The Community Forums


PCI scan. Dnssec-aware Resolver

Discussion in 'Bind / DNS / Nameserver Issues' started by Legin76, Jul 23, 2009.

  1. Legin76 (Well-Known Member)
    I've been trying to make a site meet PCI standards but am stuck on how to work around the Dnssec-aware Resolver issue, which to me isn't really a risk.

    The report shows the following, but I can't find any references to work around or fix it. Even on the DNSSEC forum there is nothing about this.

    Has anyone found a way to deal with this?

    Dnssec-aware Resolver 53/udp DNS

    Description
    The remote DNS resolver accepts DNSSEC options. This means that it may verify the authenticity of DNSSEC protected zones if it is
    configured to trust their keys.

    CVSS Score
    4.3

    CVSS Fingerprint
    AV:N/AC:M/Au:N/C:P/I:N/A:N

    Solution
    This is inherent to the DNSSEC specification. Firewall egress filtering rules may be applied to limit such information disclosure.

    Details
    None


    Server
    cPanel 11.24.4-S36281 - WHM 11.24.2 - X 3.9
    REDHAT Enterprise 5.3 i686 standard on server
     
  2. cPanelDavidG (cPanel Technical Product Specialist)
    Though the capability exists in both NSD and BIND to support DNSSEC, at this time, cPanel/WHM does not natively support DNSSEC. However, we are looking into supporting DNSSEC. (Cases 21610, 4386)
     
  3. Legin76 (Well-Known Member)
    I'm not sure it means that support needs to be added.

    I think it's saying that some functionality is already there, that it's a potential risk and that it needs to be disabled or removed.
     
  4. cPanelDavidG (cPanel Technical Product Specialist)
    I recommend you ask for clarification from the PCI compliance vendor you used.
     
  5. Legin76 (Well-Known Member)
    I've done this and their answer was

     
  6. cPanelDavidG (cPanel Technical Product Specialist)
    Try running chkconfig --list and let me know if you see anything there that would enable DNSSEC on your server.
     
  7. tesla_v (Registered)
    Same problem with my site using HackerSafe.

    Just wondering how to fix this, I was unable to find where any settings are for this.

    Name Dnssec-aware Resolver
    Category Other - DNS Severity Low High In PCI
    Impact Other Fix Difficulty Medium
    CVSS v2 Fingerprint AV:N/AC:M/Au:N/C:P/I:N/A:N CVSS Score 4.3 Detail
    Found On Resolve


    Description
    The remote DNS resolver accepts DNSSEC options. This means that it may verify the authenticity of DNSSEC protected zones if it is configured to trust their keys.


    General Solution
    This is inherent to the DNSSEC specification. Firewall egress filtering rules may be applied to limit such information disclosure.
     
  8. Legin76 (Well-Known Member)
    There is nothing that looks like it to me. See the attached file.
     

  9. cPanelDavidG (cPanel Technical Product Specialist)
    Please submit a support ticket for this issue so we can determine how DNSSEC was enabled on your system, so we can determine how to disable it: http://tickets.cPanel.net/submit
     
  10. bigonese (Member)
    please fill me in

    I am having the same issue come up when doing PCI compliance scans. I've tried disabling DNSSEC in the BIND config file (named.conf) with no luck. It seems something is enabling it on my server, too.

    If you come across a solution to this issue, please post!!!
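For reference, this is the shape of the change the post above describes trying. It is an added example, not the poster's named.conf and not anything cPanel ships: the two BIND 9 `options` statements that switch off DNSSEC processing on the server. The option names are the ones BIND 9 accepted in that era (they were later deprecated and removed from BIND 9.18), so confirm them against the installed version with `named -V` before relying on them.

```conf
// Added example (not from the thread): BIND 9 options that turn DNSSEC off.
options {
    // existing statements such as directory and listen-on stay as they are

    // Do not serve DNSSEC records or act on the DO bit of incoming queries.
    dnssec-enable no;

    // Do not validate signatures when answering recursive queries.
    dnssec-validation no;
};
```

After editing, check the syntax with `named-checkconf` and apply it with `rndc reload`, then re-run the scan. One caveat worth keeping in mind: the scanner text only says the server "accepts DNSSEC options", and the usual way a scanner decides that is to send a query with the EDNS DO bit set and see whether the reply echoes it (an assumption about the scanner, since the thread does not say how it tests). A server that answers EDNS queries at all can trip that test even with DNSSEC disabled, which is consistent with the vendor's later advice in this thread to treat the finding as a false positive.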
     
  11. Legin76 (Well-Known Member)
    After cPanel could not find anything, McAfee advised me to mark it as a false positive, but I'm not convinced it's completely disabled.
     
