Recursion question

Fr34k freaknetboy at yahoo.com
Fri Oct 6 21:35:09 UTC 2006


RE: OPEN DNS:
Authoritative DNS servers should only respond to queries about the domains they
are authoritative for. If they support other queries, then that check will say
"FAIL". See the Information next to this check for the details (cache
poisoning, etc.) for why this check is there.

When a server is used/configured for both caching and authoritative DNS, then
it will fail this check. Perhaps there are other situations as well of which I
am unaware.

Is this critical? Depends on your environment, risk, etc.

RE: STEALTH errors
The cliff notes version of this is that the registrar says a domain's auth DNS
servers are:
ns1.auth.dot
ns2.auth.dot
But the NS records on these servers also list a ns3.auth.dot as well.

So, the failures. Either add ns3.auth.dot to the list of auth DNS servers for
the domain at the registrar or remove that NS record. Or, as dnsreport will
say, be sure you know what you are doing :)

HTH -- Chris

--- Steve Ingraham <singraham at okcca.net> wrote:

> I have a question concerning my name servers.  In doing a check of my
> DNS configuration I ran a DNS report from www.dnsreport.com
> <http://www.dnsreport.com/>.
> 
> One of the failures the report noted on our NS records is that our
> domain failed the open DNS server test.  Is this a critical issue I
> should resolve?  What problems should I be aware of with this issue?
> 
> I have read where I should set:
> 
> options {
>     recursion no;
> };
> 
> in the named.conf file.  Is that all I need to do to correct this
> problem?
> 
> Two other failures have me concerned.  One states I have a "Missing
> Stealth Server".  Another states that there is a "Stealth NS record
> leakage".  Can someone explain what these two failures are about and
> what I need to do to correct them?
> 
> Thanks in advance for all advice on this.
> 
> Steve Ingraham
> Director of Information Services
> Oklahoma Court of Criminal Appeals
> singraham at okcca.net
> 405 522-5343
> 
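
The two checks discussed in this thread (open recursion, and registrar versus zone NS mismatches) can be reproduced against a server you operate. The sketch below is an added example, not part of the original messages and not dnsreport's code; the function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """A-record query with RD=1; use a name the server is not authoritative for."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(resp):
    """Decide from the DNS header whether the server offered recursion."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if ra and rcode == 0 and ancount:
        return "FAIL: recursed and answered an out-of-zone name"
    if ra:
        return "FAIL: recursion available (RA set)"
    return "PASS: REFUSED" if rcode == 5 else "PASS: RA clear (referral or empty answer)"

def probe(server_ip, name, timeout=3.0):
    """Send the query to a server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recv(512))

def ns_mismatch(registrar_ns, zone_ns):
    """Compare the registrar's delegation with the zone's own NS records."""
    norm = lambda names: {n.rstrip(".").lower() for n in names}
    reg, zone = norm(registrar_ns), norm(zone_ns)
    return {"only_in_zone": sorted(zone - reg), "only_at_registrar": sorted(reg - zone)}

# Constructed sample headers (not captured traffic): flags 0x8180 = QR|RD|RA with
# one answer; flags 0x8105 = QR|RD, RA clear, rcode 5 (REFUSED).
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(OPEN_REPLY))
    print(classify(REFUSED_REPLY))
    print(ns_mismatch(["ns1.auth.dot", "ns2.auth.dot"],
                      ["ns1.auth.dot", "ns2.auth.dot", "ns3.auth.dot"]))
```

Run `probe()` from a host outside any address range the server is meant to serve recursively, so the result reflects what an arbitrary client sees.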



More information about the bind-users mailing list