Article ID: 6569, created on Aug 4, 2009, last review on May 5, 2014

  • Applies to:
  • H-Sphere

Symptoms

Parallels H-Sphere Control Panel cannot pass a PCI (payment card industry) scan because of the following security warning found on port/service "domain (53/udp)": "Useable remote name server"

Resolution

Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl; };'
If you are using another name server, consult its documentation.

Access control list string can be generated with the following command:
# echo "acl clusterip{127.0.0.1;`hsinfo -i -g all| tr '\n' ';'`};"

Add the output to named.conf, edit the "allow-recursion" option to use the 'clusterip' ACL, and restart named.

The changes in named.conf should look like this:

# diff /etc/named.conf.orig /etc/named.conf
4c4
<         allow-recursion { any; };
---
 >         allow-recursion { clusterip; };
53a54
 > acl clusterip{127.0.0.1;<IP1>;<IP2>;<IPn>;};
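Review bot: the second hunk (53a54) appends the clusterip ACL at line 54, after the options block that already references it at line 4. Moving the acl statement above the options block keeps the definition ahead of its use, so the file does not depend on how the installed named resolves forward references to ACL names. Running named-checkconf on the edited file before the restart confirms that it still parses.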

To restart named, run:

/etc/init.d/named restart - Linux
/usr/local/etc/rc.d/named.sh restart - FreeBSD
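
After the restart, the result can be checked before the PCI scan is repeated. The script below is an added example, not part of the original article or of H-Sphere: it reads the "ra" (recursion available) flag from dig's header output, and the default query name, the script name and the sample output are constructed placeholders.

```sh
#!/bin/sh
# Added example: check whether a name server still offers recursion.

# Read dig output on stdin and print:
#   open        reply carries the "ra" (recursion available) flag
#   restricted  reply received, no "ra" flag
#   no-reply    no DNS header seen (timeout or unreachable)
classify_recursion() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags:/, "")
            sub(/;.*/, "")              # keep only the flag list
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        END {
            if (!seen)   print "no-reply"
            else if (ra) print "open"
            else         print "restricted"
        }'
}

# Ask the server for a name it is not authoritative for (the default is a
# placeholder). Run from a host that is NOT listed in the clusterip ACL.
probe_recursion() {
    dig +time=3 +tries=1 "@$1" "${2:-example.com}" A | classify_recursion
}

# Constructed dig output, before and after the named.conf change.
sample_before() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_after() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}

# Usage: sh check_recursion.sh <nameserver-ip> [name]
if [ "$#" -gt 0 ]; then probe_recursion "$@"; fi
```

A host outside the ACL should report "restricted", while a host inside it (for example 127.0.0.1 on the server itself) should still report "open".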
