security problem: cpanel allows DNS zonetransfers for everyone!

Status
Not open for further replies.

verdon

Well-Known Member
Nov 1, 2003
944
16
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I have this working, but just to clarify...

Any lines in /var/log/messages, along the lines of...
lame server resolving 'xxx.com' (in 'xxx.com'?): 11.22.33.44

...are the result of attempts to recursively query cached dns, and the only way I can currently handle it is to add these IPs to a black-hole ACL?

The reason I ask is because in the last 3 days or so, I have roughly 2,800 of these entries originating from about 250 unique IPs. This could be quite a PIA to keep up with, and I'm unsure if I would be black-holing anything legitimate.

TIA for any thoughts,
verdon
 

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
628
2
168
verdon said:
I have this working, but just to clarify...

Any lines in /var/log/messages, along the lines of...
lame server resolving 'xxx.com' (in 'xxx.com'?): 11.22.33.44

...are the result of attempts to recursively query cached dns, and the only way I can currently handle it is to add these IPs to a black-hole ACL?

The reason I ask is because in the last 3 days or so, I have roughly 2,800 of these entries originating from about 250 unique IPs. This could be quite a PIA to keep up with, and I'm unsure if I would be black-holing anything legitimate.

TIA for any thoughts,
verdon
Quote from TP KB: "A lame server is one that is specified at the registrar to be authoritative for a domain, but the server itself is not set up in this manner. This is not a configuration issue on your end, but simply an informational message."

You should have this in your named.conf to prevent it:

Code:
logging {
        category lame-servers { null; };
};
Then your logs wouldn't be filled with these entries. Also, they are not so dangerous :)
 

michaelcaplan

Member
Aug 15, 2003
19
0
151
Hi there,

I tried the recommended setting for closing off my open DNS servers, and I am getting the following error with my configuration changes. I followed the configuration as suggested... any ideas?

/etc/init.d/named start
Starting named: /etc/named.conf:8: unknown option 'allow-transfer'
/etc/named.conf:18: unknown option 'allow-recursion'

dwh2 said:
Subject: How to close CPanel security hole of Open DNS Zonetransfers
...
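The "unknown option" errors above are what named reports when allow-transfer and allow-recursion are placed at the top level of named.conf rather than inside an options { } (or zone/view) block. The following named.conf skeleton is an added example, not a file posted in this thread or shipped by cPanel; it applies the thread's recommendations (zone transfers only to secondaries, recursion only for trusted hosts, a blackhole ACL, silenced lame-server logging). The IP addresses, ACL names and zone name are placeholders, and the chroot path differs as chirpy notes below.

```conf
// Added example /etc/named.conf (assumptions: placeholder addresses, BIND 9.4 or later).

// Hosts allowed to pull whole zones: only your secondary name servers.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

// Hosts allowed recursive lookups: the server itself and its own networks.
acl "trusted" { 127.0.0.1; ::1; 203.0.113.0/24; };

// Sources that get no answer at all; fill from the abuse entries in your logs.
acl "blackhole_list" { 192.0.2.250; };

options {
    directory "/var/named";

    // Weak default the thread describes:  allow-transfer { any; };  allow-recursion { any; };
    // These statements are only valid inside options { } (or a zone/view block);
    // at top level named fails with "unknown option 'allow-transfer'".
    allow-transfer    { secondaries; };    // no zone transfers to the world
    allow-recursion   { trusted; };        // no open resolver
    allow-query       { any; };            // authoritative answers stay public
    allow-query-cache { trusted; };        // BIND 9.4+: cached answers are not served to outsiders
    blackhole         { blackhole_list; }; // abusive sources are ignored entirely
};

logging {
    category lame-servers { null; };       // silence "lame server resolving" noise
};

// cPanel-managed zones follow; a per-zone allow-transfer overrides the global one.
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    allow-transfer { secondaries; };
};
```

Run `named-checkconf /etc/named.conf` before restarting named; a placement error shows up there with the same line number that the init script prints.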
 

HappymanUK

Well-Known Member
May 3, 2003
255
1
168
michaelcaplan said:
Hi there,

I tried the recommended setting for closing off my open DNS servers, and I am getting the following error with my configuration changes. I followed the configuration as suggested... any ideas?

/etc/init.d/named start
Starting named: /etc/named.conf:8: unknown option 'allow-transfer'
/etc/named.conf:18: unknown option 'allow-recursion'
I am getting this same error too.

Any ideas ?

Thanks
Daniel
 

luis

Well-Known Member
Sep 3, 2001
50
0
306
kemis said:
As indicated in my code (above the untrusted ACL), you can blackhole IPs to prevent them from querying your DNS server at all. This is useful, because even with allow-recursive set to only your trusted IP addresses, BIND will still attempt to respond to recursive queries out of its cache (thus not fully solving the recursive DDOS attack issue).
How about a set of rules for bfd looking for these entries in /var/log/messages?
 

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
628
2
168
Here is the rule we are using from time to time. It could give you an idea.
Name this file "named" and place it in /usr/local/bfd/rules.

Code:
# bfd rule for named: /usr/local/bfd/rules/named
# TLOGP (the tlog helper path) is set by bfd itself before the rules are sourced.
REQ="/usr/sbin/named"
if [ -f "$REQ" ]; then
        LP="/var/log/messages"      # log file to watch
        TLOG_TF="named"             # tlog tracking file for this rule
        TRIG="15"                   # hits from one IP before it is banned

        ## NAMED ABUSE
        # syslog line: "... named[pid]: client 1.2.3.4#1234: error sending response ..."
        # field 7 is "IP#port:", so cutting on '#' leaves the client IP
        ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w named | grep "error sending response" | awk '{print $7}' | cut -d '#' -f1`

        # this line for initial run, left as an example
        # Reason - the tlog script parses size incorrectly and missed the old entries
        # ARG_VAL=`grep -w $TLOG_TF $LP | grep "error sending response" | awk '{print $7}' | cut -d '#' -f1`
fi
 

njoyhost

Member
Dec 4, 2006
15
0
151
Will post later on this issue... I have followed the directions, had errors, and edited until it worked, so this may help some of you that couldn't get it to work.
 

rpmws

Well-Known Member
Aug 14, 2001
1,787
10
318
back woods of NC, USA
This one is stumping me. I used to use Chirpy's ACL method and it always worked. Now I am trying it on a new _64 Red Hat box and I can't stop it from allowing lookups of outside domains from the outside. The CSF test shows I am OK... but dnsstuff and my own dig from my ISP against my box looking up yahoo.com returns a non-auth record. I have everything set correctly (I think).
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
This one is stumping me. I used to use Chirpy's ACL method and it always worked. Now I am trying it on a new _64 Red Hat box and I can't stop it from allowing lookups of outside domains from the outside. The CSF test shows I am OK... but dnsstuff and my own dig from my ISP against my box looking up yahoo.com returns a non-auth record. I have everything set correctly (I think).
If the item you are looking up has been cached by a local lookup, it will resolve from a remote lookup regardless of the recursion setting. It's a quirk in the way BIND works. There is a workaround, but that doesn't work with the way cPanel handles the named.conf file.

If you clear the named cache:

rndc flush

It should then prevent the recursion, unless you're running chroot named, in which case you may have to put the changes into /var/named/chroot/etc/named.conf instead of /etc/named.conf
 

staylor

Member
Aug 29, 2007
19
0
51
I just found out that the way cPanel sets up and handles DNS is that it allows zone transfers for all zones for everyone!
There is a concept of security through obscurity, and it is quite dangerous to allow zone transfers to just everyone.
With a whole zone file a hacker pretty much has a map of what you have, and often host names like testing or beta give away clues to people who want to break in.
The standard should be to allow zone transfers only to authorized IPs, mostly secondary DNS servers.
On another note, the cPanel DNS server can be used for queries by pretty much anyone, which adds load to the server if more and more people use it.
The correct way should be to not offer recursive answers to the outside world and only allow recursive behaviour for the host itself.
I will post a changed named.conf file tonight for everyone to use to close this hole!

I am confused. I am a webdeveloper in charge of a server.
I hope I ask the right questions. I understand why I need to do this, but what I don't understand is what IPs should be allowed whatever access is needed.

Why would I need to do whatever it is that would be done? What exactly do you mean by zonetransfers and do I need to get the secondary nameserver IPs from the datacenter or would secondary IPs be used for some kind of redundancy?
 

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I am confused. I am a webdeveloper in charge of a server.
I hope I ask the right questions. I understand why I need to do this, but what I don't understand is what IPs should be allowed whatever access is needed.

Why would I need to do whatever it is that would be done? What exactly do you mean by zonetransfers and do I need to get the secondary nameserver IPs from the datacenter or would secondary IPs be used for some kind of redundancy?
Do you realize you're replying to a post from 2003?
For answers to your questions, you might try Googling for a basic DNS tutorial.
 

SME

Member
Jan 31, 2009
5
0
51
Whm 11.24.2

Hello,

I see this error in CSF:

{You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only}

how can I fix this error?
Thank you.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Hello,

I see this error in CSF:

{You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only}

how can I fix this error?
Thank you.
This question is inappropriate for this thread.
 