
Query regarding BIND

Hello,

I have a RHEL 5.7 server running BIND in caching-only mode. I need to apply security changes on the BIND server as per the requirements below. Please help.

1. How do I prevent cache poisoning?
2. What are all the log levels available in BIND and how do I configure them?
3. How do I hide the BIND version?
4. How do I disable Dynamic DNS updates?
0
Asked:
sudhirgoogle
 
Jan Springer Commented:
First, find out if you're vulnerable:

   dig +short @YOUR_NAME_SERVER_IP porttest.dns-oarc.net TXT

If you are vulnerable, this requires an update.  How did you install bind?  Via source or yum/apt-get/RHEL channel?
0
 
sudhirgoogle (Author) Commented:
The server is on the intranet, so I get "connection timed out; no servers could be reached".
I typed the command like this: 'dig +short @10.16.123.113 porttest.dns-oarc.net TXT'.


bind-9.3.6-16.P1.el5 is the version the server has.
0
 
Jan Springer Commented:
Did you install bind from the RHEL channel, via source or using yum?
0
 
Jan Springer Commented:
For clarification:

  if you get your updates using your RHEL subscription, check for updates
    # up2date --dry-run -nox

  if you installed from source, go to www.isc.org and download your preferred package

  if you installed via another channel
    # yum check-update

And if you installed using your RHEL subscription, do you still have it?
0
 
sudhirgoogle (Author) Commented:
Thanks for your quick response. I believe it is installed via the RHEL 5.7 DVD ISO. May I know the reason for upgrading the bind package? I am not authorized to suggest the upgrade. All I need is answers to my queries below:

1. How do I prevent cache poisoning?
2. What are all the log levels available in BIND and how do I configure them?
3. How do I hide the BIND version?
4. How do I disable Dynamic DNS updates?
0
 
Jan Springer Commented:
You prevent cache poisoning by only allowing trusted networks to reach your DNS server (which really only limits your exposure) or by upgrading your software.

Log levels in bind are maintained in the named.conf file.  If you are not chrooted, that file is located in /etc.  If you are chrooted, it is usually located in /var/named/chroot/etc.

In the options section of named.conf, you can specify the version (or alternate wording).
    version = "some string here";

To disable DDNS, within named.conf and in the zone configuration section, add this statement:      
    allow-update { none; };

It would look like this:

   zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
      allow-update { none; };
   };
0
 
sudhirgoogle (Author) Commented:
To prevent cache poisoning, which version of bind does the upgrade require?

Log levels in bind -> what is the parameter and what are its values?

Currently the named.conf file doesn't have a version entry; will it still expose the bind version info?

If I don't explicitly mention 'allow-update { none; };' in the zone information, will it allow DDNS updates?

I mean, if my zone info is like below, will it allow DDNS?

   zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
   };
0
 
Jan Springer Commented:
If you are going to upgrade bind, I would recommend at least 9.8.1-P1 or 9.9 from source.

Here is an example of the various logs and the log level:

logging {
        channel default_syslog {
                syslog daemon;
                severity info;
        };

        channel audit_log {
                file "/logs/named.log";
                severity info;
                print-time yes;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; };
        category config { audit_log; };
        category resolver { default_syslog; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { default_syslog; };
        category network { audit_log; };
        category update { default_syslog; };
        category queries { default_syslog; };
        category lame-servers { default_syslog; };
};

The version info that I gave is incorrect.  It should read within the options section of named.conf
     version "something";

No, you will not be exposed.  Test it:
     dig @YOUR_SERVER_IP chaos txt version.bind

As far as allowed updates, by default bind 8 and bind 9 do not allow dynamic updates to authoritative zones.
0
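As an added example (not code from the thread or from ISC), this Python audit reads a named.conf and reports on the four points asked about: version statement, recursion scope, dynamic updates per zone, and logging. It also flags a pinned query-source port, which is the behaviour the porttest query above measures. The function names, the regex-based parsing and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample named.conf (not from the thread) used to exercise the checks.
SAMPLE = '''
options {
    query-source address * port 53;   // fixed source port
    allow-recursion { any; };
};
zone "example.com" {
    type master; file "masters/example.com";
    allow-update { 10.16.0.0/16; };
};
zone "example.org" { type master; file "masters/example.org"; };
'''

def blocks(text, keyword):
    """Yield (name, body) for each `keyword ["name"] [class] { ... }` statement."""
    for m in re.finditer(r'\b%s\b\s*(?:"([^"]*)"\s*)?(?:\w+\s*)?\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):      # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def statement(body, name):
    """Return the argument of `name ...;` (scalar or one-level { } list), else None."""
    m = re.search(r"(?<![\w-])%s(?![\w-])\s*([^;{]*(?:\{[^}]*\})?)\s*;" % re.escape(name), body)
    return m.group(1).strip() if m else None

def audit(conf):
    """Findings for the thread's four points (assumes no comment markers in strings)."""
    conf = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", conf, flags=re.S)
    opts, findings = next((b for _, b in blocks(conf, "options")), ""), []
    if statement(opts, "version") is None:
        findings.append("options: no version statement; test with dig chaos txt version.bind")
    rec = statement(opts, "allow-recursion")
    if rec is None or re.search(r"\bany\b", rec):
        findings.append("options: allow-recursion absent or any; limit to trusted networks")
    if re.search(r"\bport\s+\d+", statement(opts, "query-source") or ""):
        findings.append("options: query-source pins the source port (no randomization)")
    if not any(blocks(conf, "logging")):
        findings.append("logging: no logging statement; built-in defaults apply")
    for zone, body in blocks(conf, "zone"):
        upd = statement(body, "allow-update")
        if upd is not None and not re.fullmatch(r"\{\s*none\s*;\s*\}", upd):
            findings.append("zone %s: dynamic updates allowed from %s" % (zone, upd))
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Point `audit()` at the contents of /etc/named.conf, or /var/named/chroot/etc/named.conf on a chrooted install, and confirm each finding on the running server with the dig tests given in the thread.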
 
sudhirgoogle (Author) Commented:
Thanks.
0
