The NS triggering the warning is running openSUSE 10.2 and the other one 11.1. Both configuration files /etc/named.conf are equivalent (well, forwarders are different). There is no such warning for the NS with 11.1.
When I add “recursion no;” to the options in /etc/named.conf the warning goes away, but FF or SeaMonkey running on the server no longer get their DNS requests resolved.
Recursion should be no for nameservers that provide authoritative resolution for a domain, and yes for forwarding nameservers. It sounds like you have a nameserver that does both jobs. If so, you should run separate nameservers for the two roles, or if not possible, use the views feature. Not sure what your configuration looks like.
Unless the purpose of the DNS server is to provide full public service (opendns.org for example), your servers should never answer general queries from the general public unless it is a designated public nameserver for particular domains. And then, it should only answer queries related to those domains for which it is specifically designated, e.g. if it’s a designated nameserver for example.com (slave or master) then it should answer the public regarding individual queries about example.com. If a public request asks the same server to resolve any request for which that server is not a designee then it should reply only with a refusal. The only exception is trusted clients, say your home and/or work networks, for which you may well want your DNS servers to give unrestricted full replies.
There are several ways to go about this though I’ll illustrate just the simple ideology that I generally use.
In a default openSUSE /etc/named.conf you’ll find a line that says #allow-query { 127.0.0.1; };
Un-comment that line and replace 127.0.0.1 with your own CIDR-notated IP network(s), separated by ; if you need to specify several networks, as shown below.
allow-query { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
When you do this, you no longer need to set recursion false; (in fact you shouldn’t) because the allow-query above generally restricts queries to only trusted hosts anyway. All other queries will be refused unless…
… you want the same server to answer public queries for specific domains (i.e. your own) then, in their zone definition, just add a line that says
allow-query { any; }; to that specific domain.
Working together, these two simple things allow your DNS server to do full work for your specified networks and refuse all queries from other clients unless they are for those zones that you’ve specifically designated to allow-query from any.
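The two pieces described above, assembled into one /etc/named.conf skeleton as an added example (this is not lccts1’s file or a stock openSUSE file): an acl for the trusted networks, a global allow-query restricted to it, and allow-query { any; } on the zone the server is designated for. It also adds allow-recursion { trusted; }, which the post does not mention; with it the server still does full work for the trusted networks but tells everyone else that recursion is not available, which is what a registrar’s “answers recursive queries” test looks at. The network ranges, the forwarder address, the directory and the zone name are placeholders.

```conf
# /etc/named.conf (added example skeleton, not the poster's configuration)

# Clients that get full service: the server itself (for browsers running
# on the box) plus the LAN. Placeholder ranges; list exactly the networks
# that need full resolution and nothing broader.
acl "trusted" {
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/var/lib/named";          # placeholder, openSUSE default layout

    # Only trusted clients may ask arbitrary questions ...
    allow-query     { trusted; };
    # ... and only they get recursion. "recursion yes;" (the default) stays
    # in effect; everyone outside the acl sees RA cleared / REFUSED instead.
    allow-recursion { trusted; };

    forwarders { 192.0.2.53; };          # placeholder upstream resolver
};

# Zone this server is a designated (master or slave) name server for:
# answer anyone, but only for names inside this zone.
zone "example.com" IN {
    type master;
    file "master/example.com";           # placeholder zone file path
    allow-query { any; };
};
```

After editing, run named-checkconf and reload; a query for example.com from any address is answered, while a query for a name outside your zones from outside the acl is refused.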
Just another note: the procedure suggested by lccts1 works perfectly; however, when I run the nameserver check on the domain registrar’s site, the warning persists. Probably I have to ignore it.
Did you upgrade the nameserver on 10.2 to the most recent version? Since 10.2 is out of support, you would have to compile your own. There was a very serious design vulnerability in all nameservers a while back, and nobody should be running any old versions.
Vodoo, I don’t have a 10.2 box to test this but Ken may be right, there may just be a bug if you’re still “failing” the recursive check.
A thought though… do you know what address the test is running from? Make sure the testing address is not encompassed by the networks you entered in the main allow-query. The sample allow-query I posted is pretty broad, allows all RFC1918 private addresses full query access. It’s possible that’s what you want, or maybe not. At any rate, make sure the main named.conf allow-query is set to only and exactly the networks you actually want to have full query access.
If unsure, run the registrar test and then check your query logs to see what IP address the query/queries came from. If you don’t have logging enabled I can help you set it up because logs really help when troubleshooting.
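Before going back to the registrar’s tool you can run the same kind of test yourself with dig from an address outside the trusted networks. The script below is an added example, not something anyone in the thread posted: it asks the server for a name it is not authoritative for, with the recursion-desired bit set as a resolver would, and classifies the reply from the response header. BIND sets the ra (recursion available) flag only for clients it is willing to recurse for, and a server that will not serve a foreign name to a client answers REFUSED. The sample headers at the top are constructed, so the classifier can be exercised offline; www.example.com is simply assumed to be a name outside your own zones.

```shell
#!/bin/sh
# Added example: does a name server offer recursion to the host running this?
# Usage: ./recursion_check.sh ns.example.net   (run it from OUTSIDE your trusted networks)

# Classify the text of a dig response read on stdin. Prints one of:
#   refused        status REFUSED: foreign names are not served to this client
#   open-recursor  "ra" flag set: the server will recurse for this client
#                  (this is what triggers the registrar's warning)
#   no-recursion   answered without "ra" (e.g. a bare referral): no recursion offered
#   no-response    nothing parseable (timeout, unreachable server)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo no-response
        return 0
    fi
    if [ "$status" = REFUSED ]; then
        echo refused
        return 0
    fi
    for f in $flags; do
        if [ "$f" = ra ]; then
            echo open-recursor
            return 0
        fi
    done
    echo no-recursion
}

# Query a name the server is not authoritative for (www.example.com is an
# assumed placeholder; use any name outside your own zones).
check_server() {
    dig @"$1" +recurse +time=3 +tries=1 www.example.com A | classify_dig_output
}

# Constructed sample headers (not captured from a real server) for offline use.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

classify_sample() {          # classify_sample open|refused|referral
    case "$1" in
        open)     printf '%s\n' "$SAMPLE_OPEN"     | classify_dig_output ;;
        refused)  printf '%s\n' "$SAMPLE_REFUSED"  | classify_dig_output ;;
        referral) printf '%s\n' "$SAMPLE_REFERRAL" | classify_dig_output ;;
    esac
}

if [ -n "$1" ]; then
    check_server "$1"
fi
```

If the result from outside your networks is open-recursor, the client address is inside the global allow-query (or recursion is otherwise permitted for it); check the query log for the address the test came from, as suggested above. A refused or no-recursion result from outside, together with a normal answer from inside the LAN, is the intended state.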
In the meantime I compiled and installed the latest stable bind-9.7.1-P2 on the old server running 10.2 and — oh wonder! — the warning message has gone away. This was obviously an issue with bind.
@ken_yap: Thanks; you were right on the spot with your suggestion.
@lccts1: yes, my logs are enabled and my allow-query{…}; was restricted to the actual private C-net used for the LAN.
>
> I have registered 2 nameservers running bind for a certain domain. The
> log file of my domain name provider (‘SWITCH’ (http://www.switch.ch))
> shows the following warning:
>
>> Warning Der Name-Server ns.xxxxx.ch (nn.nn.nn.nn) beantwortet
>> rekursive Anfragen.
>
> In English that would be:
>
>> Warning: Name-Server ns.xxxxx.ch (nn.nn.nn.nn) answers recursive
>> queries.
>
> The NS triggering the warning is running openSUSE 10.2 and the other
> one 11.1. Both configuration files /etc/named.conf are equivalent
> (well, forwarders are different). There is no such warning for the NS
> with 11.1.
>
> When I add “recursion no;” to the options in /etc/named.conf the
> warning goes away, but FF or SeaMonkey running on the server no longer
> get their DNS requests resolved.
>
> What’s happening here?
You should only allow recursive queries for your own network, not for
everybody.