Security when using Local DNS Resolver

SunnyInMTL

• January 03, 2018 12:49

Hello, My current hosting provider doesn't have a resolver in their datacenter and recommends me to use 127.0.0.1 as the primary resolver (configured in /etc/resolv.conf). However, wouldn't this pose a security risk when using WHMCS to automatically provision accounts? I have tweaked the settings and disabled remote domains; however, this only applies to addon domains and aliases. It doesn't apply to the main domain when initially creating the account. For example, user A purchases web hosting using WHMCS and chooses to use his existing domain, onto which he has to change later the nameservers on the registrar. He types in domainxyz.com, checks out and pays. WHMCS creates the account and the DNS zone for domainxyz.com is created. Now user A could have typed in any domain that he didn't own and the zone would still be created. Then, he could in theory modify the records for malicious intent. Afterwards, for example when user B on the same server tries to send an email to info@domainxyz.com, it will query the local resolver for domainxyz.com, which is contained and cached locally, so the resolver returns back the wrong MX records for domainxyz.com. The email is then sent to the mailbox that was maliciously created in user A's account. Is this right? Am I missing something? Because this is seems like a huge security risk. I thought of using public DNS resolvers, such as 8.8.8.8 and 8.8.4.4, but this isn't ideal as most RBLs impose query limits by IP. Since these IPs are shared amongst many many people, the limit is reached quickly and creates other considerable problems, such as spam email getting in or real email getting flagged as spam. How do major hosting companies avoid or mitigate this security risk?

• 

  cPanelMichael

  • January 05, 2018 15:51

  Hello, Yes, that's accurate. However, note the scenario you described can also happen when using remote DNS resolvers because newly created accounts will use the "Local Mail Exchanger" setting by default. This leads to the population of the domain name in the /etc/localdomains file and results in Exim processing emails for that domain name locally. I recommend opening a feature request if you'd like to see a "Allow Remote Domains" option implemented for new account creation: Thank you.

  0
• 

  SunnyInMTL

  • January 07, 2018 23:17

  Thanks Michael for clarifying the mail routing issue. Is there any way for Email::setmxcheck (API2) to check for MX records on a remote zone? For example, if the authoritative DNS is hosted on a remote server, would I be able to delete the zone on the local server (cPanel)? I tried deleting the zone and then using Email::setmxcheck, but it always returns "Remote" even though the MX records on the remote authoritative zone point to the local server. The security around mail routing is really troubling me now.

  0
• 

  SunnyInMTL

  • January 08, 2018 01:44

  ^ I tried editing my previous post but got an error. After some testing, I noticed that Email::setmxcheck only checks the local zone; so, I can't delete it. What I tried is keeping the DNS zone with only two records: SOA and MX. The MX points to mail.domain-of-the-account.com. If the NS records of the domain are pointed to the authoritative nameservers, then that hostname will resolve to the local server because of the A record that will reside on the authoritative zone. Setmxcheck will then set the routing to local. However, if mail.domain-of-the-account.com doesn't resolve, setmxcheck will set the routing to the last known setting. Can I have two hooks for post zone creation, the first one that will set the routing to remote, and then the second hook that will setmxcheck? Perhaps I should also set CRON to run setmxcheck every X hours, in order to allow for the DNS to propagate. Will cPanel be able to function with only a zone that contains SOA/MX records, alongside BIND, a local resolver, and remote authoritative nameservers?

  0
• 

  cPanelMichael

  • January 10, 2018 18:52

  Can I have two hooks for post zone creation, the first one that will set the routing to remote, and then the second hook that will setmxcheck? Perhaps I should also set CRON to run setmxcheck every X hours, in order to allow for the DNS to propagate. Will cPanel be able to function with only a zone that contains SOA/MX records, alongside BIND, a local resolver, and remote authoritative nameservers?

  
  Hello, You can setup multiple hooks that run after the account is created, yes. The DNS zone itself isn't required if the DNS for the domain name is handled on a remote server, but cPanel users may notice error messages when attempting to use options that require the default zone entries (e.g. Zone Editor, Email Authentication). That said, you may find the following UAPI function more useful: Here's a thread where it's use is discussed: Thank you.

  0

Please sign in to leave a comment.