Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security when using Local DNS Resolver

Discussion in 'Bind / DNS / Nameserver Issues' started by SunnyInMTL, Jan 3, 2018.

  1. SunnyInMTL

    SunnyInMTL Member

    Joined:
    Jan 3, 2018
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Hello,

    My current hosting provider doesn't have a resolver in their datacenter and recommends me to use 127.0.0.1 as the primary resolver (configured in /etc/resolv.conf).

    However, wouldn't this pose a security risk when using WHMCS to automatically provision accounts?

    I have tweaked the settings and disabled remote domains; however, this only applies to addon domains and aliases. It doesn't apply to the main domain when initially creating the account.

    For example, user A purchases web hosting using WHMCS and chooses to use his existing domain, onto which he has to change later the nameservers on the registrar. He types in domainxyz.com, checks out and pays. WHMCS creates the account and the DNS zone for domainxyz.com is created.

    Now user A could have typed in any domain that he didn't own and the zone would still be created. Then, he could in theory modify the records for malicious intent. Afterwards, for example when user B on the same server tries to send an email to info@domainxyz.com, it will query the local resolver for domainxyz.com, which is contained and cached locally, so the resolver returns back the wrong MX records for domainxyz.com. The email is then sent to the mailbox that was maliciously created in user A's account.

    Is this right? Am I missing something? Because this is seems like a huge security risk.

    I thought of using public DNS resolvers, such as 8.8.8.8 and 8.8.4.4, but this isn't ideal as most RBLs impose query limits by IP. Since these IPs are shared amongst many many people, the limit is reached quickly and creates other considerable problems, such as spam email getting in or real email getting flagged as spam.

    How do major hosting companies avoid or mitigate this security risk?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,396
    Likes Received:
    1,605
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, that's accurate. However, note the scenario you described can also happen when using remote DNS resolvers because newly created accounts will use the "Local Mail Exchanger" setting by default. This leads to the population of the domain name in the /etc/localdomains file and results in Exim processing emails for that domain name locally. I recommend opening a feature request if you'd like to see a "Allow Remote Domains" option implemented for new account creation:

    Submit A Feature Request

    As far as the resolver question itself, you may want to consider using public DNS resolvers and then implement a workaround for the RBL limits like the one referenced on the following post:

    DNS implications to modifying resolv.conf

    Thank you.
     
  3. SunnyInMTL

    SunnyInMTL Member

    Joined:
    Jan 3, 2018
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Thanks Michael for clarifying the mail routing issue.

    Is there any way for Email::setmxcheck (API2) to check for MX records on a remote zone?

    For example, if the authoritative DNS is hosted on a remote server, would I be able to delete the zone on the local server (cPanel)?

    I tried deleting the zone and then using Email::setmxcheck, but it always returns "Remote" even though the MX records on the remote authoritative zone point to the local server.

    The security around mail routing is really troubling me now.
     
  4. SunnyInMTL

    SunnyInMTL Member

    Joined:
    Jan 3, 2018
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    ^ I tried editing my previous post but got an error.

    After some testing, I noticed that Email::setmxcheck only checks the local zone; so, I can't delete it. What I tried is keeping the DNS zone with only two records: SOA and MX.

    The MX points to mail.domain-of-the-account.com. If the NS records of the domain are pointed to the authoritative nameservers, then that hostname will resolve to the local server because of the A record that will reside on the authoritative zone. Setmxcheck will then set the routing to local. However, if mail.domain-of-the-account.com doesn't resolve, setmxcheck will set the routing to the last known setting.

    Can I have two hooks for post zone creation, the first one that will set the routing to remote, and then the second hook that will setmxcheck? Perhaps I should also set CRON to run setmxcheck every X hours, in order to allow for the DNS to propagate.

    Will cPanel be able to function with only a zone that contains SOA/MX records, alongside BIND, a local resolver, and remote authoritative nameservers?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,396
    Likes Received:
    1,605
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You can setup multiple hooks that run after the account is created, yes. The DNS zone itself isn't required if the DNS for the domain name is handled on a remote server, but cPanel users may notice error messages when attempting to use options that require the default zone entries (e.g. Zone Editor, Email Authentication). That said, you may find the following UAPI function more useful:

    UAPI Functions - Email::set_always_accept - Software Development Kit - cPanel Documentation

    Here's a thread where it's use is discussed:

    MX Entries and the API

    Thank you.
     
Loading...

Share This Page