, you will be able to query either nameserver for a domain on either server and get a proper answer. Note that your answer won’t be authoritative when you query the server that the domain doesn’t actually exist on. This will cause red flags when checking the domain with www.dnsreport.com, for example. But, AFAIK, nothing bad happens besides that.
Note that your nameservers will still report that they are open DNS servers, but they aren’t really.
And, of course, just to disclaim again: this is not a proper way to set up your dns. If you have the time and know-how, you will instead want to set up your dns properly, where one of your nameservers is the master for any given zone and the other has the zone defined as a slave and gets its updates from the master. But this can be a hassle for small hosts who don’t really need a perfect solution, just a working one. Using plesk, one can either buy extra products (like plesk expand) or script a solution of your own. Scripting the solution adds a fair bit of hassle and uncertainty if it is to be bulletproof. For example, the biggest risk is probably that if a domain your script had set up as a slave in the bind configuration was later created on that same server for some reason, named may refuse to start because the zone would be defined twice. You could solve this by having your script also create the domain in plesk, with dns disabled, whenever it sets it up as a slave on that nameserver, but that would be annoying for its own reasons, in addition to using up a lot of extra domains on your plesk license, which is an issue for those without unlimited domain licenses.
Also, if you want to test your nameservers yourself (rather than using sites like dnsstuff.com), you can use dig or host, e.g.:
[justin@localhost ~]$ dig @ns1.yourcompany.com somedomain.com a
or
[justin@localhost ~]$ host somedomain.com ns1.yourcompany.com
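The dig and host checks above can be scripted; the following is an added example and is not part of the original howto. It speaks DNS directly with Python’s standard library and classifies each reply by the header bits that matter for this setup: an authoritative answer for a zone on the queried server, a forwarded non-authoritative answer for a zone on the other server, and a failure for anything else. The server address and domain names in the main block are constructed placeholders.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query with the RD (recursion desired) bit set; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Pull the flags that show how the server handled the query out of a reply."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available, as advertised by the server
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }

def classify(h):
    """Map header fields to the three outcomes the forwarding setup should produce."""
    if h["aa"]:
        return "authoritative: the zone lives on this server"
    if h["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "non-authoritative: answer forwarded from the other server"
    if h["rcode"] in ("REFUSED", "SERVFAIL"):
        return "not served: foreign domain, recursion correctly unavailable"
    return "unexpected reply: %r" % h

def query(server, name, timeout=3.0):
    """Send one UDP query to `server` on port 53 and return its parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)

if __name__ == "__main__":
    # Constructed placeholders: a domain hosted on ns1, one hosted on ns2, an outside domain.
    for name in ("hosted-on-ns1.example", "hosted-on-ns2.example", "example.org"):
        print("%-24s %s" % (name, classify(query("10.10.10.1", name))))
```

Run it against each nameserver in turn; the outside domain should come back as “not served” from both, and each hosted domain as authoritative from exactly one of them.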