Open Resolver Handling with Bind on CentOS 5.x: Cannot Update to 9.7 [Workaround][Old]

Edit: This information is old and may no longer be relevant.

An open resolver is a DNS server that answers recursive queries for arbitrary domains from any source IP address. An open resolver can be abused as an amplifier in a reflection DDoS. Only subnets controlled by the organization should be allowed to make recursive queries against a DNS server. [1]

The problem is that bind on CentOS 5.x comes from Red Hat, which has pinned that release to the older bind 9.3. There is a way to move over to bind 9.7, but it is a bit beyond our scope of support. Once you are on bind 9.7, cPanel works with it just fine, but you have to do the move yourself. Alternatively, you could just move to CentOS 6.

WARNING THESE HAVE NOT BEEN TESTED BEYOND BASIC TESTING

-bash-3.2# cp -Rf /var/named/ /var/named.bak
-bash-3.2# /scripts/update_local_rpm_versions --edit target_settings.named uninstalled
-bash-3.2# /scripts/update_local_rpm_versions --edit target_settings.bind uninstalled

-bash-3.2# rpm -e bind bind-utils bind-devel bind-libs caching-nameserver

At this point bind is removed, but you still need to install the new version.

-bash-3.2# yum -y install bind97 bind97-libs bind97-utils bind97-devel
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.anl.gov
* extras: mirror.rackspace.com
* updates: mirrors.finalasp.com
Excluding Packages in global exclude list
Finished
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind97.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-devel.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-libs.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
---> Package bind97-utils.i386 32:9.7.0-17.P2.el5_9.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================
Package Arch Version Repository Size
=======================================================================
Installing:
bind97 i386 32:9.7.0-17.P2.el5_9.1 updates 3.5 M
bind97-devel i386 32:9.7.0-17.P2.el5_9.1 updates 326 k
bind97-libs i386 32:9.7.0-17.P2.el5_9.1 updates 885 k
bind97-utils i386 32:9.7.0-17.P2.el5_9.1 updates 188 k

Transaction Summary
=======================================================================
Install 4 Package(s)
Upgrade 0 Package(s)

Total download size: 4.8 M
Downloading Packages:
(1/4): bind97-utils-9.7.0-17.P2.el5_9.1.i386.rpm | 188 kB 00:00
(2/4): bind97-devel-9.7.0-17.P2.el5_9.1.i386.rpm | 326 kB 00:01
(3/4): bind97-libs-9.7.0-17.P2.el5_9.1.i386.rpm | 885 kB 00:02
(4/4): bind97-9.7.0-17.P2.el5_9.1.i386.rpm | 3.5 MB 00:04
-----------------------------------------------------------------------
Total 567 kB/s | 4.8 MB 00:08
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : bind97-libs 1/4
Installing : bind97 2/4
Installing : bind97-devel 3/4
Installing : bind97-utils 4/4

Installed:
bind97.i386 32:9.7.0-17.P2.el5_9.1 bind97-devel.i386 32:9.7.0-17.P2.el5_9.1
bind97-libs.i386 32:9.7.0-17.P2.el5_9.1 bind97-utils.i386 32:9.7.0-17.P2.el5_9.1

Complete!

This gets you over to the new version. Now cd into /var/named and confirm your zone files are still there. If they are, you are a single run of

/usr/local/cpanel/scripts/rebuilddnsconfig

away from your update. If they are missing, copy them back from the backup you made at the start. They should not get moved, but it is worth checking before you go crazy looking for them. Restart named, then confirm the update took via the status command.

-bash-3.2# /etc/init.d/named status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.1
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 3695) is running...

That is it, you should be up and running!
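Moving to bind97 only helps if recursion is actually limited to your own subnets, so here is an added post-migration check (example code, not from the original post or from cPanel). It parses the allow-recursion list out of a named.conf body and flags "any" or catch-all prefixes; the ACL name "trusted", the sample subnets and the /etc/named.conf path are assumptions.

```shell
#!/bin/sh
# Added example: confirm the server is not an open resolver after the upgrade.
# Weak configuration (constructed sample): anyone may recurse, i.e. an open resolver.
WEAK_CONF='options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};'

# Corrected configuration (constructed sample): recursion only from subnets the
# organization controls. Replace the subnets with your own; "trusted" is an assumed name.
FIXED_CONF='acl "trusted" { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};'

# Print the body of the allow-recursion block from a named.conf read on stdin,
# with whitespace removed (e.g. "trusted;" or "any;"). Line comments are stripped
# first so a commented-out "any" is not counted. Does not follow include statements.
recursion_acl() {
    sed -e 's|//.*$||' -e 's|#.*$||' |
        tr '\n' ' ' |
        sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr -d ' '
}

# Exit 0 when recursion is restricted, 1 when it is open to everyone,
# 2 when the directive is missing (the defaults then need review).
recursion_restricted() {
    acl=$(printf '%s\n' "$1" | recursion_acl)
    [ -n "$acl" ] || return 2
    for entry in $(printf '%s\n' "$acl" | tr ';' ' '); do
        case "$entry" in
            any|0.0.0.0/0|::/0) return 1 ;;   # catch-all entry: open resolver
        esac
    done
    return 0
}

# Usage on the box after the upgrade (assumed config path): ./check.sh --check
if [ "${1:-}" = "--check" ]; then
    if recursion_restricted "$(cat /etc/named.conf)"; then
        echo "allow-recursion is restricted"
    else
        echo "WARNING: allow-recursion is missing or open" >&2
        exit 1
    fi
fi
```

Pair the file check with a live test from a host outside your subnets (dig against the server for a name you are not authoritative for); a refused or empty answer means recursion is closed.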

[1] http://www.practicalsysadmin.com/wiki/index.php/Open_resolvers

This entry was posted in Tips & Tricks.
  • Travis

    There are a few more lines you should add to the exclude to make things work with the updates.

    /scripts/update_local_rpm_versions --edit target_settings.bind uninstalled

    /scripts/update_local_rpm_versions --edit target_settings.bind-devel uninstalled

    /scripts/update_local_rpm_versions --edit target_settings.bind-libs uninstalled

    /scripts/update_local_rpm_versions --edit target_settings.bind-utils uninstalled

    /scripts/update_local_rpm_versions --edit target_settings.caching-nameserver uninstalled

  • https://openid.stackexchange.com/user/2f60c68c-3d17-43b0-858b-0661cfd5bafa mysticeti

    Any thoughts on how to avoid the upcp package conflicts?

    • http://twitter.com/bmurts Brendan Murtagh

      Hey mysticeti, I ended up rolling back and pretty much just reversed those steps. I ran into a little issue because during the bind97 install, I needed to install both i386 and x86_64 packages, but after that, I reinstalled and rebuilt the DNS using usr/local/cpanel/scripts/rebuilddnsconfig

      After that was all complete, I was able to update cPanel/WHM to the latest release without error.

      In all honesty, the conflicts should be addressed in this blog post or the post should be removed since this post causes more trouble than it is worth.

  • http://twitter.com/bmurts Brendan Murtagh

    The problem with this is when cPanel attempts to perform an update and you receive failure notifications because of bind vs bind97 conflicts. How do you propose those conflicts are corrected or what are the rollback procedures?

    [20130416.032156] ---> Package bind.x86_64 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package bind-devel.i386 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package bind-devel.x86_64 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package bind-libs.i386 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package bind-libs.x86_64 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package bind-utils.x86_64 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032157] ---> Package caching-nameserver.x86_64 30:9.3.6-20.P1.el5_8.6 set to be updated
    [20130416.032159] --> Processing Conflict: bind97-utils conflicts bind-utils
    [20130416.032159] --> Processing Conflict: bind97-libs conflicts bind-libs
    [20130416.032159] --> Processing Conflict: bind97-libs conflicts bind-libs
    [20130416.032159] --> Processing Conflict: bind97 conflicts bind
    [20130416.032159] --> Processing Conflict: bind97 conflicts caching-nameserver
    [20130416.032159] --> Processing Conflict: bind97-devel conflicts bind-devel
    [20130416.032159] --> Processing Conflict: bind97-devel conflicts bind-devel
    [20130416.032159] --> Processing Conflict: bind97-libs conflicts bind-libs
    [20130416.032159] --> Processing Conflict: bind97-libs conflicts bind-libs
    [20130416.032159] --> Processing Conflict: bind97-devel conflicts bind-devel
    [20130416.032159] --> Processing Conflict: bind97-devel conflicts bind-devel