The Community Forums


refuse DNS queries from all except authorized hosts/networks for BIND (PCI CVE-2006-0987)

Discussion in 'Security' started by sleepin4ever, Sep 6, 2014.

  1. sleepin4ever

    sleepin4ever Registered

    Sep 6, 2014
    cPanel Access Level: Website Owner
    Our PCI scanner caught a CVE for DNS querying. The problem is "It is possible to send a query for the root zone (.) to the DNS server, and get an answer that is much larger than the query (often more than 20 times in size). An attacker could spoof the source IP address of the query, causing the DNS server to respond to the source IP with the larger answer. An attacker could focus these answers on a single target, resulting in a Denial of Service for that IP. ..."

    The solution is "First, if the DNS server allows for recursive queries, then the server should be configured to refuse queries from all except authorized hosts/networks. If the DNS server is non-recursive, then it should only answer queries for zones that it is authoritative. BIND 9.3 and later can accomplish this by adding an 'allow-query' statement to the global config that restricts queries to only trusted networks, and then adding 'allow-query {any;}' to authoritative zone configurations."

    I went into the BIND config file but it clearly states that any edits will be overwritten by WHM/cPanel when it is upgraded.

    How can I achieve this through WHM?
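As an added illustration of the hardening the scanner text above describes (not the cPanel named.conf template, and not something to paste into a cPanel-managed /etc/named.conf, which WHM overwrites), here is what the global `allow-query` restriction plus a per-zone `allow-query { any; }` override looks like in BIND 9 syntax. The `trusted` ACL name, the 192.0.2.0/24 management network and the `example.com` zone are assumptions made up for the example.

```conf
// Added example: BIND 9 options implementing the scanner's recommendation.
// Not cPanel's template; ACL, network and zone names are placeholders.

acl "trusted" {
    127.0.0.0/8;        // the host itself
    192.0.2.0/24;       // assumed management network (TEST-NET-1, placeholder)
};

options {
    directory "/var/named";

    // Authoritative-only server: never recurse on behalf of arbitrary clients.
    recursion no;
    allow-recursion { trusted; };

    // Global default. Without this line BIND answers queries from anyone,
    // including queries for the root zone ".", which is what the scanner
    // flagged. With it, an untrusted client querying "." gets REFUSED.
    allow-query { trusted; };

    // Cached data (root hints, glue) is also withheld from untrusted clients
    // (allow-query-cache exists in BIND 9.4 and later).
    allow-query-cache { trusted; };

    // Keep answers small: no optional additional-section records.
    minimal-responses yes;
};

// Each authoritative zone overrides the global default so that the zones
// this server is actually responsible for are still served to the world.
zone "example.com" IN {
    type master;
    file "example.com.db";
    allow-query { any; };
};
```

After applying a change like this, `named-checkconf /etc/named.conf` validates the syntax, and from an address outside the trusted ACL a query such as `dig @your.server.example . NS` should come back with `status: REFUSED` while `dig @your.server.example example.com SOA` is still answered, which is exactly the pair of results the PCI scanner is looking for.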

  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level: Root Administrator
    Hello :)

    CVE-2006-0987 was addressed in cPanel version 11.44 with internal case number 94901:

    Fixed case 94901: Updated options in named.conf template.

    This ensures the configuration neither allows recursive queries, nor provides additional delegation information to arbitrary IP addresses (external view). However, please ensure you rebuild the /etc/named.conf file from scratch to utilize the updated template:

    mv /etc/named.conf /etc/named.conf.backup1

    Thank you.
