Configuring AXFR using ACLs with BIND/NSD on CPanel

From time to time my configuration of CPanel hosting servers requires allowing a Windows (or other) DNS server to retrieve the hosted DNS zones from the hosting server. By default AXFR is blocked by BIND on a CPanel box, and with good cause: a zone transfer hands out every record in a zone in one go, which is exactly the enumeration an attacker wants, so it should only ever be open to the secondaries you name. In my environment Windows DNS servers are king, so in order to give the individual control over things like subdomains, MX entries and the plethora of CPanel-adjustable DNS items, I need a way for the Windows box (or other DNS server) to pull its primary records from the CPanel box. That is a zone transfer (AXFR). The CPanel box will happily answer ordinary queries, but it will not give up the entire zone of a domain unless we tell it to. So here is how to allow zone transfers to a specific list of sources.

Everything below is BIND configuration (named.conf). If your CPanel server runs NSD instead, the same restriction lives in nsd.conf (its provide-xfr setting) and the syntax shown here does not apply.

  1. Create an ACL (Access List) within named.conf
  2. Get access to your CPanel server's console, or SSH in with root permissions. Using your favourite editor (pico in my case), edit the following file:

    pico /etc/named.conf

    Here is the section of named.conf we are going to add our ACL to, shown before any changes so you can find it in the default file:

    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };
    // WE WANT TO ADD HERE
    options {

    Here is the same section with a basic ACL added (the acl block is the new part):

    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };
    acl trusted-servers {
    192.168.100.0/24;   // showing an entire range allowed
    123.122.123.122;     // dns0.something.com
    122.123.122.123;     // dns1.something.com
    };

    options {

    Above we have allowed the entire 192.168.100.0/24 range (just an example of allowing a range of IPs) and added specific access for the two hosts dns0 and dns1. Everything after // is ignored by BIND and only serves to comment the file, so we can understand what we did when we look at it again some random time in the future. It saves the headache of trying to figure out what the hell we did last time :)

    Keep this list as tight as you can: every address in it can pull every record of every zone the server hosts, so a whole range is only appropriate when you genuinely control all of it. Entries are checked in order and the first match decides, which matters if you ever add negated (!) entries. Bear in mind too that an address-based ACL trusts whoever holds that address; if the secondary supports TSIG, BIND's allow-transfer can match on a key entry instead of (or as well as) an IP, which is the stronger control.

  3. Apply our new ACL to the main options in named.conf
    Now all we need to do is reference the trusted-servers ACL we created. Find the section below a little further down in named.conf, inside the options block:

    // Put files that named is allowed to write in the data/ directory:
    directory                "/var/named"; // the default
    pid-file                 "/var/run/named/named.pid";
    dump-file                "data/cache_dump.db";
    statistics-file          "data/named_stats.txt";
    /* memstatistics-file     "data/named_mem_stats.txt"; */
    allow-transfer {none;};
    };

    Below is the same area changed to use the ACL we created (only the allow-transfer line differs):

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    /* memstatistics-file "data/named_mem_stats.txt"; */
    allow-transfer { trusted-servers; };
    };

    Note that this allow-transfer sits in options, so it is the default for every zone; a zone block with its own allow-transfer overrides it. Save your changed file, check the syntax with named-checkconf, and restart (or reload) BIND. You can do this from the command line or simply from within the WHM panel.
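    Before restarting, it helps to be sure the ACL says what you think it says, particularly once it grows past a couple of entries. The following is an added example for this post (not cPanel's or BIND's own code, and no substitute for named-checkconf): it reads the acl blocks and the global allow-transfer list out of a constructed named.conf fragment and evaluates a client against them the way named does. Entries are tested in order and the first match decides, a matching ! entry denies, any/none/localhost are built-ins, a key entry only matches a TSIG-signed request, and a list with no match denies. The fragment extends the trusted-servers ACL above with a negated host and a TSIG key name (win-dns-tsig) purely to exercise those rules; both are assumptions for the example, as is the file name.

```python
"""Evaluate BIND's allow-transfer decision for a named.conf excerpt.

Added example, not cPanel's or BIND's code.  Usage: python3 axfr_acl_check.py
"""
import ipaddress
import re

# Constructed sample config: the post's trusted-servers ACL, extended with a
# negated host and a TSIG key (both assumed here) to exercise every rule below.
NAMED_CONF = r'''
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
acl trusted-servers {
    !192.168.100.13;     // a host inside the range that must NOT pull zones
    192.168.100.0/24;    // order matters: this line would otherwise allow .13
    123.122.123.122;     // dns0.something.com
    122.123.122.123;     // dns1.something.com
    key "win-dns-tsig";  // a TSIG-signed secondary, whatever its address
};
options {
    directory "/var/named"; // the default
    allow-transfer { trusted-servers; };
};
'''

BUILTINS = {
    "any": lambda ip: True,
    "none": lambda ip: False,
    "localhost": lambda ip: ip.is_loopback,
}


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def split_list(body):
    """'a; b ;c;' -> ['a', 'b', 'c']"""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    """{name: [entries]} for every `acl name { ... };` in comment-free text."""
    pat = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}\s*;')
    return {m.group(1): split_list(m.group(2)) for m in pat.finditer(text)}


def block_body(text, keyword):
    """Text between the braces of the first `keyword { ... }`, nesting-aware."""
    m = re.search(r"\b" + keyword + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces in " + keyword)


def global_allow_transfer(text):
    """The allow-transfer list inside options { }.  A per-zone allow-transfer
    overrides it in BIND; this example models only the global default."""
    m = re.search(r"\ballow-transfer\s*\{([^{}]*)\}", block_body(text, "options") or "")
    if not m:
        raise ValueError("no allow-transfer in options; set it explicitly")
    return split_list(m.group(1))


def match_list(entries, ip, signer, acls, depth=0):
    """Walk an address_match_list in order.  True = a positive entry matched,
    False = a negated entry matched, None = nothing matched."""
    if depth > 8:
        raise ValueError("ACL nesting too deep; does an acl reference itself?")
    for entry in entries:
        negated = entry.startswith("!")
        term = entry.lstrip("!").strip()
        key = re.match(r'key\s+"?([\w.-]+)"?$', term)
        if key:
            hit = signer is not None and signer == key.group(1)
        elif term in BUILTINS:
            hit = BUILTINS[term](ip)
        elif term.strip('"') in acls:
            # named treats a negated match inside a nested acl as "no match",
            # so an inner `!` can never turn into a surprise allow out here.
            hit = match_list(acls[term.strip('"')], ip, signer, acls, depth + 1) is True
        else:
            try:
                hit = ip in ipaddress.ip_network(term, strict=False)
            except ValueError:
                raise ValueError(f"unknown ACL element {term!r}: typo in an acl name?") from None
        if hit:
            return not negated
    return None


def axfr_allowed(conf_text, client_ip, signer=None):
    """Would named hand the whole zone to client_ip (optionally TSIG-signed
    with key `signer`) under the global allow-transfer?  No match means deny."""
    text = strip_comments(conf_text)
    allow = global_allow_transfer(text)
    return match_list(allow, ipaddress.ip_address(client_ip), signer, parse_acls(text)) is True


if __name__ == "__main__":
    for ip, signer in [("192.168.100.50", None), ("192.168.100.13", None),
                       ("123.122.123.122", None), ("8.8.8.8", None),
                       ("8.8.8.8", "win-dns-tsig")]:
        verdict = "ALLOW" if axfr_allowed(NAMED_CONF, ip, signer) else "DENY"
        print(f"{ip:<16} {signer or '(unsigned)':<12} {verdict}")
```

    Running it shows 192.168.100.50 allowed but 192.168.100.13 denied, because the negated entry is listed before the /24 and the first match wins; swap those two lines in the sample and .13 is allowed again, which is the ordering mistake to watch for. A typo in an acl name surfaces as an error instead of a silent deny, and an unlisted address is allowed only when it presents the named TSIG key.
    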

Now TEST! From an allowed source you can use nslookup from the command line. If it is a Windows box, run nslookup, point it at the CPanel server with the server command, then ask for the zone with ls -d domainname.com, domainname.com being a domain hosted on the CPanel server. You should receive a copy of the entire zone on screen! :) (On a Unix host the equivalent is dig @my.cpanelhost.com domainname.com AXFR.) Then repeat the test from an address that is not in the ACL: the transfer must be refused, and BIND logs the refusal as a denied zone transfer. If the second test succeeds, the ACL is not doing its job. Any questions, put them in the comments.

C:\>nslookup
> server my.cpanelhost.com
> ls -d domainname.com
(the zone's records are listed here)



3 Responses to “Configuring AXFR using ACLs with BIND/NSD on CPanel”

  1. amin yuliastanto April 21, 2011 at 4:33 am #

    But every time cPanel updates or adds a new zone it will rebuild /etc/named.conf again and your edit will be gone.

    How do you fix that? Manually edit /etc/named.conf again?

    • Josh April 21, 2011 at 4:14 pm #

      I suspect the CPanel update may run a script to update portions within named.conf, as the last couple of updates haven't removed my AXFR edits on the servers I manage.
      For good measure it would be worthwhile keeping a backup of your named.conf files to reference, and testing AXFR after each major CPanel update.

      Certainly adding new zones won't affect this; zones are new zone files referenced from named.conf, then the service is restarted. No changes to this initial portion of the file at all.

      Cheers

Trackbacks/Pingbacks

  1. Configuring AXFR (zone transfer) using ACL’s with BIND on CPanel | whatever... - May 9, 2011

    […] detail see:http://www.techhelpblog.com/2010/08/07/configuring-axfr-using-acls-with-bind-on-cpanel/ […]
