security problem: cpanel allows DNS zonetransfers for everyone!

Status
Not open for further replies.

cyberspirit

Jun 27, 2003
I just found out that the way cPanel sets up and handles DNS allows zone transfers of all zones to everyone!
There is a concept of security through obscurity, and it is quite dangerous to allow zone transfers to just everyone.
With a whole zone file a hacker pretty much has a map of what you have, and host names like testing or beta often give away clues to people who want to break in.
The standard should be to allow zone transfers only to authorized IPs, mostly secondary DNS servers.
On another note, the cPanel DNS server can be used for queries by pretty much anyone, which adds load to the server as more and more people use it.
The correct way should be to not offer recursive answers to the outside world and only allow recursive behaviour for the host itself.
I will post tonight a changed named.conf file for everyone to use to close this hole!


mjm2

Oct 3, 2003
Thanks cyber.

When making updates, will WHM overwrite the changed named.conf file?


dgbaker

Sep 20, 2002
The quickest and easiest way to block this is to do the following:

edit /etc/named.conf

add the following just before logging

options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master); };
};

save it and restart named.

Also cPanel will NOT overwrite this change.

To test, run nslookup from your desktop
C:\>nslookup
Default Server: nsctor1.bellnexxia.net
Address: 209.226.175.223

>

type
> ls domain.com

You should get something like the following:

> ls virtual-hosting.ca
[nsctor1.bellnexxia.net]
*** Can't list domain virtual-hosting.ca: Query refused
 

cyberspirit

Jun 27, 2003
Ok,
Here is the promised solution:

Create a directory /var/log/named and chgrp and chown it to named.

Then edit the /etc/named.conf file like this:

Right after the controls statement add an acl statement like this:

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};

In the acl statement the IP addresses stand for trusted addresses, like your nameserver IPs or any additional IPs that need permission for zone transfers and recursive answers. This could be, for example, your client IP for testing.

Then go further down into the options statement and add this in a line right after the query-source address line, so it looks like this:


// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {
channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default {
"mylog";
};
category general {
"mylog";
};
};



Then go into WHM and restart BIND. Watch for the message in WHM that says restart bind ok. If it does not start fine, go into /var/log/messages and it will tell you which line in named.conf has a problem.
 

Website Rob

Mar 23, 2002
Then go further down into the options statement...

I was good up to that point. My named.conf file does not have the entries mentioned: version, logging, etc.

Are we in another file now or doing some customization?
 

cyberspirit

Jun 27, 2003
Website Rob,
Your named.conf file should have at least an options statement. The logging statement and all the other stuff you have to add manually if you do not have it - that was the purpose of the thread. ;-)
 

Website Rob

Mar 23, 2002
Having come across the scam being run by "whois.sc", this thread has taken on a higher level of importance with me. So to make sure I'm editing correctly -- it's so stressful making these types of changes on a production server ;) -- let's see if I have the following correct.

After creating a directory "/var/log/named" and chgrp and chown it to named, the "/etc/named.conf" file is edited thusly:


controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};


acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};


options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master);

// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {

channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};

category default {
"mylog";
};

category general {
"mylog";
};

};


zone "." {
type hint;
file "/var/named/named.ca";
};

Rest of "zone" entries.


Is that correct?
 

cyberspirit

Jun 27, 2003
Looks good to me. Restart BIND and check /var/log/messages for any errors in the named.conf file detected during BIND startup.
 

Website Rob

Mar 23, 2002
Ok, that was sort of exciting -- what with the errors and all. Results of error log showed the following:

One problem I fixed:
allow-transfer { IP's that are allowed (slaves/master); << that was a trick entry, right? ;)

One problem I think I know how to fix:
acl "trusted" << this requires all IPs registered to the Server - yes/no?

Remaining problems:
unknown option 'logging' << no idea what's going on with this.
-and-
unknown option 'zone' << I think this is related though, to the syntax error mentioned above.

So, has anyone successfully initiated this code and willing to share their experience?
 

ee99ee

Aug 15, 2003
Originally posted by Website Rob
Having come across the scam being run by "whois.sc", this thread has taken on a higher level of importance with me. So to make sure I'm editing correctly -- it's so stressful making these types of changes on a production server ;) -- let's see if I have the following correct.

After creating a directory "/var/log/named" and chgrp and chown it to named, the "/etc/named.conf" file is edited thusly:


controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};


acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};


options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master);

// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {

channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};

category default {
"mylog";
};

category general {
"mylog";
};

};


zone "." {
type hint;
file "/var/named/named.ca";
};

Rest of "zone" entries.


Is that correct?
How does that stop whois.sc?

-ee99ee
 

rpmws

Aug 14, 2001
ee99ee said:
How does that stop whois.sc?

-ee99ee
It doesn't. This thread should be followed regardless. Whois.sc uses regular lookups, stores them in a database and then uses cross queries on their own system to display results of how many sites are on an IP. I may be wrong but I ***think*** this is how they do it. If it's not the way they do it, then I know that they **could** do it this way if they wanted.

All they have to do is do lookups for IPs for every domain name, store the results in a database and then allow queries for a domain or IP. That IP is then found in x# of other records. Then they tell you (321) other sites ..bla bla bla
 

jeffheld

Jan 7, 2004

chirpy

Jun 15, 2002
Well, logging separately isn't really necessary, but if you want it, the chown command is:

chown -R named:named /var/log/named

If you do a chown that way, there's no need for a chgrp.
 

mahdionline

Oct 18, 2003
dgbaker said:
The quickest and easiest way to block this is to do the following;

edit /etc/named.conf

add the following just before logging

options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master); };
};

save it and restart named.

Also cPanel will NOT overwrite this change.

To test, run nslookup from your desktop
C:\>nslookup
Default Server: nsctor1.bellnexxia.net
Address: 209.226.175.223

>

type
> ls domain.com

You should get something like the following;

> ls virtual-hosting.ca
[nsctor1.bellnexxia.net]
*** Can't list domain virtual-hosting.ca: Query refused
I followed these instructions, but in nslookup.exe it shows me the list of names! What's the problem?

Regards
 

jsteel

Jul 4, 2002
jeffheld said:
find out if your dns server is fuc*i* lame.
dnsstuff.com

http://www.dnsstuff.com/tools/lookup.ch?name=cpanel.net&type=ALL

should look like the above. Also...

http://www.dnsreport.com/tools/dnsreport.ch?domain=cpanel.net

will give you more info and let you know what needs to be set up correctly. Otherwise.. hand over your IP :P
Don't trust everything at dnsreport.com. They will red flag things that are still permissible by the DNS RFC (such as stealth nameservers). It unfortunately can give people a false sense that something is wrong, when in fact there is nothing wrong.
 

icanectc

Mar 10, 2003
This is what I get:

Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

Line 21 is: allow-transfer { IP's that are allowed (slaves/master);
 

chirpy

Jun 15, 2002
icanectc said:
This is what I get:

Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

LINE 21 is : allow-transfer { IP's that are allowed (slaves/master);
Well, it should read:

allow-transfer { IP's that are allowed (slaves/master); };

Note the number of semi-colons. So, if you want to allow transfer requests from 11.22.33.44 and 44.33.22.11, then that line would look like this:

allow-transfer { 11.22.33.44; 44.33.22.11; };
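The recurring problems in this thread are (a) an options block that never restricts allow-transfer or allow-recursion, so every zone stays listable by anyone, and (b) a match list that is not a list of addresses or acl names and is missing its closing semicolon, which is exactly what named complained about in icanectc's log. The following Python script is an added example, not code from this thread, cPanel or the BIND project: it audits a named.conf text for both conditions, the way an administrator would check a config before reloading BIND. The three configs inside it are constructed samples modelled on the snippets above (the placeholder line is the one from dgbaker's post), and the audit only understands IPv4 addresses/prefixes, the built-in match-list names, key references and acl names defined in the same file.

```python
"""Audit a BIND named.conf for unrestricted zone transfers / recursion and
for malformed address match lists. Added example; the configs below are
constructed samples, not a real server's configuration."""
import re

# IPv4 address or prefix, optionally negated with '!' (IPv6 is not handled here)
IP_RE = re.compile(r"^!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
BUILTIN = {"any", "none", "localhost", "localnets"}

OPEN_CONF = """
options {
    directory "/var/named/";
};
zone "example.test" { type master; file "example.test.db"; };
"""

HARDENED_CONF = """
acl "trusted" { 1.2.3.4; 2.3.4.5; 127.0.0.1; };
options {
    directory "/var/named/";
    version "not currently available";
    allow-recursion { trusted; };
    allow-transfer { trusted; };
};
zone "example.test" { type master; file "example.test.db"; };
"""

# The placeholder line copied verbatim into a config, as in the thread
BROKEN_CONF = """
options {
    directory "/var/named/";
    version "Not telling you";
    allow-transfer { IP's that are allowed (slaves/master);
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot confuse the parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, keyword):
    """Return the body of the first `keyword { ... }` block, honouring nested
    braces, or None if the block is absent or never closed."""
    m = re.search(rf"\b{keyword}\b[^{{]*\{{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def match_list(block, directive):
    """Elements of `directive { a; b; };` inside block, or None if absent."""
    m = re.search(rf"\b{directive}\s*\{{([^}}]*)\}}", block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def element_problem(elem, acls):
    """Explain why a match-list element is invalid, or return None."""
    e = elem.strip('"')
    if e in BUILTIN or e in acls or IP_RE.match(e) or e.startswith("key "):
        return None
    return f"'{elem}' is not an address, prefix, or defined acl"


def audit(conf):
    """Return a list of findings; an empty list means the config passes."""
    text = strip_comments(conf)
    findings = []
    if text.count("{") != text.count("}"):
        findings.append("unbalanced braces: a block is missing its closing '};'")
    acls = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', text))
    # If options never closes, fall back to scanning the whole file so the
    # offending directive is still reported.
    options = extract_block(text, "options") or text
    for directive in ("allow-transfer", "allow-recursion"):
        elems = match_list(options, directive)
        if elems is None:
            findings.append(f"{directive} not set in options; nothing here restricts it")
            continue
        if "any" in elems:
            findings.append(f"{directive} {{ any; }} grants it to the whole Internet")
        for e in elems:
            problem = element_problem(e, acls)
            if problem:
                findings.append(f"{directive}: {problem}")
    # Per-zone allow-transfer overrides the global setting, so check those too.
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        body = extract_block(text[m.start():], "zone") or ""
        elems = match_list(body, "allow-transfer")
        if elems and "any" in elems:
            findings.append(f'zone "{m.group(1)}" overrides options with allow-transfer {{ any; }}')
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF), ("broken", BROKEN_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against a copy of your own /etc/named.conf by reading the file into audit(); the hardened sample comes back clean, the cPanel-style default reports both directives as unrestricted, and the placeholder line is flagged twice (unbalanced braces and a non-address element), which is the pair of errors named itself printed in the log above.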
 