Next, what we are going to do is harden resolv.conf, because if it is improperly configured it can be used to spoof or to create a DoS attack. First, go ahead and open up the config file. You should see something like "nameserver xxx.xxx.xxx.xxx" and maybe "search xxx.com". The important thing is that 127.0.0.1 is NOT listed. At the top you should have your server's internet IP address. This will function basically the same as 127.0.0.1, which many servers were configured with, but it is less prone to attacks.
How could this type of configuration be used for an attack?
Personally, I always use loopback in resolv.conf on all my servers... I think this so-called security issue is more of a cPanel (& others) thing... or that's the only way I can think of that loopback in resolv.conf can cause problems... for example:
A hosting provider uses cPanel, has a local nameserver, and allows clients to create addon domains... then one night a client creates the addon domain "cpanel.net" or "imagemagick.org" or whatever domain cPanel gets its automatic updates from, and puts some trojaned RPMs there... and then the next time cPanel updates itself, it installs the trojaned RPM with root privileges...
Well, this is just a theory, but it's the only thing I can think of...
"At the top you should have your server's internet IP address. This will function basically the same as 127.0.0.1, which many servers were configured with, but it is less prone to attacks." There's no real difference between that and 127.0.0.1 as far as security goes, assuming the same resolver is listening on both. You should use a remote caching nameserver.
The main point should be that if you have a system where users can affect the DNS server (for example cPanel, or just about any control panel where users have the ability to add domains), it's a risk to use the local resolver, because there are cases where a user could create a domain that isn't really controlled by them (yahoo.com, for example) and then redirect all traffic from that server to themselves, because you are using the local server's DNS for queries. Now, most control panels have some safeguards against this, but they are not foolproof (and some admins even turn them off).
You can use 127.0.0.1 in resolv.conf, just don't use it as the first line, or the second for that matter. Remember, the resolv.conf file is there to help make your server function, and the nameserver IPs used should be valid ones.
And WHM does provide an option to prevent common internet domains from being used. You'll find it in Tweak Settings. With that turned on you'll have no worries about someone trying to use hotmail.com, yahoo.com, etc.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available
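The check the thread converges on (a resolver listed in resolv.conf, but loopback not in the first or second nameserver slot) is easy to automate before a control panel lets users add domains. The script below is an added example and not from any post in this thread or from cPanel/WHM; it assumes a POSIX sh with awk and mktemp, and it builds two constructed sample files (using the 192.0.2.0/24 documentation range) rather than touching the real /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: audit the nameserver ordering in a resolv.conf-style file.
# Rule from the thread: at least one nameserver must be listed, and the
# loopback resolver (127.x / ::1) must not be the first or second entry.

# check_resolv_conf FILE -> prints findings, returns 0 on pass, 1 on fail.
check_resolv_conf() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file"
        return 1
    fi
    # Collect nameserver addresses in file order, skipping comments/other keys.
    servers=$(awk '$1 == "nameserver" && $2 != "" {print $2}' "$file")
    count=$(printf '%s\n' "$servers" | awk 'NF {n++} END {print n+0}')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no nameserver entries in $file"
        return 1
    fi
    status=0
    pos=0
    for ns in $servers; do
        pos=$((pos + 1))
        case "$ns" in
            127.*|::1)
                if [ "$pos" -le 2 ]; then
                    echo "FAIL: loopback resolver $ns is nameserver #$pos in $file"
                    status=1
                else
                    echo "note: loopback resolver $ns is nameserver #$pos (fallback only)"
                fi
                ;;
        esac
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: $file ($count nameserver entries)"
    fi
    return "$status"
}

# Constructed sample files (hypothetical contents, documentation IP range).
WORKDIR=$(mktemp -d)
GOOD_CONF="$WORKDIR/resolv.good"
BAD_CONF="$WORKDIR/resolv.bad"

# Remote resolvers first, loopback only as a last-resort fallback.
cat > "$GOOD_CONF" <<'EOF'
search example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 127.0.0.1
EOF

# Loopback in the first slot: the layout the thread warns about.
cat > "$BAD_CONF" <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.10
EOF

# Demo run on the samples; for a live host run: check_resolv_conf /etc/resolv.conf
check_resolv_conf "$GOOD_CONF"
check_resolv_conf "$BAD_CONF" || echo "review $BAD_CONF before hosting user-added domains"
```

The check only looks at ordering, which is what the thread discusses; it does not verify that the listed addresses actually answer queries, so pair it with a resolver test (for example `dig @192.0.2.10 example.com`) before relying on the file.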
Say that a domain hosted on your server uses a payment gateway "paygate.usa" for an ecommerce site. The server could be tricked into delivering the payment information to a user who added a faked "paygate.usa" to the system. However, most control panels only allow set ranges of IP addresses to be used during domain creation, and payment transfers should be encrypted anyway, so there are multiple layers that would have to be overcome to make a forged domain usable.
I still don't see any advantage to using 127.0.0.1 instead of the real IP address, except that maybe there could be some pre-made trojans available on the internet that automatically bind to localhost and act as a bogus DNS server.