  1. #16
    Member mahdionline's Avatar
    Join Date
    Oct 2003
    Posts
    127

    Default

    Quote Originally Posted by dgbaker
    The quickest and easiest way to block this is to do the following;

    edit /etc/named.conf

    add the following just before logging

    options {
    directory "/var/named/";
    version "Not telling you";
    allow-transfer { IP's that are allowed (slaves/master); };
    };

    save it and restart named.

    Also cPanel will NOT overwrite this change.

    To test, run nslookup from your desktop
    C:\>nslookup
    Default Server: nsctor1.bellnexxia.net
    Address: 209.226.175.223

    >

    type
    > ls domain.com

    You should get something like the following;

    > ls virtual-hosting.ca
    [nsctor1.bellnexxia.net]
    *** Can't list domain virtual-hosting.ca: Query refused
    I do this instruction, but in nslookup.exe it shows me a list of names! What's the problem?

    Regards
    Mahdionline

  2. #17
    Member
    Join Date
    Jul 2002
    Location
    Atlanta, GA
    Posts
    646

    Default

    Quote Originally Posted by jeffheld
    find out if your dns server is fuc*i* lame.
    dnstuff.com

    http://www.dnsstuff.com/tools/lookup...l.net&type=ALL

    should look like the above. also...

    http://www.dnsreport.com/tools/dnsre...ain=cpanel.net

    will give you more info and let you know what needs to be setup correctly. otherwise.. hand over your ip :P
    Don't trust everything at dnsreport.com. They will red flag things that are still permissible by the DNS RFC (such as stealth nameservers). It unfortunately can give people a false sense that something is wrong, when in fact there is nothing wrong.

  3. #18
    Member
    Join Date
    Mar 2003
    Posts
    345

    Default

    This is what I get:

    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

    LINE 21 is : allow-transfer { IP's that are allowed (slaves/master);

  4. #19
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Quote Originally Posted by icanectc
    This is what I get:

    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

    LINE 21 is : allow-transfer { IP's that are allowed (slaves/master);
    Well, it should read:

    allow-transfer { IP's that are allowed (slaves/master); };

    Note the number of semi-colons. So, if you want to allow transfer requests from 11.22.33.44 and 44.33.22.11, then that line would look like this:

    allow-transfer { 11.22.33.44; 44.33.22.11; };
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  5. #20
    Member
    Join Date
    Mar 2003
    Posts
    345

    Default

    It's the last } I did not add. It's working now, thanks!

  6. #21
    Member
    Join Date
    Jun 2004
    Posts
    7

    Default help me with my server I have problems with dns zones

    I have problems with my DNS zones: all domains go to a main IP address. I delete the account in WHM and create it again, but it does not work.
    What is the problem?
    Thanks

  7. #22
    Member
    Join Date
    Jun 2004
    Posts
    7

    Default Someone who speaks Spanish to help me with the DNS zones that don't work!!!

    Someone who speaks Spanish to help me with the DNS zones that don't work on my dedicated server.
    I have problems with the DNS zone; I don't know how to edit it and fix it.
    Thanks

  8. #23
    Member mahdionline's Avatar
    Join Date
    Oct 2003
    Posts
    127

    Default

    I do the instruction, but now when I go to nslookup.exe and type
    > is adomainname.com

    it shows me a list of names and does not show your written message.
    What's the problem?

    Regards
    Mahdionline

  9. #24
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Default

    It's not `is domain.com` it is `ls domain.com` lowercase L
    Regards,
    David
    Forum Moderator

  10. #25
    Member mahdionline's Avatar
    Join Date
    Oct 2003
    Posts
    127

    Default

    I do the instruction but now when I go to nslookup.exe and type

    > is adomainame.com

    it shows me a list of names!

    What's the problem?

    Regards
    Mahdionline

  11. #26
    Member This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Apr 2004
    Posts
    620

    Default

    Here is what we are using at the moment. Add this after controls. Make sure that you have no more options as it will cause bind/named to fail.
    Code:
    acl "slaves" {
            127.0.0.1; localhost;
    };
    
    acl "masters" {
            127.0.0.1; localhost;
    };
    
    acl "trusted" {
            127.0.0.1; localhost;
    };
    
    logging {
            category lame-servers { null; };
    };
    
    options {
            statistics-file "/var/run/named/named.stats";
            allow-transfer { slaves; masters; trusted; };
            allow-recursion { trusted; };
            allow-notify { masters; };
    };
    Here slaves are the Slave DNS servers, masters are the Master DNS servers and trusted are the servers you trust and allow to do recursive lookups and request the DNS zones in full. Usually safe to keep by default.

    This will also generate the statistics file at "/var/run/named/named.stats" (do not forget to execute "/usr/sbin/ndc stats" prior!)
    It could be used by MRTG for example.

    P.S. I'm not sure if the allow-notify should include masters only. It is supposed to list the hosts which may force a zone update, isn't it? So they should be the Master DNS servers only? Anyone using DNS clusters who can clear this up?
    Last edited by ispro; 10-28-2005 at 10:40 AM.
    Reliable web-hosting, good resellers plans, web-design.
    ISProHosting.com

  12. #27
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Probably overkill using so many ACL's. This is what I use, which will achieve the same thing:

    Code:
    acl "trusted" {
            11.22.33.44;
            44.33.22.11;
            66.55.44.33;
            127.0.0.1;
    };
    
    options {
            directory "/var/named";
            version "not currently available";
            allow-recursion { trusted; };
            allow-notify { trusted; };
            allow-transfer { trusted; };
    };
    Where the IP addresses are all the other participants in your DNS cluster, including the server you are on, which makes it nice and easy to duplicate for all your servers.
    Last edited by chirpy; 03-08-2006 at 03:18 PM.
    Jonathan Michaelson


  13. #28
    Member This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Apr 2004
    Posts
    620

    Default

    Your setup makes sense also.

    We just would like to tune each setting using "security through obscurity" method where everything should be blocked, and then necessary things allowed only.

    Do you have any valid information that using several ACLs in named.conf may slow it down?
    I heard nothing about that.

  14. #29
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    I doubt that it would make any difference to performance at all.
    Jonathan Michaelson


  15. #30
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Quote Originally Posted by chirpy
    Code:
    acl "trusted" {
            11.22.33.44;
            44.33.22.11;
            66.55.44.33;
    };
    
    options {
            directory "/var/named";
            version "not currently available";
            allow-recursion { trusted; };
            allow-notify { trusted; };
            allow-transfer { trusted; };
    };
    I have the same set up, but I don't have the 'directory "/var/named";' line.
    Why did you add that? Did you run into trouble without it?
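
The ACL-based `options` blocks posted in this thread can be checked statically before named is restarted. The following is an added example, not code from any poster or from cPanel or BIND: it resolves named ACLs and reports `allow-transfer` and `allow-recursion` statements that are absent from `options` or open to `any`. It is a simplified reader that ignores comments, negation and per-zone overrides; the function names and the sample configuration are constructed here.

```python
import re

# Constructed sample in the shape of the configurations posted above.
SAMPLE_CONF = '''
acl "trusted" {
        11.22.33.44; 44.33.22.11; 127.0.0.1;
};
options {
        directory "/var/named";
        allow-recursion { trusted; };
        allow-transfer { trusted; };
};
'''

def _elements(body):
    """Split the inside of a { ...; ...; } match list into its elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """Map each acl name to its list of elements."""
    pattern = r'\bacl\s+"?([\w-]+)"?\s*\{([^{}]*)\}\s*;'
    return {name: _elements(body) for name, body in re.findall(pattern, conf)}

def resolve(elements, acls, seen=()):
    """Expand references to named ACLs; built-ins such as any/none stay as-is."""
    out = []
    for e in elements:
        if e in acls and e not in seen:
            out += resolve(acls[e], acls, seen + (e,))
        else:
            out.append(e)
    return out

def effective(conf, directive):
    """Elements matched by `directive` in the options block, or None if unset."""
    opts = re.search(r'\boptions\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;', conf)
    stmt = opts and re.search(re.escape(directive) + r'\s*\{([^{}]*)\}\s*;', opts.group(1))
    return resolve(_elements(stmt.group(1)), parse_acls(conf)) if stmt else None

def audit(conf):
    """Return findings for transfer/recursion statements that are unset or open."""
    findings = []
    for d in ("allow-transfer", "allow-recursion"):
        eff = effective(conf, d)
        if eff is None or "any" in eff:
            findings.append(f"{d}: " + ("not set" if eff is None else "open to any"))
    return findings

if __name__ == "__main__":
    print(effective(SAMPLE_CONF, "allow-transfer"), audit(SAMPLE_CONF))
```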
