How to keep people out of private subdomains


New Member
Ever setup a subdomain in cPanel you didn't publicize in any way, like say, or, and still find hits for it showing up in your logs from all over the world? Well surprise, surprise: cPanel's default BIND configuration allows anonymous zone transfers, and this means that anyone anywhere can get a full list of every record in every zone you manage, even those you'd rather keep to yourself.

Obviously, sensitive content should be protected by a more robust means than simple obscurity, but it always helps if you don't advertise the things you don't want people looking at. If you want to see what your own copy of BIND is broadcasting, run the following script, passing it your domain name as its sole argument (e.g.


dig "$1" NS | grep -E '\.$' | awk '{ print $5 }' |
while read nameserver; do
	echo "Requesting zone transfer from $nameserver..."
	results=`dig @"$nameserver" "$1" AXFR +time=1 +tries=1 | grep -Ev '^;'`
	if [ -z "$results" ]; then
		echo "Transfer request denied (this is good)"
		echo " "
		echo "$nameserver responded to transfer request:"
		echo "$results"


If you want to stop it, add something like this to the options section of /etc/named.conf:

allow-transfer {;;;};

replacing the bogus IPs with the actual IPs of any nameservers you actually want to allow transfers to. If you don't want to allow any transfers, then simply supply a "none". Other options are available if managing slave nameservers is something you find yourself doing a lot of, but most people with VPS accounts probably don't. Restart BIND and try the script again.