  1. #1
    Join Date
    May 2006
    Posts
    31

    DNS Setting help/advice.

    hello,

    Hello,

    I need some advice on my VPS DNS settings/entries. I just used dnsstuff.com to test my DNS records and problems for my VPS box, and noticed that there are some Warn & Fail results on my VPS. I hope I can get some advice on what I can do to fix them or enhance the security, as my VPS service is a self-managed VPS.

    System : VPS
    Control : WHM/Cpanel 10



    NS Setting
    --------------

    1) Fail - Open DNS Server
    How can I fix this setting or close this Open DNS Server?

    2) Warn - Nameservers on separate Class C's & Fail - Single Point Of Failure
    Is this error common? As I check most of the domains I know, it seems like this is very common, as most nameservers point to the same server.


    SOA Setting
    -----------------
    3) SOA refresh value, SOA Retry value, SOA Expire value & SOA Min TTL Value
    All these values seem to be too high. I tried to access my WHM via the root account and change the values under Edit DNS Zone, but after 24 hrs of waiting nothing seems to be updated. I did this with one of my personal domains, so as not to screw up my main VPS settings.

    Do I also have to edit the A, MX, NS, CNAME data as well?



    Mail Setting
    --------------
    4) Warn - Mail server host name in greeting
    What does this do? My mail server seems to be working fine.
    How can I fix this?

    5) SPF record, is it a must or important to set this?
    Most of the sites I check all keep it at the default.

    6) Acceptance of postmaster address & Acceptance of abuse address.
    Are these necessary? Or not a must if these mailboxes are not set up/created for my mail?
    - How can I find this postmaster? In the cPanel mail settings?
    - Abuse address? In the cPanel mail settings too?




    Thanks
    Feng
    Last edited by FengYun; 09-15-2006 at 12:52 AM.

  2. #2
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    Code:
    1) Fail - Open DNS Server
    How can I fix this setting or close this Open DNS Server?
    To fix this, log in to the shell as root and then edit the named.conf file:
    Code:
    nano /etc/named.conf
    Now inside the "options {" add the following:
    Code:
    recursion no;
    This will stop the open DNS server and recursion both.

    To fix the second warn problem you need to move one of your DNS servers to another server with a different hostname. As both of your DNS servers currently give the same server hostname results, it is giving you a warn.

    3) SOA refresh value, SOA Retry value, SOA Expire value & SOA Min TTL Value
    All these values seem to be too high. I tried to access my WHM via the root account and change the values under Edit DNS Zone, but after 24 hrs of waiting nothing seems to be updated. I did this with one of my personal domains, so as not to screw up my main VPS settings.

    Do I also have to edit the A, MX, NS, CNAME data as well?
    You need to change the values as they are asking for. You can see the DNS report; there they will advise some values. Just change the corresponding values to them while editing the zone file. It wouldn't take 24 hours; it should take at most 5 minutes to load. But keep in mind that after you change the zone file, rndc should be reloaded. Better to restart your DNS server from WHM.

    5) SPF record, is it a must or important to set this?
    Most of the sites I check all keep it at the default.
    http://openspf.com is your answer. It's a spam filtering policy under the DNS configuration. According to the RDNS rules, you must have an SPF rule under your current domain NS configuration.

    Acceptance of postmaster address & Acceptance of abuse address.
    Are these necessary? Or not a must if these mailboxes are not set up/created for my mail?
    - How can I find this postmaster? In the cPanel mail settings?
    - Abuse address? In the cPanel mail settings too?
    You just need to add a postmaster@ and an abuse@ email address for your domain to solve this problem. It also belongs to the RDNS rules.

    4) Warn - Mail server host name in greeting
    This occurs because your mailserver identifies itself as a hostname that either does not exist, or exists but is on a different IP.


    In this case, you need to either [1] change the hostname that the mailserver identifies itself to the real hostname of the server, or [2] add/change the A record for the hostname that the mailserver identifies itself as to point to the IP address of the mailserver.
    Mellowhost - Providing High Quality Web Hosting Services since 2007
    SSD Cpanel Shared, SSD OpenVZ & KVM VPS Hosting
    A Hosting Provider with Complete SSD VPS & Shared Hosting.

  3. #3
    Join Date
    May 2006
    Posts
    31
    Thank you hadrick for the reply,
    it helped me a lot, I will give it a try later on when I have the time.
    Before I touch my VPS box, can I recheck some more questions? Really sorry for this, it really makes me feel like a noobie...

    As for the problem with open DNS, I also read about other solutions, and now I'm not sure which one to follow. And by doing this, will it break the VPS?

    1) http://webhostingtalk.com/showthread...pen+DNS+Server
    2) http://help.godaddy.com/article.php?...d=GoDaddy&isc=
    3) http://www.webhostgear.com/321.html


    Would the code look like this?
    options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;
    };
    Or does the final result look something like this?
    options {
    recursion no;
    };

    2) For my 2nd problem, Warn - Nameservers on separate Class C's & Fail - Single Point Of Failure.
    Is that normal? I also read that this is very common, as everyone is doing it. But will it cause any problem for the server/VPS?


    3) SOA, just to check, if I set my SOA to these values is it good?
    - SOA Refresh value : 3600 sec (lower value)
    - SOA Retry value : 120 sec (lower Value)
    - SOA Expire value : 1209600 sec (lower value)
    - SOA Min TTL value : 3600 sec (lower value)


    4) Warn - Mail server host name in greeting
    To solve this, I have to fix the A record?
    I will try to post my screenshots once I have time to access my box.


    5) SPF record, I will give it a try and update everyone on the outcome.


    6) Acceptance of postmaster address & Acceptance of abuse address.
    For this, I don't think it is necessary for us.... I think we will ignore it for now.

  4. #4
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    For open DNS follow the GoDaddy way or do this in named.conf:
    Code:
    options {
    recursion no;
    };
    Do not follow the webhostgear way, as there you would get some processes which are really not needed.

    2) For my 2nd problem, Warn - Nameservers on separate Class C's & Fail - Single Point Of Failure.
    Is that normal? I also read that this is very common, as everyone is doing it. But will it cause any problem for the server/VPS?
    Most of the time people leave it like this. But if you want to solve this problem, then the better way is to use this:
    http://www.everydns.net

    They will provide you their DNS with 4 C class places. Get the paid offer to make it compatible with your domain.

    3) SOA, just to check, if I set my SOA to these values is it good?
    - SOA Refresh value : 3600 sec (lower value)
    - SOA Retry value : 120 sec (lower Value)
    - SOA Expire value : 1209600 sec (lower value)
    - SOA Min TTL value : 3600 sec (lower value)
    Best Values are Here:
    - SOA Refresh value : 3600 sec
    - SOA Retry value : 120 sec
    - SOA Expire value : 1239600 sec
    - SOA Min TTL value : 3900 sec

    These values are compatible with the BIND configuration, that's why I use these values all the time. But it's your choice to choose any of them.

    4) Warn - Mail server host name in greeting
    To solve this, I have to fix the A record?
    I will try to post my screenshots once I have time to access my box.
    Yes, you need to add an A entry for your hostname. It should be fixed after that.

    Best of luck, let me know if you need any more help.

    Regards

  5. #5
    Join Date
    May 2006
    Posts
    31
    Thanks bro for the great help, and here is some update on what I have done.
    Really sorry for all these newbie questions.

    1) Fail - Open DNS Server
    I logged into the shell as root and then edited the named.conf file:
    nano /etc/named.conf

    *inside the "options {" *
    I added recursion no;
    So, the final result..... *note I only added "recursion no;", the rest is my default*
    options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;
    recursion no;
    };
    I made the changes, saved and exited..... But after waiting for 2 hours, I checked the DNS report and
    I still have the open DNS error... do I have to reboot the server?
    - Is there any difference between "nano" & "pico"? Both seem to edit files.

    *I also checked the help on: http://www.dnsreport.com/info/opendns.htm
    Do I also have to use this:
    • "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line in the "options" section.
    I also noticed that: Use caution; BIND files are easy to break
    Does that mean BIND can break my VPS easily?





    Attached is part of my main VPS settings for the
    Are these settings correct or the best values? So that I can continue with the rest of my DNS settings.
    - Domain Time To Live (14400)
    - Nameserver Time To Live (3600)
    - Master Nameserver (empty)

    Oh, I almost forgot:
    For my main VPS domain, I have this error: No NS A records at nameservers
    The rest of the domains I host are all fine without this error.
    Attachment: Server.jpg
    Last edited by FengYun; 09-15-2006 at 10:19 AM.

  6. #6
    Join Date
    May 2006
    Posts
    31

    SOA Setting

    Here is my SOA setting,

    which follows hadrick's wonderful advice:
    Best Values are Here:
    - SOA Refresh value : 3600 sec
    - SOA Retry value : 120 sec
    - SOA Expire value : 1239600 sec
    - SOA Min TTL value : 3900 sec

    After I made the change in Main >> DNS Functions >> Edit DNS Zone
    the SOA works fine... no more warning/fail.



    Attached is my current setting.
    Please note: my-server.com (this is an example of my 'Main' VPS domain)
    dns1.my-server.com & dns2.my-server.com (examples of my 'Main' nameservers)
    domain1.com (this is an example of my personal domain used for this test)

    Are my settings correct for the rest of the "NS", "A", "MX", "CNAME"?
    Attachment: Server_config1.jpg
    Last edited by gbjbaanb; 09-21-2006 at 02:34 PM.

  7. #7
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    You just restart your DNS server from WHM or from the shell using the following command:

    Code:
    service named restart
    And it will give no more error on open DNS, I hope so.

    Do I also have to use this:
    • "allow-recursion { ADD_LIST_OF_YOUR_IP_RANGES_HERE; }" line in the "options" section.
    I also noticed that: Use caution; BIND files are easy to break
    Does that mean BIND can break my VPS easily?
    Allow recursion is for some specific domains, although most of the time it is not required. And "BIND files are easy to break" means it is quite easy to understand how BIND is working. It will not break your VPS.

    Regards

  8. #8
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    This should help one of your problems.

    Code:
    Just under 'controls' entry, add the following. 
    
    //  Addition to prevent 'Open DNS Server' as reported at DNS Report
    
    // Part One Start
     acl "trusted" {
     xxx.xxx.xxx.xxx; << enter the base IP of the server
     127.0.0.1;
     };
    // Part One End
    
    
    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
             // query-source address * port 53;
    
    // Part Two Start
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    // Part Two End
    
    };
    And this should help with another.

    WHM > DNS Functions > Add an A Entry for your Hostname
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available
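    Both fixes in this thread (`recursion no;` in post #2, or the `acl "trusted"` plus `allow-recursion { trusted; }` in the post above) only take effect after named reloads its configuration, and the only reliable way to know the "Open DNS Server" finding is gone is to ask the server the way dnsreport does. The script below is an added example, not code from the thread, from dnsreport or from cPanel: it sends one recursive query for a name the server is not authoritative for and classifies the reply. An open resolver answers with the RA flag set and answer records; a server with recursion disabled, or whose `allow-recursion` acl does not include the probing address, returns REFUSED or at least clears RA. The target address, the probe name example.com and the two constructed sample responses are assumptions.

```python
"""Probe a nameserver for open recursion (dnsreport's 'Open DNS Server' test)."""
import random
import socket
import struct
import sys


def build_query(name, qtype=1, rd=True):
    """Build a minimal DNS query (qtype 1 = A) with the RD bit set, as a stub
    resolver would send it.  Returns (transaction id, packet bytes)."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": an}


def classify(hdr):
    """open: the server recursed for us (RA set, NOERROR, answer records present).
    closed: recursion refused (RCODE 5) or RA clear.  Anything else: inconclusive."""
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "open"
    if hdr["rcode"] == 5 or not hdr["ra"]:
        return "closed"
    return "inconclusive"


def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query for a name the server does not host (assumed:
    example.com) and classify the reply."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        return "inconclusive"                   # not a reply to our question
    return classify(hdr)


# Constructed reply headers of the two kinds an operator will see.
def sample_open_response():
    # QR|RD|RA, NOERROR, one answer: what an open resolver returns for example.com
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)


def sample_refused_response():
    # QR|RD, RCODE=5 (REFUSED), RA clear: BIND with 'recursion no;' or an acl miss
    return struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    print(f"{target}: {classify(parse_header(sample_open_response()))} (sample)")
    print(f"{target}: {probe(target)}")
```

    Run it from an address outside any `trusted` acl, not from the VPS itself, where 127.0.0.1 is typically allowed and would report "closed" even if the server is open to the Internet; and run it again after `service named restart`, because named reads named.conf only on start or reload, which is why the report in post #5 did not change until the reboot in post #9.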

  9. #9
    Join Date
    May 2006
    Posts
    31
    Wow, thank you guys for the help.
    I just gave it a try and rebooted the "DNS Server (BIND)" under my cPanel
    and it works well, the Open DNS Server problem has been solved.
    weee

    I only added "recursion no;" as follows in the named.conf, saved & rebooted DNS Server (BIND):
    options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;
    recursion no;
    };



    Now, next is some update on the SOA & DNS zone edit.
    I have tested and tried these values (which went very well):
    - SOA Refresh value : 3600 sec
    - SOA Retry value : 120 sec
    - SOA Expire value : 1239600 sec
    - SOA Min TTL value : 3900 sec


    Now what I need to do is to update & edit my Edit Zone Template,
    so that the next time I help my client create an account, I will not have to redo these settings manually.
    Under WHM/cPanel: DNS Functions --> Edit Zone Template
    -simple
    -standardvirtualftp
    -standard

    So, am I right to say that under these 3 templates I can safely change these values
    and they will match the values I tested above?
    86400 ; refresh, seconds (from 86400 ---> 3600)
    7200 ; retry, seconds (from 7200 ---> 120)
    3600000 ; expire, seconds (from 3600000 ---> 1239600)
    86400 ) ; minimum, seconds (from 86400 ---> 3900)
    I also need some advice on my post #6:
    are my settings for "NS", "A", "MX", "CNAME" correct?



    For my other problem, No NS A records at nameservers,
    as advised by:
    WHM > DNS Functions > Add an A Entry for your Hostname
    What kind of A entry do I need to add for my hostname? I'm not really sure about these things.

    Really thanks for the help and advice.
    It seems like I have almost solved 80% of the problems.
    Beer is on me

  10. #10
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    I'm quite happy to see that 80% is done, and wish to make it complete.

    Although to change the zone template for newly created domains you just need to change the template -standardvirtualftp.

    Here is a simple zone template you would need:

    ; cPanel %cpversion%
    ; Zone file for %domain%
    $TTL %ttl%
    @ %nsttl% IN SOA %nameserver%. %rpemail%. (
    %serial% ; serial, todays date+todays
    3600 ; refresh, seconds
    120 ; retry, seconds
    12960 ; expire, seconds
    3900 ) ; minimum, seconds
    %domain%. %nsttl% IN NS %nameserver%.
    %domain%. %nsttl% IN NS %nameserver2%.
    %domain%. %nsttl% IN NS %nameserver3%.
    %domain%. %nsttl% IN NS %nameserver4%.
    %domain%. IN A %ip%
    localhost.%domain%. IN A 127.0.0.1
    %domain%. IN MX 0 %domain%.
    mail IN CNAME %domain%.
    www IN CNAME %domain%.
    ftp IN CNAME %domain%.
    A entries are IP entries for your domain names. You can do the "Add an A entry for your hostname" only if the hostname domain (meaning the domain whose subdomain is used for the hostname; e.g. if host.domain.com then domain.com is the main domain) is hosted with the same server. To check whether the DNS entry is done or not, do the following:

    Go to DNS Functions >> Edit DNS Zone >> Select the domain >> Check whether the hostname subdomain name (meaning if host.domain.com then "host") is pointing to an A entry and whether the IP is your current server or not.

    That's it, let me know the result.

    Regards
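    The SOA timers come up in post #4, in the template above, and again in the 12960 versus 1239600 slip that post #11 spots. As an added example, not code from the thread, from cPanel or from dnsreport, here is a small checker that parses the parenthesised SOA record a cPanel zone file (or a rendered template) contains and compares the timers with the usual guidance: refresh between 1200 and 43200 s and expire of 2 to 4 weeks from RFC 1912 section 2.2, retry smaller than refresh, and a minimum (the negative-caching TTL since RFC 2308) of 1 to 3 hours. The sample zone text, the example.com names and the serial are constructed; the thresholds in RANGES are guidance a practitioner can change to match whatever report they are trying to satisfy.

```python
"""Check SOA timers in a BIND/cPanel zone file against common guidance."""
import re

# Recommended ranges in seconds.  refresh and expire follow RFC 1912 section 2.2;
# minimum follows RFC 2308's "one to three hours" suggestion for negative caching.
# These are guidance, not protocol limits: adjust to the checker you care about.
RANGES = {
    "refresh": (1200, 43200),       # 20 minutes to 12 hours
    "expire": (1209600, 2419200),   # 2 to 4 weeks
    "minimum": (3600, 10800),       # 1 to 3 hours
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """Parse a BIND time value: plain seconds or a unit form such as 2w or 1h30m."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(\d+[smhdw])+", token):
        raise ValueError(f"bad time value: {token!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))


def parse_soa(zone_text):
    """Return the SOA fields of a zone file as a dict.  Comments (;) are stripped
    first, so the multi-line parenthesised form cPanel writes is handled."""
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", stripped)
    if not m:
        raise ValueError("no parenthesised SOA record found")
    mname, rname, body = m.groups()
    fields = body.split()
    if len(fields) != 5:
        raise ValueError(f"SOA needs 5 numeric fields, found {len(fields)}")
    serial, refresh, retry, expire, minimum = fields
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
            "expire": parse_ttl(expire), "minimum": parse_ttl(minimum)}


def check_soa(soa):
    """Return a list of findings; an empty list means the timers look sane."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        value = soa[name]
        if not lo <= value <= hi:
            findings.append(f"{name}={value} outside recommended {lo}-{hi}")
    # Structural rules from RFC 1912: retry is a fraction of refresh, and expire
    # must be large enough that a secondary gets several refresh attempts in.
    if soa["retry"] >= soa["refresh"]:
        findings.append(f"retry={soa['retry']} should be smaller than refresh={soa['refresh']}")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append(f"expire={soa['expire']} must exceed refresh+retry")
    return findings


# Constructed sample zone in the shape of the cPanel template from the thread,
# with the %placeholders% filled in with made-up values.
ZONE_TYPO = """\
; Zone file for example.com
$TTL 14400
@ 3600 IN SOA dns1.example.com. admin.example.com. (
    2006091501 ; serial, todays date+todays
    3600       ; refresh, seconds
    120        ; retry, seconds
    12960      ; expire, seconds  <- the dropped-digit value
    3900 )     ; minimum, seconds
example.com. 3600 IN NS dns1.example.com.
example.com. IN A 192.0.2.10
"""
ZONE_FIXED = ZONE_TYPO.replace(" 12960 ", " 1239600 ", 1)


def audit(zone_text):
    """Parse and check one zone; returns the list of findings."""
    return check_soa(parse_soa(zone_text))


if __name__ == "__main__":
    for label, zone in (("typo", ZONE_TYPO), ("fixed", ZONE_FIXED)):
        print(label, audit(zone) or "OK")
```

    Against the template's 12960 expire the checker reports the value as far below the two-week floor, and passes once it is 1239600; the retry of 120 s the thread settled on passes because it is below the refresh of 3600 s. The checker wants a rendered zone, so run it on the files under the zone directory rather than on the template with its %placeholders% still in place.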

  11. #11
    Join Date
    May 2006
    Posts
    31
    Yes, thank you for your help hadrick.
    I'm doing my best to get my box as secure as I can.
    Will keep everyone updated on what I have done.

    For all newly created domains I just need to change the template of
    -standardvirtualftp

    What about the rest?
    Just to be safe, can I also update these?
    -simple
    -standard

    Something I noticed:
    1239600 ; expire, seconds (not 12960, right?)



    Well, here is more detail on my "No NS A records at nameservers" on my main account.
    When I check on dnsreport, I get these errors:
    Nameserver ip1.ip1.ip1.ip1 did not provide any IPs
    Nameserver ip2.ip2.ip2.ip2 did not provide any IPs

    As I was given 2 IP addresses when I signed up for my box, they are ip1 & ip2.
    I will attach my current print screen. I don't want to screw up my box, and
    there are 5 clients on it, as I'm not sure what field I need to add to my A record.



    The rest of my problems are almost solved. Only left with the:
    - Nameservers on separate class C's (may leave it as it is)
    - Single Point of Failure (may leave it as it is)
    - Acceptance of postmaster address (which I think is not so urgent)
    - Acceptance of abuse address (which I think is not so urgent)
    - SPF record (need to read more and understand more before I start)

    Cheers

    PS, for "BIND files are easy to break means it is quite easy to understand how BIND is working"...
    at first I really thought that my box could break easily^^
    That made me worry a bit there.
    Attachment: Main.jpg

  12. #12
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    What about the rest?
    Just to be safe, can I also update these?
    -simple
    -standard

    Something I noticed:
    1239600 ; expire, seconds (not 12960, right?)
    Yes, you can edit them too, but those are not recommended all the time. And that was a general fault; I made a little mistake while putting a 0 at the end.

    You add the A entry like I showed in the screenshot. I think server.my-server.com is your hostname. So you should enter ns1 and ns2 both.

    Check the attachment. Add the ip1 and ip2 for your ns1 and ns2 entries. And then save it and restart your DNS.

    Regards
    Attachment: untitled.JPG

  13. #13
    Join Date
    Jan 2006
    Posts
    71
    What about:
    -Single Point of Failure : WARNING: Although you have at least 2 NS records, and they appear to point to different physical servers, it looks like they share the same firewall. This results in a single point of failure, which could cause all your DNS servers to be unreachable.

    Is it the same as the class C warning?

  14. #14
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    Correct! It is the same as the C class warning. This rule has been implemented in the RFC at the last DNS conference in Chicago. Before that it wasn't in the dnsreport, as they maintain the RFC rules.

    Try everydns.net or use a different physical DNS server to solve the problem.

    Regards

  15. #15
    Join Date
    Jan 2006
    Posts
    71
    But it gives me FAIL, is it ok?

  16. #16
    Join Date
    May 2006
    Posts
    31
    Well, here is some update.

    1) Fail - Open DNS Server
    Fixed ~ updated the named.conf

    2) Warn - Nameservers on separate Class C's & Fail - Single Point Of Failure
    Will try to fix this soon. Due to some meetings with my other partner & security reasons, we will not try a 3rd-party DNS. To fix this, we have to get another server and configure it as my 2nd nameserver?

    3) SOA refresh value, SOA Retry value, SOA Expire value & SOA Min TTL Value
    Fixed ~ configured the DNS zone

    4) Warn - Mail server host name in greeting
    Fixed ~ somehow by restarting the mail service

    5) SPF record
    Not fixed ~ will try to understand more before we give it a try

    6) Acceptance of postmaster address & Acceptance of abuse address.
    I think it is not so important, might as well leave it this way.

    7) No NS A records at nameservers
    Fixed ~
    Added ip1 and ip2 for my dns1 and dns2 entries


    Problems almost all fixed.



    Now, I need advice on the SOA timing.
    The @ 3900 in the SOA ---> is this setting ok?
    Or should I leave it at the default value 86400?


    domain.com ---- 86400 ---- IN ---- NS ---- dns1.domain.com
    domain.com ---- 86400 ---- IN ---- NS ---- dns2.domain.com
    Is this value ok? 86400?
    Or should I set it to 3900 as well?

    Does anyone have some guide on how I can set good/preferred/best values for these settings?
    Last edited by FengYun; 09-20-2006 at 05:21 AM.

  17. #17
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    Quote Originally Posted by 4mhf
    But it gives me FAIL, is it ok?
    Yup, because this fail doesn't come up with your DNS accessing.

    domain.com ---- 86400 ---- IN ---- NS ---- dns1.domain.com
    domain.com ---- 86400 ---- IN ---- NS ---- dns2.domain.com
    Is this value ok? 86400?
    These settings are quite good. But 3900 is the best value. But you can also use 86400 for the TTL, as those values are quite stable and 3900 is in the middle of the two.

    Now, I need advice on the SOA timing.
    The @ 3900 in the SOA ---> is this setting ok?
    Or should I leave it at the default value 86400?
    Both should work fine with the cPanel BIND server. But 3900 is the best value, as explained above. But if you leave it at the default value, then it should work fine.

    Regards
