Ever setup a subdomain in cPanel you didn't publicize in any way, like say, privatetestserver.mydomain.com or grandmaswebmail.mydomain.com, and still find hits for it showing up in your logs from all over the world? Well surprise, surprise: cPanel's default BIND configuration allows anonymous zone transfers, and this means that anyone anywhere can get a full list of every record in every zone you manage, even those you'd rather keep to yourself.
Obviously, sensitive content should be protected by a more robust means than simple obscurity, but it always helps if you don't advertise the things you don't want people looking at. If you want to see what your own copy of BIND is broadcasting, run the following script, passing it your domain name as its sole argument (e.g. google.com):
If you want to stop it, add something like this to the options section of /etc/named.conf:
replacing the bogus IPs with the actual IPs of any nameservers you actually want to allow transfers to. If you don't want to allow any transfers, then simply supply a "none". Other options are available if managing slave nameservers is something you find yourself doing a lot of, but most people with VPS accounts probably don't. Restart BIND and try the script again.
Obviously, sensitive content should be protected by a more robust means than simple obscurity, but it always helps if you don't advertise the things you don't want people looking at. If you want to see what your own copy of BIND is broadcasting, run the following script, passing it your domain name as its sole argument (e.g. google.com):
Code:
#!/bin/sh
dig "$1" NS | grep -E '\.$' | awk '{ print $5 }' |
while read nameserver; do
echo "Requesting zone transfer from $nameserver..."
results=`dig @"$nameserver" "$1" AXFR +time=1 +tries=1 | grep -Ev '^;'`
if [ -z "$results" ]; then
echo "Transfer request denied (this is good)"
else
echo " "
echo "$nameserver responded to transfer request:"
echo "$results"
fi
done
If you want to stop it, add something like this to the options section of /etc/named.conf:
Code:
allow-transfer {192.168.1.1; 192.168.1.2; 192.168.1.3;};
replacing the bogus IPs with the actual IPs of any nameservers you actually want to allow transfers to. If you don't want to allow any transfers, then simply supply a "none". Other options are available if managing slave nameservers is something you find yourself doing a lot of, but most people with VPS accounts probably don't. Restart BIND and try the script again.