what should /etc/resolv.conf look like?

Your resolv.conf file should look like :

nameserver [primary IP]
nameserver [secondary IP]
nameserver [or another DNS IP that you have]

And, never put 127.0.0.1 at this configuration, it is not recommended to put this into the file, i think it is a security issue.

Good luck

 

You should definitely not have 127.0.0.1 there as it is a security risk and there's simply no need as you can use the main IP address of the server if you have bind correctly setup and working. Adding the DNS resolvers that your NOC provides is also a good idea incase named falls over.

 

What would be the difference to security of using the server's main external IP instead of 127.0.0.1?

 

Light reading can be found here (had to dig a bit to find it as it was discussed some time ago):
http://forums.cpanel.net/showthread.php?t=31081

 

resolv.conf

Hi,

I was reading this article and just happened to check resolv.conf file. - My name servers have been commented and replaced with nameservers which are not of my datacenter.


cat resolv.conf
domain mydomain.com
search mydomain.com
#nameserver xx.xx.xx.xx
#nameserver xx.xx.xx.xx
nameserver zz.zz.aa.bb
nameserver zz.zz.e.f

/etc/nameserverips is fine
/etc/wwwacct.conf is fine

root@cat3 [/etc]#
-rw-r--r-- 1 root root 147 Jun 12 2005 resolv.conf

As per the above output; resolv.conf hasn't been modifed since Jun 12 2005 and I have not made these modifications. Strangely none of my sites have reported a problem till date.

/tmp is secure - no suspicious files, mod-security in place... bind version 9.2.4

What could be the reason for this modification in resolv.conf? Is this a known exploit ??

Thanks!

 

Might be cpanels default resolvers

Try:

nameserver 4.2.2.4
nameserver 4.2.2.2
nameserver 4.2.2.6
nameserver 4.2.2.7

Genuity's main DNS servers, my favorite, always resolve to a server near yours, and always seem to update the fastest.

Just my thoughts...

 

nameserver 151.164.1.8
nameserver 151.164.11.201

Those IPs belong to ns1.swbell.net and ns2.swbell.net.

This is the reply from my DC:
"Rkhunter was ran on the system which only noticed a few few update need to be preformed. You have likely been cross site scripted through an old or outdated version of PHP. Up date you scripts and you should also disable direct root login. Resume.doc and several others were found in the tmp directory. Refrain from using /tmp as a place to store files."


----

My direct root login is disabled and /tmp folder is also secure.

I need help to clear some queries about this situation:

1. The permissions on resolv.conf still show root as the owner. How was resolv.conf modified by a script?

2. How do I prevent /tmp as a place to store files.

3. Most importantly; how is that all my sites were working without a problem inspite of incorrect nameservers in resolv.conf.

4. What were the security implications due to the nameservers being modified in resolv.conf

5. I have now changed resolv.conf to show my ips' as the nameservers. Do I have to do anything now?


P.S. I have a RHEL/cPanel server.

 

Does our /etc/resolv.conf need the below entries? We only have the nameserver IPs in there now.

domain mydomain.com
search mydomain.com

 

They aren't a requirement (they're only for non-FQDN lookups) and you should never have both in a resolv.conf anyway as they're mutually exclusive.

 

Ok so I now only have the below in it. Plus all of the NS1 nameservers

domain mydomain.com

 

That's fine, but as I said - usually unnecessary.

 

Ok, what does yours look like?

 

Hi,

Is there anyway that resolv.conf will change by itself ?

Because today my resolv.conf change not pointed to my IP but to old IP.

Recently my DC move my IP server from old to new IP. And i already change this resolv to new IP but today change back to old IP.

just want to know about it... already search the forum but none discuss about this changing.

 

I can't say that I've seen a resolv.conf change by itself. If you're on a virtual envirnoment, there are configuration files for virtuozzo which will set the resolv.conf on boot. If you're on a VE and you recently had a reboot, this could have changed the resolv.conf. Other than that, I haven't seen any other settings that would change this.