The Community Forums


possible security problem

Discussion in 'General Discussion' started by silvernetuk, Feb 18, 2003.

  1. silvernetuk

    Hi,

    When in Windows DOS, if I do an nslookup command, then type server ns1.silverdns.com, then type ls silvernetuk.net, it lists the following:

    > ls silvernetuk.net
    [ns1.silverdns.com]
    silvernetuk.net. NS server = ns1.silverdns.com
    silvernetuk.net. NS server = ns2.silverdns.com
    silvernetuk.net. A 66.xxx.xx.2
    billing A 66.xxx.xx.2
    cp A 66.xxx.xx.2
    demosite A 66.xxx.xx.2
    forum A 66.xxx.xx.2
    forums A 66.xxx.xx.2
    ftp A 66.xxx.xx.2
    localhost A 127.0.0.1
    members A 66.xxx.xx.2
    olddesign A 66.xxx.xx.2
    support A 66.xxx.xx.2
    thesales A 66.xxx.xx.2
    >


    So I am doing the following commands to get this:

    C:\>nslookup
    Default Server: dns-loh-tb.proxy.aol.com
    Address: 195.93.33.134

    > server ns1.silverdns.com
    Default Server: ns1.silverdns.com
    Address: 66.xxx.xx.3

    > ls silvernetuk.net
    [ns1.silverdns.com]
    silvernetuk.net. NS server = ns1.silverdns.com
    silvernetuk.net. NS server = ns2.silverdns.com
    silvernetuk.net. A 66.xxx.xx.2
    billing A 66.xxx.xx.2
    cp A 66.xxx.xx.2
    demosite A 66.xxx.xx.2
    forum A 66.xxx.xx.2
    forums A 66.xxx.xx.2
    ftp A 66.xxx.xx.2
    localhost A 127.0.0.1
    members A 66.xxx.xx.2
    olddesign A 66.xxx.xx.2
    support A 66.xxx.xx.2
    thesales A 66.xxx.xx.2


    How do I stop it from listing the above when doing the nslookup command above? I have been told a lot of other hosts block this, as you can see from the one I have done on Yahoo:


    C:\>nslookup
    Default Server: dns-loh-tb.proxy.aol.com
    Address: 195.93.33.134

    > server ns5.yahoo.com
    Default Server: ns5.yahoo.com
    Address: 64.58.77.85

    > ls yahoo.com
    [ns5.yahoo.com]
    *** Can't list domain yahoo.com: Query refused

    How do I get mine to do that?

    Regards,
    Garry
     
  2. dgbaker

    In named.conf, between controls and zone, add options.

    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };

    };

    options {
    allow-transfer { none; };
    };


    zone "." {
    type hint;
    file "/var/named/named.ca";
    };



    Restart named.
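The `nslookup` / `ls` check in the first post is a manual zone-transfer (AXFR) request. After the `allow-transfer { none; };` change above and a restart, the same check can be scripted against your own nameserver to confirm the server now answers REFUSED. The script below is an added example, not code from the thread, cPanel or BIND: it hand-builds a DNS AXFR query with the standard library, sends it over TCP and reports the RCODE of the first reply. The server and zone in `main` are placeholders to replace with your own.

```python
"""Self-check that a nameserver refuses zone transfers (AXFR).

Added example; not from the forum thread, cPanel or BIND. It builds a DNS
AXFR query (QTYPE 252) with the standard library, sends it over TCP, and
reports the RCODE of the first reply: REFUSED means allow-transfer is doing
its job. The server/zone in main are placeholders to replace with your own.
"""
import socket
import struct

QTYPE_AXFR = 252   # RFC 1035: request a full zone transfer
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS message: 12-byte header plus one question of type AXFR, class IN."""
    # flags 0x0000: standard query, RD clear (transfers are never recursive)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_response(msg: bytes) -> dict:
    """Read id, RCODE and answer count from a DNS response header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def transfer_allowed(resp: dict) -> bool:
    """A server that permits AXFR answers NOERROR with at least one record
    (the opening SOA); REFUSED, or an empty answer, means it is blocked."""
    return resp["rcode"] == 0 and resp["answers"] > 0


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full reply")
        buf += chunk
    return buf


def check_zone_transfer(server: str, zone: str, timeout: float = 5.0) -> dict:
    """Send one AXFR query over TCP (2-byte length prefix) and parse the first
    reply. A permitted transfer would continue with more messages; the first
    one is enough to decide whether the server refused."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return parse_response(_recv_exact(sock, length))


if __name__ == "__main__":
    # Placeholders: point these at your own nameserver and a zone it serves.
    SERVER, ZONE = "ns1.example.net", "example.net"
    result = check_zone_transfer(SERVER, ZONE)
    verdict = "OPEN, fix allow-transfer" if transfer_allowed(result) else "blocked"
    print(f"AXFR {ZONE} @ {SERVER}: {result['rcode_name']} ({verdict})")
```

Run it from a machine outside the `allow-transfer` list; a server configured as in the post above answers REFUSED, which is the same "Query refused" the first post saw from Yahoo's nameserver.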
     
  3. silvernetuk

    Hi David,

    Thank you for that :D

    Regards,
    Garry
     
  4. casey

    Hi guys,

    I tried this, and it caused BIND to fail. Did I do something wrong?
    After removing the code, BIND works fine, but I'd really like this option...
    Can't have it both ways?
     
  5. dgbaker

    Did you restart named after making change?
    Are you editing it with pico or vi?
    Editing /etc/named.conf?

    This shouldn't cause BIND to fail at all. Check for typos and exact syntax. Also ensure that it is exactly where it is required and that there is no zone info before it.
     
  6. casey

    I'm editing with pico.
    etc/named.conf

    However, all I did was restart BIND. How do I restart named?

    Thanks,

    Casey
     
  7. dgbaker

    Easiest in SSH:
    cd /etc/init.d
    ./named restart
     
  8. ecoutez

    If BIND (which IS named) fails to start, look at the tail of /var/log/messages and you'll find the reason. Most likely a syntax error, like a missing or extra ;

    - Jason
     
  9. casey

    It says,

    Mar 11 20:08:21 server2 named[9250]: no longer listening on 162.42.211.135#53
    Mar 11 20:08:21 server2 named[9247]: exiting
    Mar 11 20:08:21 server2 named: named shutdown succeeded
    Mar 11 20:08:21 server2 named[9290]: starting BIND 9.2.1 -u named
    Mar 11 20:08:21 server2 named[9290]: using 1 CPU
    Mar 11 20:08:21 server2 named[9293]: loading configuration from '/etc/named.conf'
    Mar 11 20:08:21 server2 named[9293]: /etc/named.conf:28: 'options' redefined near 'options'
    Mar 11 20:08:21 server2 named[9293]: loading configuration: already exists
    Mar 11 20:08:21 server2 named[9293]: exiting (due to fatal error)
    Mar 11 20:08:21 server2 named: named startup failed


    I copied and pasted it in between the lines above, just as David said to do.
     
    #9 casey, Mar 11, 2003
    Last edited: Mar 18, 2003
  10. Juanra

    That simply means that you've got two

    options {

    };

    blocks, but you must only have one.
     
  11. casey

    Yahoo! That did it. Thanks Juanra, Jason, and David!
     
  12. jamesbond

    Sorry for digging up this old thread, but I was wondering the following:
    if ns2 is on the same server as ns1, is it then necessary to add the IP address of ns2 to allow-transfer as well?

    Also, I noticed some people put 127.0.0.1 in there, but that's not necessary, is it?
     
  13. chirpy

  14. jamesbond

    I was looking at that one as well. I know it's probably not necessary but I've added 127.0.0.1, ns1, ns2 and the main ip just to be on the safe side :)

    What I have now is this:

    acl trusted {
    127.0.0.1;
    ns1 ip;
    ns2 ip;
    main ip;
    };

    options {
    version "currently unavailable";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    };

    I was also looking at the allow-query command. Doesn't it make sense to only allow queries for domains that belong to your server (or network) instead of allowing queries for any domain? Or does allow-recursion already take care of this?
     
  15. chirpy

    Yup. You don't want to block allow-query, otherwise your domains won't resolve. allow-recursion stops outsiders using your server for DNS resolution of zones not on your server, which could cause more issues than the primary issue of allowing full zone transfers.
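Two things in this thread are easy to get wrong by hand: the duplicated top-level `options` block that made named exit with "'options' redefined" (posts #9 and #10), and the access lists chirpy describes just above (keep `allow-query` open so your zones resolve, restrict `allow-recursion` and `allow-transfer`). The script below is an added example, not code from the thread, cPanel or BIND: a minimal named.conf parser written here for the audit (BIND's real grammar is larger), with constructed sample configs. It flags a duplicated options block, a missing or `any` allow-transfer or allow-recursion, and an allow-query that is limited to a list. `named-checkconf` remains the authoritative syntax check before restarting named.

```python
"""Audit a BIND named.conf for the problems raised in this thread: a duplicated
top-level options block (named exits with "'options' redefined") and access
controls that are missing or too loose (allow-transfer, allow-recursion,
allow-query). Added example, not from the thread, cPanel or BIND; the parser is
a minimal one written here, and named-checkconf stays the authoritative check.
"""
import re


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def tokenize(text):
    """Split into braces, semicolons, quoted strings and bare words."""
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};]+', strip_comments(text))


def parse(tokens, pos=0):
    """Return (statements, next_pos); a statement is (words, children) where
    children is the nested list of a { ... } block, or None for a plain one."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            children, pos = parse(tokens, pos + 1)
            stmts.append((words, children))
            words = []
        elif tok == "}":
            return stmts, pos + 1
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words, pos = [], pos + 1
        else:
            words.append(tok)
            pos += 1
    return stmts, pos


def audit(conf_text):
    """Return (code, message) findings; an empty list means the file is clean."""
    stmts, _ = parse(tokenize(conf_text))
    blocks = [c for w, c in stmts if w and w[0] == "options" and c is not None]
    if not blocks:
        return [("no-options", "no options block: add one holding allow-transfer")]
    findings = []
    if len(blocks) > 1:
        findings.append(("dup-options", f"{len(blocks)} top-level options blocks: "
                         "named will not load ('options' redefined); merge them"))
    # Collect address lists from every options block (later ones win), so the
    # audit shows what was intended even when named itself rejects the file.
    lists = {}
    for block in blocks:
        for words, children in block:
            if words and children is not None:
                lists[words[0]] = [w[0] for w, _ in children if w]
    transfer = lists.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append(("open-transfer", "allow-transfer missing or 'any': anyone "
                         "can pull whole zones, as nslookup ls showed"))
    recursion = lists.get("allow-recursion")
    if recursion is None or "any" in recursion:
        findings.append(("open-recursion", "allow-recursion missing or 'any': "
                         "outsiders can resolve through this host (BIND 9.2 default)"))
    query = lists.get("allow-query")
    if query is not None and "any" not in query:
        findings.append(("restricted-query", "allow-query limited in options: "
                         "your own zones stop resolving for the public"))
    return findings


# Constructed sample configs; addresses and zone names are placeholders.
BROKEN = """
options { allow-transfer { none; }; };   // pasted in as advised ...
zone "." { type hint; file "/var/named/named.ca"; };
options { directory "/var/named"; };     // ... while the stock block remains
"""
OPEN = 'options { directory "/var/named"; };\nzone "example.net" { type master; };'
HARDENED = """
acl trusted { 127.0.0.1; 192.0.2.10; 192.0.2.11; };  # localhost, ns1, ns2
options {
    version "currently unavailable";
    allow-query { any; };          /* authoritative answers stay public */
    allow-recursion { trusted; };
    allow-transfer { trusted; };
};
zone "example.net" { type master; file "/var/named/example.net.db"; };
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("open", OPEN), ("hardened", HARDENED)):
        findings = audit(conf)
        print(f"{name}: {'clean' if not findings else ''}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Running it prints `dup-options` for the pasted-in second block from post #9, `open-transfer` and `open-recursion` for a stock file with no access lists, and nothing for the `acl trusted` layout from post #14 once `allow-query { any; }` is left open as chirpy advises.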
     