[TUTORIAL] Parallels Plesk update all domain zones at once

I had to change all SPF records for a client today from the Parallels Plesk default : “v=spf1 +a +mx -all” to something like “v=spf1 a mx a:server.name.tld -all” and the fun part was that the customer had something like 50+ domains on his server.

Since the Parallels Plesk Panel holds 99.99% of it’s data in the psa database, DNS settings are stored there as well, in two tables.

  • dns_recs_t which holds the DNS template information, and
  • dns_recs which holds the actual domain information.

I started with changing the template, then the domains info:

-bash-3.2# mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql> USE psa;
mysql> UPDATE dns_recs_t SET val = ‘v=spf1 a mx a:server.name.tld -all’ WHERE val = ‘v=spf1 +a +mx -all’;
mysql> UPDATE dns_recs_t SET displayVal = ‘v=spf1 a mx a:server.name.tld -all’ WHERE displayVal = ‘v=spf1 +a +mx -all’;
mysql> UPDATE dns_recs SET val = ‘v=spf1 a mx a:server.name.tld -all’ WHERE val = ‘v=spf1 +a +mx -all’;
mysql> UPDATE dns_recs SET displayVal = ‘v=spf1 a mx a:server.name.tld -all’ WHERE displayVal = ‘v=spf1 +a +mx -all’;

you can now check the records if they match:

mysql> SELECT FROM dns_recs WHERE val LIKE ‘%spf%’;
mysql> SELECT FROM dns_recs_t WHERE val LIKE ‘%spf%’;

If you got what you were looking for, now you need to change the actual DNS zone files using the dnsmng utility provided by Parallels Plesk Panel. I used the following script:

-bash-3.2# vi dns_update.sh

ADMIN_PASS=`cat /etc/psa/.psa.shadow`
MYSQL_BIN_D=`grep MYSQL_BIN_D /etc/psa/psa.conf | awk ‘{print $2}’`
mysql="${MYSQL_BIN_D}/mysql -N -uadmin -p${ADMIN_PASS} psa"

query="select name from domains;"
domains=`echo $query | $mysql `

for i in ${domains}; do
    echo "found $i"
    /usr/local/psa/admin/sbin/dnsmng update $i
    echo "zone for $i updated"

Then just run the script:

-bash-3.2# sh dns_update.sh

Now all you have to do is a final check in the zones directory, I did something like:

-bash-3.2# cd /var/named/run-root/var
-bash-3.2# grep -i spf *

Have fun, and use the above at your own risk.

DNS vulnerability

Guys and girls, get your nameservers secured ASAP.

The DNS vulnerability everyone was talking about leaked on the internet, and I’m sure someone somewhere is already writing up code to take advantage of it…

Full story here.

Paul Vixie, the CEO of ISC (developers of bind/named), developer of CRON, who writes every so often on his circleid.com account made a short FAQ about the vulnerability:

Reactions have been mixed, but overall, negative. As the coordinator of the combined vendor response, I’ve heard plenty of complaints, and I’ve watched as Dan Kaminsky has been called an idiot for how he managed the disclosure. Let me try to respond a little here, without verging into taking any of this personally.

Q: “This is the same attack as <X> described way back in <Y>.”
A: No, it’s not.

Q: “You’re just fear-mongering, we already knew DNS was terribly insecure.”
A: Everything we thought we knew was wrong.

Q: “I think Dan’s new attack is <Z>.”
A: If you guess right, you can control the schedule, is that what you want?

Q: “I think Dan should have just come right out and described the attack.”
A: Do you mind if we patch the important parts of the infrastructure first?

Q: “Why wasn’t I brought into the loop?”
A: Management of trusted communications is hard. No offense was intended.

Full article here.

And you can check your ISP’s nameservers from this page: https://www.dns-oarc.net/oarc/services/dnsentropy You need to look at that test for port randomization, and you need to be above average to be safe. Beware that refreshing the test page will not show up *new* results, even if you make changes to your nameservers, so you need to go back to the prior link, and click on “Test my DNS” again.

This is serious folks!

Free DNS checks

A while ago, dnsstuff.org, the site I used to check everything related to DNS got off the freeware market and they started a paid service, which, no doubt is good, please pay for it if you still want to use them, but I want to give you a few alternatives.

Of course you have the shell command line tools like nslookup, dig and whois but those are not for the faint of heart, so below you have some online alternatives:

The first, is IntoDNS.com (which I wrote about here in January) does a full DNS checkup of a domain.

The ones who want more than this, can use dnsutils.org, which allows users to do the following:

  • Reverse DNS
  • Ping Host/IP
  • FQDN based DNS Lookup (A, AAA, SOA, CNAME, NS, MX)
  • CIDR Calculator
  • IPV6 Compression
  • IPV6 Expansion
  • RBL Lookup
  • transform IPv4 into binary and back
  • transform IPv6 into bin and back

Quite a good service offered by Jonas Genannt <jonas (AT) dnsutils (DOT) org>.