Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Securing DNS zones

Discussion in 'Bind / DNS / Nameserver Issues' started by AbeFroman, Oct 4, 2004.

Page 1 of 2
  1. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    What is the best way to secure dns zones?

    If someone breaches access to one server they have access to all dns zones and can easily delete them all or point them somewhere else.

    Is it possible to protect them with:
    chattr +i /var/named/*

    Are there anyother ways to protect them?
     
    #1 AbeFroman, Oct 4, 2004
  2. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    OMG DUDE, you claim to be a security expert and you ask all these stupid questions relating to simple security stuff.

    Besides if someone gains root access to your server, whats to stop them from chattr -i them? Nothing at all.
     
    #2 StevenC, Oct 5, 2004
    Last edited: Oct 5, 2004
  3. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    yeah chattr +i them.. yeah thats a good thing..

    then what happens to cpanel when it needs to edit or add new ones yeah.. good thing...

    NOT
     
    #3 Sheldon, Oct 5, 2004
  4. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    It would be possible to make cpanel chattr -i them and chattr +i after work is done by modifying

    /usr/local/cpanel/whostmgr/bin/dnsadmin
     
    #4 StevenC, Oct 5, 2004
  5. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    oh well see I didnt know...
     
    #5 Sheldon, Oct 5, 2004
  6. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    how many times do you need to change a sites ip?

    chattr would not prevent you form adding new ones.
     
    #6 AbeFroman, Oct 5, 2004
  7. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    This defeats the purpose of chattr +i'ing them in the first place.

    DNS zones arent something that regularly changes.
     
    #7 AbeFroman, Oct 5, 2004
  8. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    How could the chattr -i all files on my dns server remotely from one of my other servers? If you can do that you truely are THEE expert, you know more than any hacker and any linux expert in the world.
     
    #8 AbeFroman, Oct 6, 2004
  9. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    532
    Likes Received:
    0
    Trophy Points:
    166
    umm... he said root access on your server.. he didn't say anything about doing remotely, I don't know where you got that.

    I do find it odd that a supposed 'security expert' is asking basic security questions on forums.
     
    #9 dezignguy, Oct 6, 2004
  10. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    166
    Ye, thats a good one now isn't it?
     
    #10 mr.wonderful, Oct 6, 2004
  11. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Obviously my dns server (where the dns zones are that Im chattr -i'ing) is seperate machine.
     
    #11 AbeFroman, Oct 6, 2004
  12. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Appearently the wording of my question isnt obvious and has confused a couple "security experts" here.

    Let me rephase the first sentence for those "security experts" that are a little slow.
    If someone breaches access to one server, other than my primary DNS server and my secondary DNS server which only has a couple ports open and is so secure that Im not worried about someone hacking, they have access to all dns zones and can easily delete them all or point them somewhere else.
     
    #12 AbeFroman, Oct 6, 2004
  13. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    I found it pretty funny, he seriously claims to know security???
     
    #13 AbeFroman, Oct 6, 2004
  14. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Obviously cpanel has overlooked this serious security issue, so if I'm securing holes that there entire staff, including there own top security expert, left open, I'd say I'm at the expert level. I have one way of doing it and want to know if there are any others or see if anyone else has ideas that the can contribute.
     
    #14 AbeFroman, Oct 6, 2004
  15. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    Abeforman you are a complete idiot. I said what if they gain root access to your server. Lets say a exploit for sshd or bind is released. They exploit it and gain root access, they then can chattr -i them.

    my statement about this

    Which you are to thick to understand. WHen ever you add a new domain it will not be chattr +i, that will chattr +i them after they are added. It will also unchattr the domain if you need to change the ip and chattr +i it again once it is done modifying.

    You are the one faking being a security expert. Do i need to bring up the threads again where you were hacked and asking for help on how to cleanup/secure less then 1 month ago?
     
    #15 StevenC, Oct 6, 2004
  16. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166

    They can change all the time. I make LOTS of changes for my clients.
     
    #16 StevenC, Oct 6, 2004
  17. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    532
    Likes Received:
    0
    Trophy Points:
    166
    No one, except you, is claiming to be a 'security expert' here.

    The question is why do they have access to all your dns zones from a remote server? Are you using cpanel dns clustering or some weird setup? I'm not really familiar with how that works so I can't knowledgably comment on that.

    But I use cpanel for dns management, no clustering, and I've locked down bind, and disabled recursion and zone transfers, and my dns info can't be changed remotely. Obviously, you have problems with your setup if what you say is true.
     
    #17 dezignguy, Oct 7, 2004
  18. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Yeah, this makes a lot of sense.
     
    #18 AbeFroman, Oct 7, 2004
    Last edited: Oct 7, 2004
  19. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Very unlikely, I seriously doubt that.

    I make changes for less than 0.01% and for those slim few I can manually log into the dns server, chattr -i then chattr +i
     
    #19 AbeFroman, Oct 7, 2004
  20. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    318
    Yes, I am using clustering, if your not using clustering your using trust keys which gives anyone complete root access to you dns server, hense the reason trust keys are depreciated. With clustering you can modify and dns zone on a stand alone dns server even if that zone is non the server you have access to.
     
    #20 AbeFroman, Oct 7, 2004
(You must log in or sign up to post here.)
Page 1 of 2
Loading...
Similar Threads - Securing zones
  1. lukapaunovic

    Securing server without CloudLinux question

    lukapaunovic, Aug 19, 2017, in forum: Security
    Replies:
    6
    Views:
    137
    cPanelMichael
    Aug 22, 2017
  2. jazee

    Securing WHM (and SSH)

    jazee, Jul 2, 2017, in forum: Security
    Replies:
    2
    Views:
    226
    cPanelMichael
    Jul 3, 2017
  3. Spork Schivago

    Help securing rpcbind

    Spork Schivago, Jun 14, 2017, in forum: Security
    Replies:
    4
    Views:
    242
    Spork Schivago
    Jun 14, 2017
  4. Travis Owens

    Securing Ports 2082 and 2086 (SSL)

    Travis Owens, Mar 30, 2017, in forum: Data Protection
    Replies:
    1
    Views:
    334
    cPanelMichael
    Mar 30, 2017
  5. Jay C. Burton

    SOLVED Securing mail on Hosting Accounts

    Jay C. Burton, Dec 20, 2016, in forum: Security
    Replies:
    1
    Views:
    261
    cPanelChrisI
    Dec 20, 2016

Share This Page