  1. Hardening resolv.conf

    I have a couple of DNS questions with regard to a hosting server acting in the capacity of a Hosting Service Provider.

    1. Is it more common for a server to provide its own DNS lookups:
    Code:
    cat > /etc/resolv.conf << "EOF"
    nameserver 127.0.0.1
    EOF
    or to have a set of specified DNS servers that it queries:
    Code:
    cat > /etc/resolv.conf << "EOF"
    nameserver 111.112.113.114
    nameserver 111.112.113.115
    EOF
    ???

    2. When a server is doing its own recursive lookups, I have come across a reference that there may be security repercussions to pointing the resolver towards the localhost at 127.0.0.1:

    http://www.eth0.us/?q=node/6

    Next we are going to do is harden resolv.conf because if improperly configured it can be used to spoof or create a DoS attack. First go ahead and open up the config file: You should see something like "nameserver xxx.xxx.xxx.xxx" and maybe "search xxx.com". The important thing is that 127.0.0.1 is NOT listed. At the top you should have your server's internet IP address. This will function basically the same as 127.0.0.1 as many servers were configured with but it is less prone to attacks.
    How could this type of configuration be used for an attack?

  2. I'm going to go ahead and bump this one back up to the top. Anyone have any clues?

  3. Hi,


    Personally I always use loopback in resolv.conf on all my servers... I think this so-called security issue is more a cPanel (& others) thing... or that's the only way I can think of that loopback in resolv.conf can cause problems... for example:

    a hosting provider uses cPanel and has a local nameserver and allows clients to create addon domains... then one night a client creates an addon domain "cpanel.net" or "imagemagick.org" or whatever domain cPanel gets its automatic updates from, and puts some trojaned RPMs there... and then the next time cPanel updates itself it installs the trojaned RPM with root privileges...

    Well, this is just a theory, but it's the only thing I can think of...


    Tero

  4. I think the eth0.us text is a little off-base.

    "At the top you should have your servers internet ip address. This will function basically the same as 127.0.0.1 as many servers were configured with but it is less prone to attacks." There's no real difference between that and 127.0.0.1 assuming the same resolver is listening on both, as far as security. You should use a remote caching nameserver.

    The main point should be that if you have a system where users can affect the DNS server (for example cPanel, or just about any control panel, where users have the ability to add domains), it's a risk to use the local resolver because there are cases where a user could create a domain that isn't really controlled by them (yahoo.com for example), and then redirect all traffic from that server to them because you are using the local server's DNS for queries. Now most control panels have some safeguards against this, but they are not foolproof (and some admins even turn them off).
    No monkey business.

  5. That's something I thought of too: what if someone adds something like "hotmail.com" and starts harvesting email that really should be relayed out?

    I don't allow users to add domains themselves, and this is one of the reasons...

  6. You can use 127.0.0.1 in resolv.conf, just don't use it as the first line, or second for that matter. Remember the resolv.conf file is there to help make your server function, and the nameserver IPs used should be valid ones.

    And WHM does provide an option to prevent common internet domains from being used. You'll find it in Tweak Settings. With that turned on you'll have no worries about someone trying to use hotmail.com, yahoo.com, etc.

  7. OK. I think that I've got the big picture now:

    Say that a domain hosted on your server has a payment gateway "paygate.usa" for an e-commerce site. The server could be tricked into delivering the payment information by a user that added a faked "paygate.usa" to the system. However, most control panels only allow set ranges of IP addresses to be used during domain creation, and payment transfers should be encrypted anyway, so there are multiple layers that would have to be overcome to make a forged domain usable.

    I still don't see any advantage to using 127.0.0.1 instead of the real IP address, except that maybe there could be some pre-made trojans available on the internet that automatically bind to the localhost and act as a bogus DNS server.
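The three checks the thread converges on (post 4: a hosted zone that shadows a name the server itself depends on; post 6: a loopback nameserver listed first in resolv.conf; post 7: a customer zone pointing outside the provider's own address ranges) can be scripted as one audit. The following is an added example written for this page, not code from any of the posters or from cPanel/WHM. The resolv.conf text, the hosted zone list, the dependency hostnames and the allowed network are all constructed sample data; replace them with the real files and lists on your server. The shadowing check is deliberately general: a zone counts as shadowing a hostname if it equals that hostname or is any parent of it, so a customer zone of "usa" or even "com" is caught, not only an exact "paygate.usa".

```python
import ipaddress

# --- Constructed sample inputs (not taken from the thread) ------------------

# What /etc/resolv.conf might look like on a control-panel box.
RESOLV_CONF = """\
# generated by the control panel
search example.com
nameserver 127.0.0.1        ; local BIND
nameserver 192.0.2.53       ; provider's caching resolver
"""

# Zones the local nameserver is authoritative for, as customers might have
# added them through a control panel, mapped to the A record they point at.
HOSTED_ZONES = {
    "customer-site.example": "198.51.100.10",
    "paygate.usa": "198.51.100.10",   # a forged payment-gateway zone (post 7)
    "hotmail.com": "203.0.113.7",     # a forged mail-provider zone (post 5)
}

# Hostnames this server itself must resolve honestly: an update mirror, a
# payment gateway used by a hosted shop, a remote mail host. Illustrative only.
DEPENDENCIES = ["updates.imagemagick.org", "paygate.usa", "mail.hotmail.com"]

# Address space the provider hands out to customers (constructed).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


# --- Checks -----------------------------------------------------------------

def parse_resolv_conf(text):
    """Return nameserver addresses in the order the stub resolver tries them.
    Comments start with '#' or ';' and may trail a directive."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def loopback_first(servers):
    """True when the first nameserver tried is a loopback address, i.e. the
    local (customer-influenced) nameserver answers before anything else."""
    if not servers:
        return False
    try:
        return ipaddress.ip_address(servers[0]).is_loopback
    except ValueError:
        return False


def zone_covers(zone, name):
    """True if a server authoritative for `zone` would answer queries for
    `name`: the zone is the name itself or one of its parent domains."""
    z = zone.lower().rstrip(".")
    n = name.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def shadowed_dependencies(zones, deps):
    """Map each dependency hostname to the hosted zone that would answer for it."""
    hits = {}
    for dep in deps:
        for zone in zones:
            if zone_covers(zone, dep):
                hits[dep] = zone
    return hits


def zones_outside_allowed(zones, nets):
    """Zones whose A record points outside the provider's own ranges."""
    bad = {}
    for zone, addr in zones.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            bad[zone] = addr
    return bad


def audit(resolv_text=RESOLV_CONF, zones=HOSTED_ZONES,
          deps=DEPENDENCIES, nets=ALLOWED_NETS):
    """Run all three checks and return the findings as one dict."""
    servers = parse_resolv_conf(resolv_text)
    return {
        "nameservers": servers,
        "loopback_first": loopback_first(servers),
        "shadowed": shadowed_dependencies(zones, deps),
        "outside_allowed": zones_outside_allowed(zones, nets),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed data the audit reports that 127.0.0.1 is tried first, that "paygate.usa" and "mail.hotmail.com" would be answered by customer-controlled zones, and that the hotmail.com zone points at an address outside the provider's range. A zone that legitimately belongs to a customer and shadows nothing the server depends on (customer-site.example here) is not flagged, which is the distinction posts 4 and 5 draw between normal hosting and a forged domain.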
