what should /etc/resolv.conf look like?

**spaceman** · 09-22-2005, 05:46 PM

Hi All,

Can someone tell me what a default or 'good' /etc/resolv.conf should look like?

I ask because we were observing lots of failures (timeouts) in exim_mainlog when our server was trying to connect and send mail to other mail servers. It was eventually tracked down to an incorrect config of resolv.conf (nameserver 127.0.0.1 was missing, no idea why).

So I'm assuming therefore that nameserver 127.0.0.1 in resolv.conf is essential? What else is essential or recommended?

Thanks.

**sh4ka** · 09-22-2005, 06:34 PM

Your resolv.conf file should look like :

nameserver [primary IP]
nameserver [secondary IP]
nameserver [or another DNS IP that you have]

And, never put 127.0.0.1 at this configuration, it is not recommended to put this into the file, i think it is a security issue.

Good luck

**spaceman** · 09-22-2005, 08:03 PM

Thanks for your comments.

I've been researching around this issue and...

Some say that having 127.0.0.1 in there is not a security risk IF in WHM > Tweak Settings you have this enabled:

"Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)"

Others say if you've got 'search yourdomain.com' in there then you don't need 127.0.0.1 in there as well.

So many opinions! :-)

**chirpy** · 09-23-2005, 04:08 AM

You should definitely not have 127.0.0.1 there as it is a security risk and there's simply no need as you can use the main IP address of the server if you have bind correctly setup and working. Adding the DNS resolvers that your NOC provides is also a good idea incase named falls over.

**astopy** · 09-23-2005, 04:25 AM

What would be the difference to security of using the server's main external IP instead of 127.0.0.1?

**chirpy** · 09-23-2005, 04:38 AM

Light reading can be found here (had to dig a bit to find it as it was discussed some time ago):
http://forums.cpanel.net/showthread.php?t=31081

**neonix** · 12-15-2005, 07:29 AM

Hi,

I was reading this article and just happened to check resolv.conf file. - My name servers have been commented and replaced with nameservers which are not of my datacenter.

cat resolv.conf
domain mydomain.com
search mydomain.com
#nameserver xx.xx.xx.xx
#nameserver xx.xx.xx.xx
nameserver zz.zz.aa.bb
nameserver zz.zz.e.f

/etc/nameserverips is fine
/etc/wwwacct.conf is fine

root@cat3 [/etc]#
-rw-r--r-- 1 root root 147 Jun 12 2005 resolv.conf

As per the above output; resolv.conf hasn't been modifed since Jun 12 2005 and I have not made these modifications. Strangely none of my sites have reported a problem till date.

/tmp is secure - no suspicious files, mod-security in place... bind version 9.2.4

What could be the reason for this modification in resolv.conf? Is this a known exploit ??

Thanks!

**HostMerit** · 12-15-2005, 08:16 AM

Might be cpanels default resolvers

Try:

nameserver 4.2.2.4
nameserver 4.2.2.2
nameserver 4.2.2.6
nameserver 4.2.2.7

Genuity's main DNS servers, my favorite, always resolve to a server near yours, and always seem to update the fastest.

Just my thoughts...

**neonix** · 12-15-2005, 09:51 AM

nameserver 151.164.1.8
nameserver 151.164.11.201

Those IPs belong to ns1.swbell.net and ns2.swbell.net.

This is the reply from my DC:
"Rkhunter was ran on the system which only noticed a few few update need to be preformed. You have likely been cross site scripted through an old or outdated version of PHP. Up date you scripts and you should also disable direct root login. Resume.doc and several others were found in the tmp directory. Refrain from using /tmp as a place to store files."

----

My direct root login is disabled and /tmp folder is also secure.

I need help to clear some queries about this situation:

1. The permissions on resolv.conf still show root as the owner. How was resolv.conf modified by a script?

2. How do I prevent /tmp as a place to store files.

3. Most importantly; how is that all my sites were working without a problem inspite of incorrect nameservers in resolv.conf.

4. What were the security implications due to the nameservers being modified in resolv.conf

5. I have now changed resolv.conf to show my ips' as the nameservers. Do I have to do anything now?

P.S. I have a RHEL/cPanel server.

**ThunderHostingDotCom** · 03-11-2006, 02:03 PM

Does our /etc/resolv.conf need the below entries? We only have the nameserver IPs in there now.

domain mydomain.com
search mydomain.com

**chirpy** · 03-12-2006, 03:26 AM

They aren't a requirement (they're only for non-FQDN lookups) and you should never have both in a resolv.conf anyway as they're mutually exclusive.

**ThunderHostingDotCom** · 03-12-2006, 10:25 AM

Ok so I now only have the below in it. Plus all of the NS1 nameservers

domain mydomain.com

**chirpy** · 03-12-2006, 10:38 AM

That's fine, but as I said - usually unnecessary.

**ThunderHostingDotCom** · 03-13-2006, 02:05 PM

Ok, what does yours look like?

**isputra** · 03-15-2006, 06:37 AM

Hi,

Is there anyway that resolv.conf will change by itself ?

Because today my resolv.conf change not pointed to my IP but to old IP.

Recently my DC move my IP server from old to new IP. And i already change this resolv to new IP but today change back to old IP.

just want to know about it... already search the forum but none discuss about this changing.

Forums

Thread: what should /etc/resolv.conf look like?

LinkBack

Thread Tools

what should /etc/resolv.conf look like?

resolv.conf

Similar Threads

resolv.conf

/etc/resolv.conf

/etc/resolv.conf what should be there

resolv.conf

resolv.conf again

cPanel & WHM

Enkompass

Help

Community

Company

Connect with Us