Query regardind BIND

Hello,

I have RHEL 5.7 server running BIND in caching only mode. i need to apply security changes on BIND server as per below requirement. Please help.

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it.
3. How do i hide the BIND version
4. how do i disable Dynamic DNS updates.
LVL 1
sudhirgoogleAsked:
Who is Participating?
 
Jan SpringerCommented:
If you are going to upgrade bind, I would recommend at least 9.8.1-P1 or 9.9 from source.

Here is an example of the various logs and the log level:

logging {
        channel default_syslog {
                syslog daemon;
                severity info;
        };

        channel audit_log {
                file "/logs/named.log";
                severity info;
                print-time yes;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; };
        category config { audit_log; };
        category resolver { default_syslog; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { default_syslog; };
        category network { audit_log; };
        category update { default_syslog; };
        category queries { default_syslog; };
        category lame-servers { default_syslog; };
};

The version info that I gave is incorrect.  It should read within the options section of named.conf
     version "something";

No you will not be exposed.  Test it:
     dig @YOUR_SERVER_IP chaos txt version.bind

As far as allowed updates, by default bind 8 and bind 9 do no allow dynamic updates to authoritative zones.
0
 
Jan SpringerCommented:
First, find out if you're vulnerable:

   dig +short @YOUR_NAME_SERVER_IP porttest.dns-oarc.net TXT

If you are vulnerable, this requires an update.  How did you install bind?  Via source or yum/apt-get/RHEL channel?
0
 
sudhirgoogleAuthor Commented:
the server is on INTRANET, so i get " connection timed out; no servers could be reached"
I typed the command like this 'dig +short @10.16.123.113 porttest.dns-oarc.net TXT'.


bind-9.3.6-16.P1.el5 is the version the server has.
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
Jan SpringerCommented:
Did you install bind from the RHEL channel, via source or using yum?
0
 
Jan SpringerCommented:
For clarification:

  if you get your updates using your RHEL subscription, check for updates
    # up2date --dry-run -nox

  if you installed from source, go to www.isc.org and download your preferred package

  if you installed via another channel
    # yum check-update

And if you installed using your RHEL subscription, do you still have it?
0
 
sudhirgoogleAuthor Commented:
thanks for your quick response. I believe it is installed via RHEL 5.7 DVD ISO. May know the reason for upgrading the bind package ?? i am not authorized to suggest for the upgrade. All I need is answers for my below queries,

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it ?
3. How do i hide the BIND version ?
4. how do i disable Dynamic DNS updates ?
0
 
Jan SpringerCommented:
You prevent cache poisoning by only allowing trusted networks to reach your DNS server (which really only limits your exposure) or by upgrading your software

Log levels in bind are maintained in the named.conf file.  If you are not chrooted, that file is located in /etc.  If you are chrooted, it is usually located in /var/named/chroot/etc.

In the options section of named.conf, you can specify the version (or alternate wording).
    version = "some string here";

To disable DDNS, within named.conf and in the zone configuration section, add this statement:      
    allow-update { none; };

    It would look like this:

   zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
      allow-update { none; };
   }
0
 
sudhirgoogleAuthor Commented:
to prevent cache poisoning which version of bind upgrade require ?

Log levels in bind -> what is the parameter and its values ?

Currently in named.conf file it doesn't have version entry, will it still expose the bind version info ??

if i don't explicitly mention 'allow-update { none; };' in zone information will it allow DDNS updates ??
 
I mean if my zone info is like below then will it allow DDNS ?

      zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
        }
0
 
sudhirgoogleAuthor Commented:
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.