  1. Hardening resolv.conf

    I have a couple of DNS questions with regard to a hosting server acting in the capacity of a Hosting Service Provider.

    1. Is it more common for a server to provide its own DNS lookups:
    cat > /etc/resolv.conf << "EOF"
    or to have a set of specified DNS servers that it queries:
    cat > /etc/resolv.conf << "EOF"

    2. When a server is doing its own recursive lookups, I have come across a reference that there may be security repercussions to pointing the resolver towards the localhost @ :

    Next, we are going to harden resolv.conf because, if improperly configured, it can be used to spoof or create a DoS attack. First, go ahead and open up the config file. You should see something like "nameserver" and maybe "search". The important thing is that is NOT listed. At the top you should have your server's internet IP address. This will function basically the same as as many servers were configured with, but it is less prone to attacks.
    How could this type of configuration be used for an attack?

  2. I'm going to go ahead and bump this one back up to the top. Anyone have any clues?

  3. Personally, I always use loopback in resolv.conf on all my servers.... I think this so-called security issue is more of a cPanel (& others) thing... or that's the only way I can think of that loopback in resolv.conf can cause problems... for example:

    a hosting provider uses cPanel and has a local nameserver and allows clients to create add-on domains...... then one night a client creates the add-on domain "" or "" or whatever domain cPanel gets its automatic updates from, and puts some trojaned RPMs there.... and then the next time cPanel updates itself it installs the trojaned RPM with root privileges.....

    Well, this is just a theory, but it's the only thing I can think of....


  4. I think the text is a little off-base.

    "At the top you should have your servers internet ip address. This will function basically the same as as many servers were configured with but it is less prone to attacks." There's no real difference between that and assuming the same resolver is listening on both, as far as security. You should use a remote caching nameserver.

    The main point should be that if you have a system where users can affect the DNS server (for example cPanel, or just about any control panel where users have the ability to add domains), it's a risk to use the local resolver, because there are cases where a user could create a domain that isn't really controlled by them ( for example) and then redirect all traffic from that server to them, because you are using the local server's DNS for queries. Now, most control panels have some safeguards against this, but they are not foolproof (and some admins even turn them off).

  5. That's something I thought of too: what if someone adds something like "" and starts harvesting email that really should be relayed out?

    I don't allow users to add domains themselves, and this is one of the reasons...

  6. You can use in resolv.conf, just don't use it as the first line, or the second for that matter. Remember, the resolv.conf file is there to help make your server function, and the nameserver IPs used should be valid ones.

    And WHM does provide an option to prevent common internet domains from being used. You'll find it in Tweak Settings. With that turned on, you'll have no worries about someone trying to use,, etc.

  7. OK. I think that I've got the big picture now:

    Say that a domain hosted on your server has a payment gateway "paygate.usa" for an e-commerce site. The server could be tricked into delivering the payment information by a user who added a faked "paygate.usa" to the system. However, most control panels only allow set ranges of IP addresses to be used during domain creation, and payment transfers should be encrypted anyway, so there are multiple layers that would have to be overcome to make a forged domain usable.

    I still don't see any advantage to using instead of the real IP address, except that maybe there could be some pre-made trojans available on the internet that automatically bind to the localhost and act as a bogus DNS server.
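The two safeguards the thread converges on, as an added example that is not part of any post above and not cPanel/WHM code: post #6's rule that a loopback address must not sit in the first or second nameserver slot of resolv.conf, and the add-on-domain check that posts #4 to #7 describe, which refuses a customer-created domain that is, or sits under, a name the host has reserved. The protected-domain list and the sample resolv.conf text are constructed for illustration; the limit of three honoured nameserver lines is glibc's documented MAXNS.

```python
"""Defensive checks for the resolv.conf / local-resolver risk discussed above.

Added example, not code from the thread or from any control panel:
  lint_resolv_conf()   - flags loopback in nameserver slot 1 or 2 (post #6)
  check_addon_domain() - rejects add-on domains inside a reserved zone
                         (the control-panel safeguard of posts #4-#6)
"""
import ipaddress

GLIBC_MAX_NAMESERVERS = 3  # glibc MAXNS: nameserver lines past the third are ignored

# Constructed sample of zones a hosting customer must not be able to create.
# This is NOT WHM's real list; a host would populate it from its own policy.
PROTECTED_DOMAINS = frozenset({"example.com", "example.net", "update.example.org"})


def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, in file order.

    Handles '#' and ';' comments (both are valid in resolv.conf) and skips
    unrelated keywords such as 'search' and 'options'.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def lint_resolv_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    servers = parse_nameservers(text)
    if not servers:
        # resolv.conf(5): with no nameserver line the resolver uses the local host.
        findings.append("no nameserver lines: resolver defaults to the local machine")
    for idx, addr in enumerate(servers):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"nameserver {idx + 1}: '{addr}' is not a valid IP address")
            continue
        # Post #6: loopback is acceptable only as a later fallback, never slot 1 or 2.
        if ip.is_loopback and idx < 2:
            findings.append(f"nameserver {idx + 1}: loopback {addr} must not be first or second")
    if len(servers) > GLIBC_MAX_NAMESERVERS:
        findings.append(
            f"{len(servers)} nameserver lines: glibc only uses the first {GLIBC_MAX_NAMESERVERS}"
        )
    return findings


def check_addon_domain(requested, protected=PROTECTED_DOMAINS):
    """Return None if the domain may be created, else the reason it is refused.

    Walks from the full name up through its parent zones so that a request for
    'mirror.example.com' is refused when 'example.com' is protected.
    """
    name = requested.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        return "malformed domain name"
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in protected:
            return f"'{requested}' is within protected zone '{candidate}'"
    return None


if __name__ == "__main__":
    # Constructed resolv.conf in the shape the thread argues against.
    risky = "search example.test\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
    for finding in lint_resolv_conf(risky):
        print("resolv.conf:", finding)
    for dom in ("shop.example.test", "mirror.example.com"):
        print(dom, "->", check_addon_domain(dom) or "allowed")
```

Run on a real host, the linter would read /etc/resolv.conf and the domain check would sit in whatever path creates zones for customers; here both take their input as strings so the logic can be exercised offline.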
