security problem: cpanel allows DNS zonetransfers for everyone!

Status
Not open for further replies.

gonzov

Member
Jun 19, 2004
7
0
151
help me with my server I have problems with dns zones

I have prorbles with my dns zones all domains go to a main ip address , I delete account in whm and create again but not work
what is the problem ?
 

gonzov

Member
Jun 19, 2004
7
0
151
alguien que hable español para que me ayude con los dns zones ke no sirven!!!

alguien que hable español para que me ayude con los dns zones ke no sirven en mi servidor dedicado
tengo problemas con el dns zone no se como editarlo y arreglarlo.
 

mahdionline

Well-Known Member
Oct 18, 2003
127
0
166
I do the instruction ,but now when i go to nslookup.exe and type
> is adomainname.com

it show me a list of names and not show your written message.
what's the problem ?

regrad
 

mahdionline

Well-Known Member
Oct 18, 2003
127
0
166
I do the instruction but now when i go to nslookup.exe and type

> is adomainame.com

is show me a list of names !

What's the problem ?

Regard
 

ispro

Well-Known Member
Verifed Vendor
Apr 8, 2004
628
2
168
Here is what we are using at the moment. Add this after controls. Make sure that you have no more options as it is will cause bind/named to fail.
Code:
acl "slaves" {
        127.0.0.1; localhost;
};

acl "masters" {
        127.0.0.1; localhost;
};

acl "trusted" {
        127.0.0.1; localhost;
};

logging {
	category lame-servers { null; };
};

options {
	statistics-file "/var/run/named/named.stats";
        allow-transfer { slaves; masters; trusted; };
        allow-recursion { trusted; };
        allow-notify { masters; };
};
There slaves are the Slave DNS servers, masters are the Master DNS servers and trusted are the server you trust and allow to do recursive lookups and request the DNS zones in full. Usually save to keep by default.

This will also generate the statistics file to the "/var/run/named/named.stats" (not forget to execute "/usr/sbin/ndc stats" prior!)
It could be used by MRTG for example.

P.S. I'm not sure if the allow-notify should include masters only. It is supposed to add there hosts which may force zone update, isn't it? So they should be the Master DNS servers only? Anyone who using DNS clusters to clear this up?
 
Last edited:

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,441
31
473
Go on, have a guess
Probably overkill using so many ACL's. This is what I use, which will achieve the same thing:

Code:
acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
        127.0.0.1;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
Where the IP addresses all the other participants in your DNS cluster, including the server you are on, which makes it nice and easy to duplicate for all your servers.
 
Last edited:

ispro

Well-Known Member
Verifed Vendor
Apr 8, 2004
628
2
168
Your setup is has sense also.

We just would like to tune each setting using "security through obscurity" method where everything shoulb be blocked, and then necessary things allowed only.

Do you have any valid information that using several ACLs in named.conf may slow down it?
I heard nothing about that.
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
chirpy said:
Code:
acl "trusted" {
        11.22.33.44;
        44.33.22.11;
        66.55.44.33;
};

options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
};
I have the same set up, but I don't have the 'directory "/var/named";' line.
Why did you add that? Did you run into trouble without it?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,441
31
473
Go on, have a guess
You don't need to have that line in there since /var/named is the default. I just like to have it to be sure that I know it's looking where it should - it's just an old habit.
 

CoolMike

Well-Known Member
Sep 6, 2001
312
0
316
Hi

Can I also do the following to add all the IP's of my range?

acl "trusted" {
234.a.b.c/24;
};

options {
directory "/var/named";
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};
Michael
 

jackie46

BANNED
Jul 25, 2005
536
0
166
When i set this up my firewall is now complaining.

Mar 5 14:00:16 srv07 named[20657]: client 111.111.111.111#52479: error sending response: host unreachable
Mar 5 14:00:16 srv07 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=111.111.111.111 DST=222.222.222.222 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=647 DF PROTO=UDP SPT=53 DPT=52479 LEN=57

Im not sure why its complaing. We have inbound outbound tcp/udp enabled on all firewalls on port 53.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,441
31
473
Go on, have a guess

kemis

Well-Known Member
Feb 17, 2005
104
0
166
Georgetown, TX
I'm sorry to keep such an old post alive, but there's something important here that doesn't appear to have been addressed yet. Let me explain...

A few weeks ago, I began using the "trusted" acl for allow-recursion, but I noticed that it didn't really stop the attacks (yes, it was implemented correctly). It wasn't until today, though, that I began looking into the issue more.

To keep a long story short, I found the following article on DynDNS that explains how to use views to separate what is allowed recursion and what is not:

"It's important to use views..., though - if you just use allow-recursion { recursive_clients; }; in a single view, you will still provide answers to other clients out of your cache, which is almost as bad as being wide open."

You can read the whole article, including a sample setup at:
http://www.dyndns.com/about/company/notify/archives/the_dangers_of_open_recursive_dns.html

My main worry is that the "views" solution will simply not be compatible with cPanel, since it involves modifying how the zones themselves are handled.

Does anyone have any comments regarding this "new" information? Why hasn't this been brought up before? Am I really the only one who continues to see "lame server resolving" errors in my messages despite following the solution previously outlined in this thread?

-- Matt

P.S. -- For now, I have begun using the blackhole option along with an "untrusted" acl to help cut down the number of immediate attacks. This is not a good solution, though, since I can't honestly keep adding IP after IP to this list.
 

dwh2

Well-Known Member
Jan 14, 2004
106
0
166
Now I'm totally confused. Whic instructions do I need to follow?

Is there a tutorial somewhere on the web that says exactly what to do?
 

hicom

Well-Known Member
May 23, 2003
292
7
168
These are the two things you want to add to secure your BIND:

Code:
// Restrict Zones transfer
        allow-transfer {
                        20.0.0.1;
                        20.0.0.2;
                         };

// Restrict Recursion

        allow-recursion {
                        20.0.0.1;
                        20.0.0.2;
                         };
This will make sure only zone transfers and recursion delegated to the IP addresses you specify here (your own DNS, backup DNS..etc) - DO NOT use 127.0.0.1 in the allow-recursion lines

Oh, and of course don't forget to chang the IPs I listed!!
 
Last edited:

dwh2

Well-Known Member
Jan 14, 2004
106
0
166
hicom said:
These are the two things you want to add to secure your BIND:

Code:
// Restrict Zones transfer
        allow-transfer {
                        20.0.0.1;
                        20.0.0.2;
                         };

// Restrict Recursion

        allow-recursion {
                        20.0.0.1;
                        20.0.0.2;
                         };
This will make sure only zone transfers and recursion delegated to the IP addresses you specify here (your own DNS, backup DNS..etc) - DO NOT use 127.0.0.1

Oh, and of course don't forget to chang the IPs I listed!!
Thanks so much! I was worried I wouldn't get an answer.

*OK, so this is the change in the
"etc/named.conf" file?

*And those need to be my IPs? I guess I just look up the IPs in that tool on WHM, correct?

*I also have a db server connected to my webserver and it doesn't have WHM on it. I believe the way it was set up the DNS server for it is my webserver...wait, actually it's IP only, there is no domain name on the db server. Does it even need a DNS server? (I guess so, because when I access IPAddress only, it still needs to talk to a DNS server to determine where that IP is, correct?) Sorry, I guess my question is, any danger to adding the dbserver's IP to that address?
 

kemis

Well-Known Member
Feb 17, 2005
104
0
166
Georgetown, TX
hicom said:
DO NOT use 127.0.0.1
Chirpy uses 127.0.0.1 (as indicated in an earlier post in this thread), but you're saying not to. What are the pros/cons of using/not using it?

I am using 127.0.0.1 (in addition to my real IPs), but am still getting "lame server resolving" lines in my messages log due to recursive DNS DDoS attacks. Could this be why?

And what about DynDNS's advise to not use "allow-recursion" and to use "views" instead? DynDNS says that you're still responding to queries out of your cache even with "allow-recursion" set to only your own IPs.

-- Matt
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,441
31
473
Go on, have a guess
Matt,

I just tested that theory and it does indeed resolve cached queries, though the risks would have to be much smaller since you're not going to know which zones are cached, making it pretty much useless as a recursive resolver. I'm going to investigate further...
 
Status
Not open for further replies.