cPanel® Blog

Open Resolver Handling with Bind on CentOS 5.x cannot Update to 9.7 [Workaround][Old]

Edit: This information is old and may no longer be relevant.

An open resolver is a DNS server that will answer a recursive query for an arbitrary domain from any IP address. An open resolver can be used in a reflection DDoS. Only subnets controlled by the organization should be allowed to send recursive queries to a DNS server. [1]
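As an added illustration that is not part of the original post, a named.conf fragment showing the open-resolver setting beside the restricted one; the 203.0.113.0/24 and 198.51.100.0/24 subnets are placeholder documentation ranges standing in for the networks the organization actually controls.

```conf
// Added example, not from the original post. The two "options" blocks are
// alternatives (before / after); a real named.conf contains only one.
// Subnets are placeholders (RFC 5737 documentation ranges); replace them
// with the networks you control.

// BEFORE (open resolver): recursion is on and no allow-recursion is set,
// so on BIND 9.3-era defaults any Internet host can use this server as a
// recursive resolver, which is what makes it usable as a DDoS reflector.
options {
    directory "/var/named";
    recursion yes;
};

// AFTER (restricted): name the trusted networks in an ACL and permit
// recursion, and reads from the cache, only from them. Hosts outside the
// ACL still get authoritative answers for the zones this server hosts.
acl "trusted" {
    127.0.0.1;
    203.0.113.0/24;
    198.51.100.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};

// Check the syntax and apply:
//   named-checkconf /etc/named.conf && rndc reload
// A recursive lookup for a name you do not host, sent from outside
// "trusted", should now be refused while your own zones still answer.
```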

The problem is that bind on CentOS 5.x comes from Red Hat, which has locked that release to the older bind 9.3. There is a way to get over to bind 9.7, but it is a bit beyond our scope of support. Once you are on bind 9.7, cPanel will work with it just fine, but you have to move it over yourself. Alternatively, you could just move to CentOS 6.

WARNING: THESE STEPS HAVE NOT BEEN TESTED BEYOND BASIC TESTING

-bash-3.2# cp -Rf /var/named/ /var/named.bak
-bash-3.2# /scripts/update_local_rpm_versions --edit target_settings.named uninstalled
-bash-3.2# /scripts/update_local_rpm_versions --edit target_settings.bind uninstalled

-bash-3.2# rpm -e bind bind-utils bind-devel bind-libs caching-nameserver

At this point bind is removed, but you still need to install the new version.

-bash-3.2# yum -y install bind97 bind97-libs bind97-utils bind97-devel
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.anl.gov
* extras: mirror.rackspace.com
* updates: mirrors.finalasp.com
Excluding Packages in global exclude list
Finished
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind97.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-devel.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-libs.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-utils.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================
Package Arch Version Repository Size
=======================================================================
Installing:
bind97 i386 32:9.7.0-17.P2.el5_9.1 updates 3.5 M
bind97-devel i386 32:9.7.0-17.P2.el5_9.1 updates 326 k
bind97-libs i386 32:9.7.0-17.P2.el5_9.1 updates 885 k
bind97-utils i386 32:9.7.0-17.P2.el5_9.1 updates 188 k

Transaction Summary
=======================================================================
Install 4 Package(s)
Upgrade 0 Package(s)

Total download size: 4.8 M
Downloading Packages:
(1/4): bind97-utils-9.7.0-17.P2.el5_9.1.i386.rpm | 188 kB 00:00
(2/4): bind97-devel-9.7.0-17.P2.el5_9.1.i386.rpm | 326 kB 00:01
(3/4): bind97-libs-9.7.0-17.P2.el5_9.1.i386.rpm | 885 kB 00:02
(4/4): bind97-9.7.0-17.P2.el5_9.1.i386.rpm | 3.5 MB 00:04
-----------------------------------------------------------------------
Total 567 kB/s | 4.8 MB 00:08
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : bind97-libs 1/4
Installing : bind97 2/4
Installing : bind97-devel 3/4
Installing : bind97-utils 4/4

Installed:
bind97.i386 32:9.7.0-17.P2.el5_9.1 bind97-devel.i386 32:9.7.0-17.P2.el5_9.1
bind97-libs.i386 32:9.7.0-17.P2.el5_9.1 bind97-utils.i386 32:9.7.0-17.P2.el5_9.1

Complete!

This gets you over to the new version. You now need to cd into /var/named to ensure your zone files are there. If they are, you're a short

/usr/local/cpanel/scripts/rebuilddnsconfig

away from your update. If they're missing, copy them over from the backup you made at the start. They shouldn't get moved, but it's worth checking before you go crazy looking for them. Restart named and you can check whether your update worked via the status command.

-bash-3.2# /etc/init.d/named status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.1
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 3695) is running...

That is it, you should be up and running!

[1] http://www.practicalsysadmin.com/wiki/index.php/Open_resolvers