security problem: cpanel allows DNS zonetransfers for everyone!

Status
Not open for further replies.

verdon

Well-Known Member
Nov 1, 2003
919
12
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
I have this working, but just to clarify...

Any lines in /var/log/messages, along the lines of...
lame server resolving 'xxx.com' (in 'xxx.com'?): 11.22.33.44

...are the result of attempts to recursively query cached dns, and the only way I can currently handle it is to add these IPs to a black-hole ACL?

The reason I ask is because in the last 3 days or so, I have roughly 2,800 of these entries originating from about 250 unique IPs. This could be quite a PIA to keep up with, and I'm unsure if I would be black-holing anything legitimate.

TIA for any thoughts,
verdon
 

ispro

Well-Known Member
Verifed Vendor
Apr 8, 2004
628
2
168
verdon said:
I have this working, but just to clarify...

Any lines in /var/log/messages, along the lines of...
lame server resolving 'xxx.com' (in 'xxx.com'?): 11.22.33.44

...are the result of attempts to recursively query cached dns, and the only way I can currently handle it is to add these IPs to a black-hole ACL?

The reason I ask is because in the last 3 days or so, I have roughly 2,800 of these entries originating from about 250 unique IPs. This could be quite a PIA to keep up with, and I'm unsure if I would be black-holing anything legitimate.

TIA for any thoughts,
verdon
Quote from TP KB: "A lame server, is one that is specifed at the registrar to be authoritative for a domain, but the server itself is not setup in this manner. This is not a configuration issue on your end, but simply an informational message."

You should to have this in your named.conf to prevent:

Code:
logging {
        category lame-servers { null; };
};
Then your logs wouldn't be filled with these entires. Also they are not so dangerous :)
 

michaelcaplan

Member
Aug 15, 2003
19
0
151
Hi there,

I tried the recommended setting for closing off my open DNS servers, and I am getting the following error with my configuration changes. I followed the configureation as sugested... any ideas?

/etc/init.d/named start
Starting named: /etc/named.conf:8: unknown option 'allow-transfer'
/etc/named.conf:18: unknown option 'allow-recursion'





dwh2 said:
Subject: How to close CPanel security hole of Open DNS Zonetransfers
...
 

HappymanUK

Well-Known Member
May 3, 2003
255
1
168
michaelcaplan said:
Hi there,

I tried the recommended setting for closing off my open DNS servers, and I am getting the following error with my configuration changes. I followed the configureation as sugested... any ideas?

/etc/init.d/named start
Starting named: /etc/named.conf:8: unknown option 'allow-transfer'
/etc/named.conf:18: unknown option 'allow-recursion'
I am getting this same error too.

Any ideas ?

Thanks
Daniel
 

luis

Well-Known Member
Sep 3, 2001
50
0
306
kemis said:
As indicated in my code (above the untrusted ACL), you can blackhole IPs to prevent them from querying your DNS server at all. This is useful, because even with allow-recursive set to only your trusted IP addresses, BIND will still attempt to respond to recursive queries out of its cache (thus not fully solving the recursive DDOS attack issue).
¿How about a set of rules for bfd looking for these entries on /var/log/messages ?
 

ispro

Well-Known Member
Verifed Vendor
Apr 8, 2004
628
2
168
Here is the rule we are using from time to time. It could give you an idea.
Name this file as named and place in /usr/local/bfd/rules

Code:
REQ="/usr/sbin/named"
if [ -f "$REQ" ]; then
LP="/var/log/messages"
TLOG_TF="named"
TRIG="15"

## NAMED ABUSE
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w named | grep "error sending response" | awk '{print $7}' | cut -d '#' -f1`

# this line for initial run, left as an example
# Reason - tlog script does parse size incorrectly and missed the old entries
# ARG_VAL=`grep -w $TLOG_TF $LP | grep "error sending response" | awk '{print $7}' | cut -d '#' -f1`

fi
 

njoyhost

Member
Dec 4, 2006
15
0
151
will post later on this issue...I have followed the directions had errors and edited until it worked so this may help some of you that couldnt get it to work
 

rpmws

Well-Known Member
Aug 14, 2001
1,802
9
318
back woods of NC, USA
this one is stuping me. I used to use Chripy's acl method and it always worked. Now I am trying it on a new _64 reh hat box and I can't stop it from allowing lookups of outside domains from the outside. CSF test shows I am ok ..but dnsstuff and my own dig from my isp against my box looking up yahoo.com returns a non-auth record. I have everything set correctly (i think)
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
31
473
Go on, have a guess
this one is stuping me. I used to use Chripy's acl method and it always worked. Now I am trying it on a new _64 reh hat box and I can't stop it from allowing lookups of outside domains from the outside. CSF test shows I am ok ..but dnsstuff and my own dig from my isp against my box looking up yahoo.com returns a non-auth record. I have everything set correctly (i think)
If the item you are looking up has been cached by a local lookup it will resolve from a remote lookup regardless of the recursion setting. It's a quirk in the way bind works. There is a workaround, but that doesn't work with the way cPanel handles the named.conf file.

If you clear the named cache:

rndc flush

It should then prevent the recursion, unless you're running chroot named, in which case you may have to put the changes into /var/named/chroot/etc/named.conf instead of /etc/named.conf
 

staylor

Member
Aug 29, 2007
19
0
51
I just found out that the way cpanel sets up and handles DNS is that it allows zonetransfers for all zones for everyone!
There is a concept of security through obscurity and it is quiet dangerous to allow zonetransfers just to everyone.
With a whole zonefile a hacker pretty much has a map of what you have and often host names like testing or beta give away clues to people who want to break in.
The standard should be to allow zonetransfers only to authorized ips, mostly secondary DNS servers.
On another note the cpanel DNS server can be used for queries by pretty much anyone which adds load to the server if more and more people use it.
The correct way should be to not offer recursive answers to the outside world and only allow recursive behaviour the own host.
I will post tonight a changed named.conf file for everyone to use to close this hole!

cPanel.net Support Ticket Number:
I am confused. I am a webdeveloper in charge of a server.
I hope I ask the right questions. I understand why I need to do this but what I dont understand is what IPs should be allowed whatever access is needed.

Why would I need to do whatever it is that would be done? What exactly do you mean by zonetransfers and do I need to get the secondary nameserver IPs from the datacenter or would secondary IPs be used for some kind of redundancy?
 

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I am confused. I am a webdeveloper in charge of a server.
I hope I ask the right questions. I understand why I need to do this but what I dont understand is what IPs should be allowed whatever access is needed.

Why would I need to do whatever it is that would be done? What exactly do you mean by zonetransfers and do I need to get the secondary nameserver IPs from the datacenter or would secondary IPs be used for some kind of redundancy?
Do you realize you're replying to a post from 2003?
For answers to your questions, ou might try Googling for a basic DNS tutorial.
 

SME

Member
Jan 31, 2009
5
0
51
Whm 11.24.2

Hello,

I see this error in CSF:

{You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only}

how can I fix this error?
Thank you.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Hello,

I see this error in CSF:

{You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only}

how can I fix this error?
Thank you.
This question is in appropriate for this thread.
 
Status
Not open for further replies.