SOLVED Enable DNS zone transfers?

Discussion in 'Bind / DNS / Nameserver Issues' started by Spork Schivago, Dec 8, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I started looking through /var/log/secure* and found some worrying stuff, like this:
    Code:
    Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' initiated by 65.19.178.10
    Dec  3 22:24:09 franklin pdns[4717]: AXFR of domain 'mydomain.com' failed: 65.19.178.10 cannot request AXFR
    
    What is that AXFR thing? Did someone try hijacking my domain name? What do I do? If that is a transfer attempt, why were they able to try and initiate one, even if it failed?

    Also, Horde shows me an IP address from the last person to log into the account. Is there a log file where all these IP addresses for the successful logins are stored for Horde?

    Thank you.
     
  2. Spork Schivago

    After I stopped freaking out real bad, I googled what AXFR is, and my understanding is that it's a good thing and supposed to be happening. AXFR is a mechanism for replicating DNS data across DNS servers. If I change something on my DNS server, maybe create a new A record, the AXFR is what updates all the other DNS servers, so they can see the A record. Is that correct?

    I searched the log files and there are a bunch of IP addresses and failed messages with the AXFR thing. Maybe this topic shouldn't be in the security sub-forums but the DNS sub-forum.

    I think, from my reading, what I want to do is enable DNS zone transfers (the AXFR thing). I'm pretty sure my DNS server is a slave and it communicates with Linode's master DNS server. I still don't got all the DNS stuff down, so please correct me if I'm wrong.

    I want to enable AXFRs but I only want to tell my slave to communicate with Linode's master, so someone couldn't grab my zone data. Also, I think I want to sign the transfers. Hrmm, I wonder how I go about doing this.
     
    #2 Spork Schivago, Dec 8, 2016
    Last edited: Dec 8, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify which name server is installed on the system (e.g. Bind, PowerDNS)?

    Thanks!
     
  4. Spork Schivago

    Yup. It's PowerDNS. I also have that DNSSEC configured (hopefully, properly!).
     
  5. cPanelMichael

    Hello,

    AXFR is disabled by default in the PowerDNS configuration file:

    Code:
    # grep disable-axfr=yes /etc/pdns/pdns.conf
    disable-axfr=yes
    
    You can test this by logging in via SSH as an individual cPanel user, and then attempting to query the nameserver for a domain that is not owned by that cPanel user:

    Code:
    dig @127.0.0.1 cptest01.com AXFR

    The command should end with:

    Code:
    ;; global options: +cmd
    ; Transfer failed.

    Note that we did update the pdns package to address an issue where this action was permitted for users with local connections when cPanel 60 was still in a development build:

    Fixed case CPANEL-8843: Update pdns to 3.4.9-5.cp1160.

    As far as enabling zone transfers, are you currently experiencing issues with your DNS configuration as it stands?

    Thank you.
     
    Spork Schivago likes this.
  6. Spork Schivago

    The only issues I have are a decent number of transfer failed messages in the log, but I don't think this is an error. I think maybe if I understood things a bit better, it'd help. It seems people can figure out my network topology using these domain transfers, which would be a bad thing. But if that's bad, why do we have them in the first place? What are the benefits to having them enabled? I can't really find a lot of information on that.

    DNS works with AXFR disabled. So what exactly does AXFR allow the DNS server to do that it currently cannot do? I was thinking I could secure the transfers somehow. Signing them and maybe only allowing transfers to Linode's master server or whatever it's called. My understanding is domain transfers (AXFR) allow my DNS server's database (the zone) to be synchronized with other DNS servers. If this is the case, it'd be a good thing to have them enabled, at least for Linode's master server, right?

    If that's what DNS zone transfers are, I guess I don't understand why when I edit my zone and add a new record, it eventually propagates to the rest of the DNS servers on the internet. Isn't that what AXFR does? With AXFR disabled, how do the other DNS servers know about my zone?
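
A way to triage the AXFR log lines quoted in this thread, added here as an example and not posted by any participant: it counts initiated and refused transfers per source IP and flags any source that has an initiation with no matching refusal. It assumes the two pdns message formats shown in the first post; the log lines in `sample_log` are constructed.

```shell
#!/bin/sh
# Per-source summary of PowerDNS AXFR attempts in a syslog-style file.
# Output: <source_ip> <initiated> <failed> <verdict>, one line per source.
# Assumes the two message formats quoted in this thread.

axfr_summary() {    # $1: log file, e.g. a copy of /var/log/secure
    awk '
        / AXFR of domain .* initiated by / {
            ip = $NF                       # source is the last field
            initiated[ip]++; seen[ip] = 1
        }
        / AXFR of domain .* failed: / {
            split($0, part, " failed: ")   # "<ip> cannot request AXFR"
            split(part[2], word, " ")
            ip = word[1]
            failed[ip]++; seen[ip] = 1
        }
        END {
            for (ip in seen) {
                # An initiation with no matching refusal may have succeeded.
                verdict = (initiated[ip] + 0 > failed[ip] + 0) ? "REVIEW" : "refused"
                printf "%s %d %d %s\n", ip, initiated[ip], failed[ip], verdict
            }
        }
    ' "$1" | sort
}

sample_log() {      # constructed log lines; addresses are documentation ranges
    cat <<'EOF'
Dec  3 22:24:09 host pdns[4717]: AXFR of domain 'example.com' initiated by 198.51.100.7
Dec  3 22:24:09 host pdns[4717]: AXFR of domain 'example.com' failed: 198.51.100.7 cannot request AXFR
Dec  3 22:31:40 host sshd[5120]: Accepted publickey for root from 203.0.113.5 port 50022 ssh2
Dec  4 01:02:11 host pdns[4717]: AXFR of domain 'example.org' initiated by 198.51.100.7
Dec  4 01:02:11 host pdns[4717]: AXFR of domain 'example.org' failed: 198.51.100.7 cannot request AXFR
Dec  4 03:15:27 host pdns[4717]: AXFR of domain 'example.com' initiated by 192.0.2.53
EOF
}

if [ $# -ge 1 ]; then axfr_summary "$1"; fi
```

A `REVIEW` verdict only means the refusal line is absent from the file examined; compare the source against the addresses of your intended secondary before drawing conclusions.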
     
  7. cPanelMichael

    Hello,

    I believe you simply need more information to help understand the difference between a DNS query and a zone transfer. The top answer on the following StackOverflow thread is a good answer to help understand the difference:

    How can I list ALL DNS records?

    You may also find these URLs helpful:

    Is there a way to get the complete zone file for a domain without contacting its host?
    DNS zone transfer attack
    How to test for zone transfer?

    The Wikipedia page on zone transfers may also help:

    DNS zone transfer - Wikipedia

    Yes, the transfer of DNS records from your cPanel server to the Linode DNS servers is done through AXFR queries. Their instructions require you to allow their specific IP addresses permission to make those queries. The process may have been completed for you on their behalf, but if not, they offer information about what happens at:

    Set Up DNS Services on cPanel

    Thank you.
     
    Spork Schivago likes this.
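
One way to check that a PowerDNS configuration permits transfers only to the intended secondary, as the reply above describes (an added example, not cPanel's or Linode's tooling). `disable-axfr` is the setting shown in the thread; `allow-axfr-ips` is PowerDNS's transfer ACL setting and does not appear on the page, and the secondary addresses passed in are placeholders from documentation ranges.

```shell
#!/bin/sh
# Classify the AXFR exposure of a pdns.conf-style file (key=value, '#' comments).
# Usage: axfr_exposure <conf> "<expected secondary IPs, space separated>"
# Prints one of: closed | default-acl | open | unexpected: <entries> | restricted

conf_get() {    # last value of key $2 in file $1, whitespace stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

axfr_exposure() {
    conf=$1; expected=$2
    # disable-axfr=yes turns transfers off regardless of any ACL.
    if [ "$(conf_get "$conf" disable-axfr)" = "yes" ]; then
        echo "closed"; return 0
    fi
    acl=$(conf_get "$conf" allow-axfr-ips)
    if [ -z "$acl" ]; then
        # No explicit ACL: the built-in default applies (check your version's docs).
        echo "default-acl"; return 0
    fi
    extra=""
    for entry in $(echo "$acl" | tr ',' ' '); do
        case "$entry" in
            0.0.0.0/0|::/0) echo "open"; return 0 ;;   # anyone may transfer
        esac
        case " $expected " in
            *" $entry "*) ;;                            # a known secondary
            *) extra="$extra $entry" ;;                 # not on the expected list
        esac
    done
    if [ -n "$extra" ]; then echo "unexpected:$extra"; else echo "restricted"; fi
}

# Example: axfr_exposure /etc/pdns/pdns.conf "192.0.2.10 192.0.2.11"
if [ $# -ge 1 ]; then axfr_exposure "$@"; fi
```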
  8. Spork Schivago

    You're definitely right cPanelMichael. I gotta read up on this DNS stuff and learn it a lot better. I don't know much about it at all. Thanks for the links. When I get some time, I'll read through all of them.

    Thanks!
     
    cPanelMichael likes this.