cPanel DNS Clustering -> Allowing axfr by default
Sadly, I found out the hard way...
cPanel DNS clusters allow axfr requests to all domains by default. Therefore every person on the internet can get a full list of records for my domain, even if I don't want them to.
How do I fix this ASAP?
I tried this on several other cPanel servers, they all do the same thing.
You can specify who can request zone modifications using the:
directive within your options section in /etc/named.conf. If you wanted to disable it for all hosts, you can add:Code:allow-transfer {};
cPanel's cluster system uses proprietary scripts to perform DNS syncs with master servers, so I don't believe you'll encounter any particular problems with disabling AXFR.Code:options { .... allow-transfer {none;}; };
Last edited by acenetryan; 04-09-2009 at 05:23 PM.
That may actually only disable the transfer requests. There is a ton of info on BIND directives here:
http://www.zytrax.com/books/dns/ch7/xfer.html
I know how to change it in bind.conf, however I'm concerned it will just get re-written when cPanel re-loads the zones.
Sounds good, we'll change it and pray for the best.
cPanel -- possible to add this as default?
We've had AXFR transfer requests disabled for some time in /etc/named.conf on our cluster and cPanel has yet to overwrite it. Unless you explicitly perform a rebuild of your named.conf, I don't believe cPanel will remove this option. If you have to rebuild your named.conf, just remember to add back in your options.
LinkBack URL
About LinkBacks
Reply With Quote