ISPConfig: 3 tips for safer DNS
On this server I am currently using ISPConfig to provide myself with a simple web interface for managing my domains, email and DNS etc. As with the majority of web based virtual-hosting interfaces ISPConfig needs a little tweaking to get running properly. A couple of weeks ago I noticed three possible issues regarding the default configuration of the DNS server.
By default ISPConfig writes the BIND config file with the bare minimum of options, literally enough to allow you to serve up information about your domains. This is how the developers intended things to work, and I agree with them. But I also feel that the majority of ISPConfig users probably don't want anyone to be able to use their DNS server to perform lookups on any domain, nor would they want their DNS to respond on any IP address that the server may have.
ISPConfig is relatively simple to understand once you start to poke under the bonnet. Each time you make a change to a domain, website, email account, etc. the configuration files are rewritten to the file-system from a default template, or "master file". This means that if you make any adjustments to a domain name then your BIND config file is going to lose any changes you have made manually.
Open up /etc/bind/named.conf in the text editor of your choice. Scroll all the way to the bottom and notice how ISPConfig has added the following line:
//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////
Anything you enter here will remain intact when you make changes from the web interface. This is useful for adding domains that you may not want to control from the web, but not so good if you want to add to the options section (all the way at the top of the file).
In order to make manual adjustments to this section you'll need to change the actual template that ISPConfig is using to create the config file. cd to /root/ispconfig/isp/conf/ and have a look at the files in there. These are all the "master config" files, or templates, used each time a change is made.
apollo:~/ispconfig/isp/conf# ls
antivirus.rc.master openssl.cnf.master
autoresponder.rc.master pri.domain.master
bastille-firewall.cfg.master procmailrc.master
check_services.php.master proftpd_ispconfig.conf.master
customized_templates quota.rc.master
db.local.master reverse_zone.in-addr.arpa.master
db.root.master sendmail.cw.master
forward.master spamassassin.rc.master
freebsd_firewall.master trashscan.master
htaccess.master user_prefs.master
html-trap.rc.master vacation.msg.master
htpasswd.master vhost.conf.master
local-rules.rc.master virtusertable.master
mailsize.rc.master vsftpd.conf.master
named.conf.master
named.conf.master is the file needed for the bind config file, so open that in an editor. Inside the "options" braces add the following:
allow-recursion {
localhost;
};
This means that the DNS server will only provide a resolving service to localhost, allowing your websites and log parsers to resolve domains, but denying any public access. You could of course enter a private subnet, or a trusted set of IPs if you do want to allow some resolution.
Next, I added the following to ensure the DNS server was only responding to requests being made on my designated interface.
listen-on port 53 {
80.68.95.229;
127.0.0.1;
};
As a final good measure I thought I'd also limit which machines can perform an AXFR transfer. Again, inside the options braces add the following, replacing the IP address with your slave's address (unless you too are with Bytemark). Please note: I'm not that familiar with AXFR, if anyone else is able to provide a way for me to test that my DNS truly doesn't allow AXFR transfers to everyone I'd be very grateful/able to sleep at night.
allow-transfer {
80.68.88.52;
};
Finally, log in to your control panel and make a change to one of your domains so that ISPConfig rewrites the config file from the edited template. Wait a minute for that to happen, then open up your terminal and run some lookups.
rita:~ danieldavies$ nslookup www.danux.co.uk 80.68.95.229
Server: 80.68.95.229
Address: 80.68.95.229#53
Name: www.danux.co.uk
Address: 80.68.91.44
rita:~ danieldavies$ nslookup google.co.uk 80.68.95.229
Server: 80.68.95.229
Address: 80.68.95.229#53
Non-authoritative answer:
*** Can't find google.co.uk: No answer
rita:~ danieldavies$ nslookup www.danux.co.uk 80.68.95.225
;; connection timed out; no servers could be reached
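To go with the manual nslookup checks above, here is a small audit script, added here as an example and not part of the original post or of ISPConfig, that reads a BIND config (such as the named.conf that ISPConfig regenerates, or named.conf.master itself) and reports whether the three options this post adds are present and whether any of them is left open with "any". The two config texts inside the script are constructed samples, one mirroring the hardened options block from this post and one left at a permissive default.

```python
import re

# Constructed sample: the hardened options block from the post, plus a zone stanza.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    allow-recursion {
        localhost;
    };
    listen-on port 53 {
        80.68.95.229;
        127.0.0.1;
    };
    allow-transfer {
        80.68.88.52;
    };
};

zone "danux.co.uk" {
    type master;
    file "/etc/bind/pri.danux.co.uk";
};
"""

# Constructed sample: a config that never restricts recursion or the listening
# address and explicitly allows zone transfers to anyone.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    allow-transfer { any; };  // permissive
};
"""

# The three option statements this post adds to named.conf.master.
CHECKED = ("allow-recursion", "listen-on", "allow-transfer")


def strip_comments(text):
    """Drop BIND's /* */, // and # comments so they cannot confuse the brace matching."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text, keyword):
    """Return the text between the braces of the first `keyword ... { ... }` statement.

    Brace depth is tracked so nested statements (listen-on inside options) are handled;
    returns None when the statement is absent.
    """
    m = re.search(r"\b" + re.escape(keyword) + r"(?![\w-])[^{;]*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def acl_entries(block):
    """Split an address-match list body ("a; b;") into its entries."""
    return [e.strip() for e in block.split(";") if e.strip()]


def audit_bind_options(conf_text):
    """Return (entries, findings): the entries of each checked ACL and a list of problems."""
    options = extract_block(strip_comments(conf_text), "options")
    entries, findings = {}, []
    if options is None:
        return entries, ["no options block found"]
    for key in CHECKED:
        block = extract_block(options, key)
        if block is None:
            entries[key] = None
            findings.append(f"{key} not set (BIND's built-in default applies)")
            continue
        entries[key] = acl_entries(block)
        if "any" in entries[key]:
            findings.append(f"{key} allows any host")
    return entries, findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        entries, findings = audit_bind_options(conf)
        print(f"{name}: {entries}")
        for f in findings:
            print(f"  finding: {f}")
```

To run it against the real file, replace the sample text with the contents of /etc/bind/named.conf after ISPConfig has rewritten it; an empty findings list means the three restrictions survived the rewrite. For the AXFR question raised above, the equivalent of the nslookup test is to run dig from a host that is not the slave, e.g. "dig @80.68.95.229 danux.co.uk AXFR": a server whose allow-transfer list excludes that host answers with "Transfer failed." instead of the zone contents. named-checkconf is also worth running after each rewrite, since a syntax error in the template silently breaks the whole generated config.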
Much better :) I recommend all ISPConfig users take a look through each of the config files. You are free to write them however you like, enabling or disabling whatever you want. I'll probably write some more about ISPConfig in the near future, including a report of my experiences making mod_python a hosting package option complete with form.