Spork Schivago
Well-Known Member, Jan 21, 2016, corning, ny
cPanel Access Level: Root Administrator
Hello,

I started looking through /var/log/secure* and found some worrying stuff, like this:
Code:
Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 65.19.178.10
Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' failed: 65.19.178.10 cannot request AXFR
What is that AXFR thing? Did someone try hijacking my domain name? What do I do? If that is a transfer attempt, why were they able to try and initiate one, even if it failed?

Also, Horde shows me an IP address from the last person to log into the account. Is there a log file where all these IP addresses for the successful logins are stored for Horde?

Thank you.

Spork Schivago

After I stopped freaking out real bad, I googled what AXFR is, and my understanding is that it's a good thing and supposed to be happening. AXFR is a mechanism for replicating DNS data across DNS servers. If I change something on my DNS server, maybe create a new A record, the AXFR is what updates all the other DNS servers, so they can see the A record. Is that correct?

I searched the log files and there are a bunch of IP addresses and failed messages with the AXFR thing. Maybe this topic shouldn't be in the security sub-forums but the DNS sub-forum.

I think, from my reading, what I want to do is enable DNS zone transfers (the AXFR thing). I'm pretty sure my DNS server is a slave and it communicates with Linode's master DNS server. I still don't have all the DNS stuff down, so please correct me if I'm wrong.

I want to enable AXFRs but I only want to tell my slave to communicate with Linode's master, so someone couldn't grab my zone data. Also, I think I want to sign the transfers. Hrmm, I wonder how I go about doing this.

cPanelMichael
Administrator, Staff member, Apr 11, 2011
Hello,

Could you verify which name server is installed on the system (e.g. Bind, PowerDNS)?

Thanks!

cPanelMichael

Hello,

AXFR is disabled by default in the PowerDNS configuration file:

Code:
# grep disable-axfr=yes /etc/pdns/pdns.conf
disable-axfr=yes
You can test this by logging in via SSH as an individual cPanel user, and then attempting to query the nameserver for a domain that is not owned by that cPanel user:

Code:
dig @127.0.0.1 cptest01.com AXFR
The command should end with:

Code:
;; global options: +cmd
; Transfer failed.
Note that we did update the pdns package to address an issue where this action was permitted for users with local connections when cPanel 60 was still in a development build:

Fixed case CPANEL-8843: Update pdns to 3.4.9-5.cp1160.

As far as enabling zone transfers, are you currently experiencing issues with your DNS configuration as it stands?

Thank you.

Spork Schivago

The only issues I have are a decent number of "transfer failed" messages in the log, but I don't think this is an error. I think maybe if I understood things a bit better, it'd help. It seems people can figure out my network topology using these domain transfers, which would be a bad thing. But if that's bad, why do we have them in the first place? What are the benefits to having them enabled? I can't really find a lot of information on that.

DNS works with AXFR disabled. So what exactly does AXFR allow the DNS server to do that it currently cannot do? I was thinking I could secure the transfers somehow. Signing them and maybe only allowing transfers to Linode's master server or whatever it's called. My understanding is domain transfers (AXFR) allow my DNS server's database (the zone) to be synchronized with other DNS servers. If this is the case, it'd be a good thing to have them enabled, at least for Linode's master server, right?

If that's what DNS zone transfers are, I guess I don't understand why, when I edit my zone and add a new record, it eventually propagates to the rest of the DNS servers on the internet. Isn't that what AXFR does? With AXFR disabled, how do the other DNS servers know about my zone?

cPanelMichael

Hello,

I believe you simply need more information to help understand the difference between a DNS query and a zone transfer. The top answer on the following StackOverflow thread is a good answer to help understand the difference:

How can I list ALL DNS records?

You may also find these URLs helpful:

Is there a way to get the complete zone file for a domain without contacting its host?
DNS zone transfer attack
How to test for zone transfer?

The Wikipedia page on zone transfers may also help:

DNS zone transfer - Wikipedia

Spork Schivago said:
My understanding is domain transfers (AXFR) allow my DNS server's database (the zone) to be synchronized with other DNS servers. If this is the case, it'd be a good thing to have them enabled, at least for Linode's master server, right?
Yes, the transfer of DNS records from your cPanel server to the Linode DNS servers is done through AXFR queries. Their instructions require you to allow their specific IP addresses permission to make those queries. The process may have been completed for you on their behalf, but if not, they offer information about what happens at:

Set Up DNS Services on cPanel

Thank you.
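As an added example (not code from this thread, from cPanel or from Linode), a small Python audit of the pdns log lines quoted in the first post: it pairs each "initiated" line with its "failed" line per zone and source IP, so refused attempts like the one in the opening post count as noise, and only attempts that were never logged as refused and came from an address outside the allow-list get flagged. The sample log lines and the allow-list address are constructed; the real allow-list would hold the secondary addresses Linode asks you to permit.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pdns syslog format from the thread; 65.19.178.10
# is the address in the original post, the rest are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 65.19.178.10
Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' failed: 65.19.178.10 cannot request AXFR
Dec  3 22:30:41 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 192.0.2.7
Dec  3 22:30:41 franklin pdns[4717]: AXFR of domain 'mydomain.com' failed: 192.0.2.7 cannot request AXFR
Dec  3 23:01:02 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 198.51.100.5
Dec  3 23:01:02 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 203.0.113.9
"""
# Placeholder for the secondaries you deliberately allow (the addresses Linode
# tells you to permit would go here); a constructed value, not Linode's real ones.
ALLOWED_SECONDARIES = {"198.51.100.5"}

INITIATED = re.compile(r"AXFR of domain '(?P<zone>[^']+)' initiated by (?P<ip>\S+)")
REFUSED = re.compile(r"AXFR of domain '(?P<zone>[^']+)' failed: (?P<ip>\S+) cannot request AXFR")

def audit_axfr(log_text, allowed_secondaries):
    """Per source IP: attempts, refusals, and attempts never logged as refused.
    With disable-axfr=yes every attempt should be refused, so an 'unaccounted'
    attempt from an IP you did not allow is the thing to look at, not the refusals."""
    stats = defaultdict(lambda: {"initiated": 0, "refused": 0, "unaccounted": 0})
    pending = defaultdict(int)  # (zone, ip) -> initiations not yet refused
    for line in log_text.splitlines():
        m = INITIATED.search(line)
        if m:
            stats[m["ip"]]["initiated"] += 1
            pending[(m["zone"], m["ip"])] += 1
            continue
        m = REFUSED.search(line)
        if m:
            stats[m["ip"]]["refused"] += 1
            if pending[(m["zone"], m["ip"])] > 0:
                pending[(m["zone"], m["ip"])] -= 1
    for (_zone, ip), n in pending.items():
        stats[ip]["unaccounted"] += n
    for ip, s in stats.items():
        s["allowed"] = ip in allowed_secondaries
    return dict(stats)

def suspicious_sources(summary):
    """IPs outside the allow-list whose attempts were never logged as refused."""
    return sorted(ip for ip, s in summary.items() if s["unaccounted"] and not s["allowed"])

if __name__ == "__main__":
    print(suspicious_sources(audit_axfr(SAMPLE_LOG, ALLOWED_SECONDARIES)))
```

Run it against `grep AXFR /var/log/secure*` output instead of the sample to see which addresses are only generating refusals and which, if any, deserve a closer look.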