From time to time my configuration of cPanel hosting servers requires the ability to allow a Windows (or other) style DNS server to retrieve hosted DNS zones from the hosting server. By default AXFR is blocked with BIND/NSD on a cPanel box, and with good cause: a zone transfer hands out every record in the zone, which is a map of your infrastructure, so nobody outside a short list of servers should be able to ask for it. My configuration is an environment where Windows DNS servers are God, so in order to give the individual control over things like subdomains, MX entries and the plethora of cPanel-adjustable DNS items, I need a way of allowing the Windows box (or other DNS server) to get its primary records from the cPanel box. This comes in the form of a zone transfer (AXFR). While the cPanel box will answer normal queries, it certainly will not give up the entire zone of a domain unless we tell it to. So here is how to allow zone transfers to a specific list of sources.
- Create an ACL (access list) within named.conf
- Apply our new ACL to the allow-transfer setting in the main options block of named.conf
Get access to your cPanel server's console or SSH in with root permissions. Using your favourite editor, pico in my case, edit the following file. (This is the BIND configuration; if your cPanel box runs NSD instead, it does not read named.conf.)
pico /etc/named.conf
Here is the section of named.conf we are going to add our ACL to. This is prior to any changes, to show the default file.
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
WE WANT TO ADD HERE
options {
Here is an example of the same section with a basic ACL added. The acl block between controls and options is the new part; it has to be defined before the options block that refers to it, because named does not allow forward references to ACL names.
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
acl trusted-servers {
192.168.100.0/24; // showing an entire range allowed
123.122.123.122; // dns0.something.com
122.123.122.123; // dns1.something.com
};
options {
Above you can see we have allowed the entire 192.168.100.0/24 range (just an example of allowing a range of IPs) and we have added specific access for the two servers dns0 and dns1. Everything behind the // is ignored by named and is only there to comment the file so we can understand what we did when we need to view this file some random time in the future. It saves the headache of trying to figure out what the hell we did last time. Keep the list as short as you can: every address on it can pull the complete zone, so a whole range should only go in when every host in it genuinely needs to transfer.
Now all we need to do is add in the trusted-servers ACL we created! Find the bit below a little further down in named.conf, inside the options block:
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
/* memstatistics-file "data/named_mem_stats.txt"; */
allow-transfer { none; };
};
And below is the same area changed to add in the ACL we created. The only line that changes is allow-transfer: instead of none (nobody may transfer), it now names our ACL.
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
/* memstatistics-file "data/named_mem_stats.txt"; */
allow-transfer { trusted-servers; };
};
Save your changed file, then check it with named-checkconf /etc/named.conf before you touch the running service: it will point out a missing semicolon or a stray curly quote (the kind a web page or word processor pastes in place of a plain " character) that would otherwise stop named from starting. Then restart BIND. You can do this from the command line or simply from within the WHM panel. One caveat: a zone's own allow-transfer statement inside its zone block overrides this global one, so a zone that already carries its own setting keeps it.
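Before restarting named it is worth knowing exactly which sources the finished file admits. The script below is an added example written for this post (not cPanel's or BIND's own code): it pulls the acl and allow-transfer statements out of a named.conf fragment, resolves the ACL name, and answers for a given source address whether a zone transfer would be allowed, and whether the transfer list is open to everyone (the any case). The named.conf text embedded in it is a constructed sample modelled on the snippets above, using the same placeholder addresses. It understands IP prefixes, ACL names and the built-ins any, none and localhost only; negated (!) entries, TSIG key entries and localnets are rejected rather than guessed at, and it reads the first allow-transfer statement it finds, i.e. the global one in options, not any per-zone override.

```python
"""Offline audit of the allow-transfer list in a BIND named.conf fragment.

Added example for this post, not cPanel's or BIND's code.  Only IP prefixes,
ACL names and the built-ins any/none/localhost are evaluated; anything else
raises rather than silently returning a wrong answer.
"""
import ipaddress
import re

# Constructed sample modelled on the post's snippets (placeholder addresses).
SAMPLE_NAMED_CONF = """\
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
acl trusted-servers {
    192.168.100.0/24; // showing an entire range allowed
    123.122.123.122; // dns0.something.com
    122.123.122.123; // dns1.something.com
};
options {
    directory "/var/named"; // the default
    allow-transfer { trusted-servers; };
};
"""

ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
TRANSFER_RE = re.compile(r'\ballow-transfer\s*\{([^}]*)\}\s*;')
BUILTIN = {"any", "none", "localhost", "localnets"}


def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so a commented-out entry cannot fool us."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def split_elements(body: str) -> list:
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf: str) -> dict:
    """Map each acl name to its list of elements."""
    return {name: split_elements(body)
            for name, body in ACL_RE.findall(strip_comments(conf))}


def transfer_list(conf: str) -> list:
    """Elements of the first allow-transfer statement (the global one)."""
    m = TRANSFER_RE.search(strip_comments(conf))
    if m is None:
        raise ValueError("no allow-transfer statement found")
    return split_elements(m.group(1))


def element_matches(element: str, ip, acls: dict, seen=frozenset()) -> bool:
    """True if one non-negated element covers the source address."""
    if element.startswith("!") or element == "localnets":
        raise ValueError("out of scope for this offline audit: " + element)
    if element == "any":
        return True
    if element == "none":
        return False  # 'none' never matches anything
    if element == "localhost":
        return ip.is_loopback  # approximation: named also matches its own interface addresses
    if element in acls:  # a reference to another acl; guard against loops
        if element in seen:
            raise ValueError("acl references itself: " + element)
        return any(element_matches(e, ip, acls, seen | {element}) for e in acls[element])
    network = ipaddress.ip_network(element, strict=False)  # host or prefix
    return ip.version == network.version and ip in network


def transfer_allowed(conf: str, source: str) -> bool:
    """Would named let this source address AXFR a zone under the global list?"""
    ip = ipaddress.ip_address(source)
    acls = parse_acls(conf)
    return any(element_matches(e, ip, acls) for e in transfer_list(conf))


def open_to_world(conf: str) -> bool:
    """True when the transfer list reaches 'any' or a zero-length prefix."""
    acls = parse_acls(conf)

    def expand(elements, seen=frozenset()):
        for e in elements:
            if e in acls and e not in seen:
                yield from expand(acls[e], seen | {e})
            else:
                yield e

    for e in expand(transfer_list(conf)):
        if e == "any":
            return True
        if e not in BUILTIN and not e.startswith("!"):
            if ipaddress.ip_network(e, strict=False).prefixlen == 0:
                return True
    return False


if __name__ == "__main__":
    # Swap SAMPLE_NAMED_CONF for open("/etc/named.conf").read() on a real box.
    for src in ("192.168.100.7", "123.122.123.122", "203.0.113.9"):
        verdict = "allowed" if transfer_allowed(SAMPLE_NAMED_CONF, src) else "denied"
        print(f"{src}: zone transfer {verdict}")
    print("open to the world:", open_to_world(SAMPLE_NAMED_CONF))
```

Run it as is to see the sample verdicts; point it at /etc/named.conf to audit the real file. The open_to_world check is the one to keep around: allow-transfer { any; } is the mistake that turns this whole exercise into a public copy of your zones.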
Now TEST! From an allowed source you can use nslookup. If it's a Windows box, simply run nslookup, point it at the cPanel server with the server command, then ls -d domainname.com, where domainname.com is a domain hosted on the cPanel server. You should receive a copy of the entire zone on screen:
C:\>nslookup
> server my.cpanelhost.com
> ls -d domainname.com
Zone information will be displayed. On a Linux box the ls command is not available in nslookup; use dig instead:
dig @my.cpanelhost.com domainname.com AXFR
Test from a source that is not in the ACL as well: it should be refused (dig reports "Transfer failed.") rather than given the zone, which confirms the ACL is actually doing its job.
Any questions, put them in the comments.