DNS Recursion - How to disable for PCI compliance?
Howdy,
Does anyone know the correct way to edit /etc/named.conf and the right procedure to turn off recursion on VPS?
It seems like just changing recursion yes; to recursion no; doesn't do the trick.
I've seen stuff about "external view" but I don't really know what any of this means.
Thanks!
-
Hey hey! We've got the details on this here:
https://support.cpanel.net/hc/en-us/articles/6197108904087-How-to-setup-DNS-recursion-in-BIND
Is there a particular reason you want to enable this option? Its only use is to let your DNS server answer queries for domains it's not authoritative for, which is not a common configuration even on non-cPanel systems.
-
Thanks for the reply! But I want to disable, not enable.
-
You shouldn't need to do anything to disable this as it's disabled on all cPanel servers by default.
-
My recent PCI scan failed citing failed tests "DNS Server Cache Snooping Remote Information Disclosure" and "DNS Server Recursive Query Cache Poisoning Weakness".
A.I. said the fix was to edit /etc/named.conf and change the existing line
recursion yes;
to
recursion no;
I checked locally via cmd prompt to see if the fix worked, using
nslookup google.com myserverip
Then I gave the results to A.I., which said the fix to the recursion problem had not worked.
But when I used https://iptools.net.au/dig with the hostname "google.com" and the custom nameserver set to my server's IP address, I got
Dig Result
No valid DNS records found.
which apparently means that there is no recursion.
Plus, I have actually since passed my PCI rescan.
So, that's my story. I don't know what to make of all of it, but there it is.
Thanks!
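An added example, not from this thread or from cPanel: a small Python probe that sends the two kinds of query a PCI scanner sends to a nameserver you administer (one with the RD bit set, one with it cleared) and reads the reply header flags, so the result is "refused" or "recursion available" rather than the ambiguous "No valid DNS records found." The server address and the test name (a domain the server is not authoritative for) are placeholders.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, recursion_desired=True, txid=0x1234):
    """Raw DNS query for an A record; the RD bit is what a scanner toggles."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte reply header into the flags that matter here."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),   # answer is authoritative (one of our own zones)
        "ra": bool(flags & 0x0080),   # server offers recursion to this client
        "rcode": flags & 0x000F,
        "answers": an,
    }

def judge(hdr):
    """Read a reply for a name this server is NOT authoritative for."""
    if hdr["ra"]:
        return "recursion available"   # the 'recursive query' scan finding
    if hdr["rcode"] == 0 and hdr["answers"] > 0 and not hdr["aa"]:
        return "cache exposed"         # the 'cache snooping' scan finding
    if hdr["rcode"] == 5:
        return "refused"               # what 'recursion no;' should produce
    return "no recursion, no cached data"

def probe(server, name="example.com", recursion_desired=True, timeout=3.0):
    """Send one UDP query to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, recursion_desired), (server, 53))
        resp, _ = s.recvfrom(512)
    hdr = parse_header(resp)
    return judge(hdr), RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))

if __name__ == "__main__":
    import sys
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder address
    print("RD=1:", probe(srv, recursion_desired=True))
    print("RD=0:", probe(srv, recursion_desired=False))
```

A server with `recursion no;` should report "refused" for the RD=1 query; "cache exposed" on the RD=0 query means cached data is still being served and the cache needs to be restricted as well.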