Enable DNS zone transfers?

Comments

7 comments

  • Spork Schivago
    After I stopped freaking out real bad, I googled what AXFR is, and my understanding is it's a good thing and supposed to be happening. AXFR is a mechanism for replicating DNS data across DNS servers. If I change something on my DNS server, maybe create a new A record, the AXFR is what updates all the other DNS servers, so they can see the A record. Is that correct? I searched the log files and there are a bunch of IP addresses and failed messages with the AXFR thing. Maybe this topic shouldn't be in the security sub-forums but the DNS sub-forum. I think, from my reading, what I want to do is enable DNS zone transfers (the AXFR thing). I'm pretty sure my DNS server is a slave and it communicates with Linode's master DNS server. I still don't have all the DNS stuff down, so please correct me if I'm wrong. I want to enable AXFRs but I only want to tell my slave to communicate with Linode's master, so someone couldn't grab my zone data. Also, I think I want to sign the transfers. Hrmm, I wonder how I go about doing this.
    0
  • cPanelMichael
    Hello, could you verify which name server is installed on the system (e.g. BIND, PowerDNS)? Thanks!
    0
  • Spork Schivago
    Yup. It's PowerDNS. I also have that DNSSEC configured (hopefully, properly!).
    0
  • cPanelMichael
    Hello, AXFR is disabled by default in the PowerDNS configuration file:
    # grep disable-axfr=yes /etc/pdns/pdns.conf
    disable-axfr=yes
    You can test this by logging in via SSH as an individual cPanel user, and then attempting to query the nameserver for a domain that is not owned by that cPanel user:
    dig @127.0.0.1 cptest01.com AXFR
    The command should end with:
    ;; global options: +cmd
    ; Transfer failed.
    Note that we did update the pdns package to address an issue where this action was permitted for users with local connections when cPanel 60 was still in a development build: Fixed case CPANEL-8843: Update pdns to 3.4.9-5.cp1160. As far as enabling zone transfers, are you currently experiencing issues with your DNS configuration as it stands? Thank you.
    0
  • Spork Schivago
    The only issues I have are a decent number of "transfer failed" messages in the log, but I don't think this is an error. I think maybe if I understood things a bit better, it'd help. It seems people can figure out my network topology using these domain transfers, which would be a bad thing. But if that's bad, why do we have them in the first place? What are the benefits of having them enabled? I can't really find a lot of information on that. DNS works with AXFR disabled. So what exactly does AXFR allow the DNS server to do that it currently cannot do? I was thinking I could secure the transfers somehow. Signing them and maybe only allowing transfers to Linode's master server or whatever it's called. My understanding is domain transfers (AXFR) allows my DNS server's database (the zone) to be synchronized with other DNS servers. If this is the case, it'd be a good thing to have them enabled, at least for Linode's master server, right? If that's what DNS zone transfers are, I guess I don't understand why, when I edit my zone and add a new record, it eventually propagates to the rest of the DNS servers on the internet. Isn't that what AXFR does? With AXFR disabled, how do the other DNS servers know about my zone?
    0
  • cPanelMichael
    Hello, I believe you simply need more information to help understand the difference between a DNS query and a zone transfer. The top answer on the following StackOverflow thread is a good answer to help understand the difference:
    How can I list ALL DNS records?
    You may also find these URLs helpful:
    Is there a way to get the complete zone file for a domain without contacting its host?
    DNS zone transfer attack
    How to test for zone transfer?
    The Wikipedia page on zone transfers may also help:
    DNS zone transfer - Wikipedia
    My understanding is domain transfers (AXFR) allows my DNS server's database (the zone) to be synchronized with other DNS servers. If this is the case, it'd be a good thing to have them enabled, at least for Linode's master server, right?

    Yes, the transfer of DNS records from your cPanel server to the Linode DNS servers is done through AXFR queries. Their instructions require you to allow their specific IP addresses permission to make those queries. The process may have been completed for you on their behalf, but if not, they offer information about what happens at: Set Up DNS Services on cPanel Thank you.
    0
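The two checks cPanelMichael describes, reading the `disable-axfr` line in pdns.conf and reading the result of a `dig ... AXFR` against the server, can both be turned into a small audit. The following is an added example, not code from cPanel, PowerDNS or anyone in this thread. It assumes the PowerDNS authoritative-server settings `disable-axfr` (shown above) and `allow-axfr-ips` (the real PowerDNS setting that lists the addresses, such as a provider's secondary servers, that may request a transfer once transfers are enabled; its PowerDNS default is loopback only). All configuration snippets, IP addresses and dig transcripts below are constructed samples, not Linode's addresses or the poster's real output.

```python
"""Classify a PowerDNS zone-transfer policy and a dig AXFR transcript.

Added example (not cPanel's or PowerDNS's code). Assumes the PowerDNS
settings `disable-axfr` and `allow-axfr-ips`; all inputs are constructed.
"""
import ipaddress

# Constructed sample: the cPanel default quoted in the thread.
PDNS_CONF_DEFAULT = """
# PowerDNS configuration (constructed sample)
launch=bind
disable-axfr=yes
"""

# Constructed sample: transfers on, but only for two secondary addresses
# (documentation-range placeholders, not a real provider's servers).
PDNS_CONF_RESTRICTED = """
disable-axfr=no
allow-axfr-ips=192.0.2.10, 2001:db8::10
"""

# Constructed sample: transfers on for every address on the internet.
PDNS_CONF_OPEN = """
disable-axfr=no
allow-axfr-ips=0.0.0.0/0,::/0
"""

# Constructed dig transcripts: the refusal shown in the thread, and a
# successful transfer that hands back the zone's records.
DIG_TRANSFER_FAILED = """
; <<>> DiG 9.11 <<>> @127.0.0.1 cptest01.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""
DIG_TRANSFER_OK = """
; <<>> DiG 9.11 <<>> @127.0.0.1 example.test AXFR
;; global options: +cmd
example.test.  3600 IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400
example.test.  3600 IN NS  ns1.example.test.
www.example.test.  3600 IN A 192.0.2.20
example.test.  3600 IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 86400
;; Query time: 1 msec
"""


def parse_pdns_conf(text):
    """Parse pdns.conf key=value lines; '#' comments and blanks are ignored,
    and a later occurrence of a key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def allowed_axfr_networks(settings):
    """Networks permitted to request AXFR; PowerDNS's default is loopback only."""
    raw = settings.get("allow-axfr-ips", "127.0.0.0/8,::1")
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in raw.split(",") if e.strip()]


def axfr_policy(settings):
    """Return 'disabled', 'restricted' (specific peers only) or 'open' (any client)."""
    if settings.get("disable-axfr", "no").lower() in ("yes", "true", "on", "1"):
        return "disabled"
    # A zero-length prefix matches every address in that family: wide open.
    if any(net.prefixlen == 0 for net in allowed_axfr_networks(settings)):
        return "open"
    return "restricted"


def axfr_transfer_succeeded(dig_output):
    """True when a dig AXFR transcript contains zone records instead of the
    '; Transfer failed.' line the thread shows for a refused transfer."""
    if "Transfer failed" in dig_output:
        return False
    records = [l for l in dig_output.splitlines() if l.strip() and not l.startswith(";")]
    return len(records) > 0


if __name__ == "__main__":
    for name, conf in (("default", PDNS_CONF_DEFAULT),
                       ("restricted", PDNS_CONF_RESTRICTED),
                       ("open", PDNS_CONF_OPEN)):
        print(f"{name:10s} -> {axfr_policy(parse_pdns_conf(conf))}")
    print("refused transcript succeeded?", axfr_transfer_succeeded(DIG_TRANSFER_FAILED))
    print("successful transcript succeeded?", axfr_transfer_succeeded(DIG_TRANSFER_OK))
```

The policy check is what you want to see on a cPanel box: either `disabled`, or `restricted` with `allow-axfr-ips` holding only the secondary servers you actually replicate to. A successful transfer from an address that is not one of those peers is the "someone grabbed my zone" case the thread worries about, while the "transfer failed" log lines with unknown source addresses are refusals and are the expected outcome.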
  • Spork Schivago
    You're definitely right, cPanelMichael. I gotta read up on this DNS stuff and learn it a lot better. I don't know much about it at all. Thanks for the links. When I get some time, I'll read through all of them. Thanks!
    0