The Community Forums


Securing DNS zones

Discussion in 'Bind / DNS / Nameserver Issues' started by AbeFroman, Oct 4, 2004.

  1. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    What is the best way to secure DNS zones?

    If someone breaches access to one server, they have access to all DNS zones and can easily delete them all or point them somewhere else.

    Is it possible to protect them with:
    chattr +i /var/named/*

    Are there any other ways to protect them?
     
  2. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    OMG DUDE, you claim to be a security expert and you ask all these stupid questions relating to simple security stuff.

    Besides, if someone gains root access to your server, what's to stop them from chattr -i'ing them? Nothing at all.
     
    #2 StevenC, Oct 5, 2004
    Last edited: Oct 5, 2004
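StevenC's point above (root can simply run chattr -i) means the immutable bit is not a control against the compromise the thread is worried about; it is at best a speed bump. What a practitioner can still do is detect the change from somewhere the attacker does not control. The following is an added example, not code from this thread or from cPanel: a small Python integrity monitor that hashes every file in a zone directory, compares it against a baseline taken earlier, and for each modified zone reports which A records now point at a different address. The zone contents, file names, addresses (RFC 5737 documentation ranges) and the tampering it simulates are all constructed for the example.

```python
"""Added example: detect deleted, modified or redirected BIND zone files by
comparing the live zone directory against a baseline of SHA-256 digests.
Keep the baseline and the reference copies on a separate monitoring host:
anyone with root on the DNS server can strip the immutable bit and rewrite
a baseline that lives next to the zones."""
import hashlib
import os
import re
import tempfile

# Constructed sample zones (RFC 5737 documentation addresses), not real data.
ZONE_COM = """$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2004100401 3600 900 604800 86400 )
@    IN NS  ns1.example.com.
@    IN A   192.0.2.10
www  IN A   192.0.2.10
mail IN A   192.0.2.25
"""
ZONE_NET = ZONE_COM.replace("example.com", "example.net")
# What a hijacked copy looks like: www now points at an attacker-controlled host.
ZONE_COM_HIJACKED = ZONE_COM.replace("www  IN A   192.0.2.10", "www  IN A   198.51.100.66")

# owner [ttl] IN A address  (the record shape used in the sample zones above)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)", re.MULTILINE)


def snapshot(zone_dir):
    """Map each regular file in zone_dir to its SHA-256 hex digest."""
    digests = {}
    for name in sorted(os.listdir(zone_dir)):
        path = os.path.join(zone_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify every zone file as deleted, added or modified since the baseline."""
    return {
        "deleted": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
    }


def a_records(zone_text):
    """Owner name -> IPv4 address for every A record in a zone file."""
    return dict(A_RECORD.findall(zone_text))


def redirected(old_text, new_text):
    """Owners whose A record now resolves elsewhere: owner -> (old address, new address)."""
    old, new = a_records(old_text), a_records(new_text)
    return {o: (old[o], new[o]) for o in old if o in new and old[o] != new[o]}


def _write(zone_dir, name, text):
    with open(os.path.join(zone_dir, name), "w") as fh:
        fh.write(text)


def demo():
    """Take a baseline, simulate a compromised peer rewriting one zone and
    deleting another, and return the tamper report."""
    with tempfile.TemporaryDirectory() as zone_dir:
        _write(zone_dir, "example.com.db", ZONE_COM)
        _write(zone_dir, "example.net.db", ZONE_NET)
        baseline = snapshot(zone_dir)
        off_box_copy = {"example.com.db": ZONE_COM}  # reference text kept on the monitoring host
        # Tampering as the thread describes it: point a zone elsewhere, delete another.
        _write(zone_dir, "example.com.db", ZONE_COM_HIJACKED)
        os.remove(os.path.join(zone_dir, "example.net.db"))
        report = compare(baseline, snapshot(zone_dir))
        report["redirected"] = {}
        for name in report["modified"]:
            with open(os.path.join(zone_dir, name)) as fh:
                report["redirected"][name] = redirected(off_box_copy[name], fh.read())
        return report


if __name__ == "__main__":
    print(demo())
```

In practice snapshot() runs from cron on the monitoring host over a copy pulled by rsync or AXFR, the baseline and reference copies stay there, and any non-empty deleted, modified or redirected list raises an alert. Detection does not stop the deletion, but it turns "all zones silently pointed elsewhere" into something noticed in minutes rather than when customers call.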
  3. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Yeah, chattr +i them... yeah, that's a good thing...

    Then what happens to cPanel when it needs to edit or add new ones? Yeah... good thing...

    NOT
     
  4. StevenC

    It would be possible to make cPanel chattr -i them and chattr +i after work is done by modifying

    /usr/local/cpanel/whostmgr/bin/dnsadmin
     
  5. Sheldon

    Oh well, see, I didn't know...
     
  6. AbeFroman

    How many times do you need to change a site's IP?

    chattr would not prevent you from adding new ones.
     
  7. AbeFroman

    This defeats the purpose of chattr +i'ing them in the first place.

    DNS zones aren't something that regularly changes.
     
  8. AbeFroman

    How could they chattr -i all files on my DNS server remotely from one of my other servers? If you can do that you truly are THE expert; you know more than any hacker and any Linux expert in the world.
     
  9. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Umm... he said root access on your server... he didn't say anything about doing it remotely. I don't know where you got that.

    I do find it odd that a supposed 'security expert' is asking basic security questions on forums.
     
  10. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    0
    Yeah, that's a good one now, isn't it?
     
  11. AbeFroman

    Obviously my DNS server (where the DNS zones are that I'm chattr -i'ing) is a separate machine.
     
  12. AbeFroman

    Apparently the wording of my question isn't obvious and has confused a couple of "security experts" here.

    Let me rephrase the first sentence for those "security experts" that are a little slow.
    If someone breaches access to one server, other than my primary DNS server and my secondary DNS server, which only has a couple of ports open and is so secure that I'm not worried about someone hacking it, they have access to all DNS zones and can easily delete them all or point them somewhere else.
     
  13. AbeFroman

    I found it pretty funny, he seriously claims to know security???
     
  14. AbeFroman

    Obviously cPanel has overlooked this serious security issue, so if I'm securing holes that their entire staff, including their own top security expert, left open, I'd say I'm at the expert level. I have one way of doing it and want to know if there are any others, or see if anyone else has ideas that they can contribute.
     
  15. StevenC

    AbeFroman, you are a complete idiot. I said what if they gain root access to your server. Let's say an exploit for sshd or BIND is released. They exploit it and gain root access; they then can chattr -i them.

    My statement about this:

    Which you are too thick to understand. Whenever you add a new domain it will not be chattr +i'd; that will chattr +i them after they are added. It will also unchattr the domain if you need to change the IP and chattr +i it again once it is done modifying.

    You are the one faking being a security expert. Do I need to bring up the threads again where you were hacked and asking for help on how to clean up/secure less than 1 month ago?
     
  16. StevenC

    They can change all the time. I make LOTS of changes for my clients.
     
  17. dezignguy

    No one, except you, is claiming to be a 'security expert' here.

    The question is why do they have access to all your DNS zones from a remote server? Are you using cPanel DNS clustering or some weird setup? I'm not really familiar with how that works, so I can't knowledgeably comment on that.

    But I use cPanel for DNS management, no clustering, and I've locked down BIND, disabled recursion and zone transfers, and my DNS info can't be changed remotely. Obviously, you have problems with your setup if what you say is true.
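dezignguy's lockdown (recursion off, zone transfers restricted) is about what the network can do to BIND itself, which is a separate exposure from what a trusted cluster peer is allowed to push. The following is an added example, not code from this thread, from cPanel or from ISC: a Python checker that pulls the statements out of the options block of a named.conf, flags an open resolver, unrestricted allow-transfer and a disclosed version string, and runs against a constructed weak configuration and a hardened one that restricts transfers to a TSIG key plus one secondary address. The key name, secret, addresses and both configurations are placeholders made up for the example, and the parser handles only the statement shapes shown, not the full named.conf grammar.

```python
"""Added example: audit the options block of a BIND named.conf for the
exposures dezignguy's post describes (open recursion, open zone transfers)
plus version disclosure. Simplified parser, not a full named.conf grammar."""
import re

# Constructed configurations for the example. The TSIG secret is a placeholder.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
"""

HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1wbGFjZWhvbGRlci1zZWNyZXQ=";
};

options {
    directory "/var/named";
    recursion no;
    allow-transfer { key "xfer-key"; 192.0.2.53; };
    version "not disclosed";
};
"""

# name value;  where value is a one-level { ... } block or a bare token / quoted string
STATEMENT = re.compile(r'([a-z][a-z-]*)\s+(\{[^}]*\}|[^;{]+?)\s*;')


def extract_block(text, header):
    """Return the text inside the braces of `header { ... }`, honouring nested braces."""
    m = re.search(r'\b' + re.escape(header) + r'\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def options_statements(conf):
    """Map statement name -> raw value for the global options block."""
    body = extract_block(conf, "options") or ""
    return {name: value.strip() for name, value in STATEMENT.findall(body)}


def acl_allows_any(acl):
    """True if an address-match list admits everyone (any, 0.0.0.0/0 or ::/0)."""
    entries = [e.strip() for e in acl.strip().strip("{}").split(";")]
    return any(e in ("any", "0.0.0.0/0", "::/0") for e in entries)


def audit(conf):
    """Return {check: finding} for the weak settings found; an empty dict means clean."""
    opts = options_statements(conf)
    findings = {}
    # A missing ACL is treated as open: allow-transfer still defaults to any, and
    # allow-recursion defaulted to any until BIND 9.4. Explicit is the only safe state.
    if opts.get("recursion", "yes") != "no" and acl_allows_any(opts.get("allow-recursion", "{ any; }")):
        findings["recursion"] = ("open resolver: recursion is on and allow-recursion is not "
                                 "restricted (cache poisoning, amplification)")
    if acl_allows_any(opts.get("allow-transfer", "{ any; }")):
        findings["allow-transfer"] = "zone transfers unrestricted: anyone can AXFR every zone and enumerate hosts"
    if "version" not in opts:
        findings["version"] = "version string not overridden: 'dig CH TXT version.bind' reveals the BIND release"
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

On an authoritative-only server the hardened shape is the one to aim for: recursion off outright, transfers limited to the secondaries (by TSIG key rather than by address alone, since addresses are spoofable on UDP-adjacent paths and shared on multi-tenant hosts), and the version string replaced. None of this constrains a cluster peer that authenticates to dnsadmin, which is the gap the original poster is describing.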
     
  18. AbeFroman

    Yeah, this makes a lot of sense.
     
    #18 AbeFroman, Oct 7, 2004
    Last edited: Oct 7, 2004
  19. AbeFroman

    Very unlikely, I seriously doubt that.

    I make changes for less than 0.01%, and for those slim few I can manually log into the DNS server, chattr -i, then chattr +i.
     
  20. AbeFroman

    Yes, I am using clustering. If you're not using clustering you're using trust keys, which gives anyone complete root access to your DNS server, hence the reason trust keys are deprecated. With clustering you can modify any DNS zone on a stand-alone DNS server even if that zone is not on the server you have access to.
     