?
Solved

Query regardind BIND

Posted on 2012-04-04
9
Medium Priority
?
523 Views
Last Modified: 2012-04-19
Hello,

I have RHEL 5.7 server running BIND in caching only mode. i need to apply security changes on BIND server as per below requirement. Please help.

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it.
3. How do i hide the BIND version
4. how do i disable Dynamic DNS updates.
0
Comment
Question by:sudhirgoogle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 37806349
First, find out if you're vulnerable:

   dig +short @YOUR_NAME_SERVER_IP porttest.dns-oarc.net TXT

If you are vulnerable, this requires an update.  How did you install bind?  Via source or yum/apt-get/RHEL channel?
0
 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806367
the server is on INTRANET, so i get " connection timed out; no servers could be reached"
I typed the command like this 'dig +short @10.16.123.113 porttest.dns-oarc.net TXT'.


bind-9.3.6-16.P1.el5 is the version the server has.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 37806414
Did you install bind from the RHEL channel, via source or using yum?
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 29

Expert Comment

by:Jan Springer
ID: 37806436
For clarification:

  if you get your updates using your RHEL subscription, check for updates
    # up2date --dry-run -nox

  if you installed from source, go to www.isc.org and download your preferred package

  if you installed via another channel
    # yum check-update

And if you installed using your RHEL subscription, do you still have it?
0
 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806475
thanks for your quick response. I believe it is installed via RHEL 5.7 DVD ISO. May know the reason for upgrading the bind package ?? i am not authorized to suggest for the upgrade. All I need is answers for my below queries,

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it ?
3. How do i hide the BIND version ?
4. how do i disable Dynamic DNS updates ?
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1500 total points
ID: 37806629
You prevent cache poisoning by only allowing trusted networks to reach your DNS server (which really only limits your exposure) or by upgrading your software

Log levels in bind are maintained in the named.conf file.  If you are not chrooted, that file is located in /etc.  If you are chrooted, it is usually located in /var/named/chroot/etc.

In the options section of named.conf, you can specify the version (or alternate wording).
    version = "some string here";

To disable DDNS, within named.conf and in the zone configuration section, add this statement:      
    allow-update { none; };

    It would look like this:

   zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
      allow-update { none; };
   }
0
 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806696
to prevent cache poisoning which version of bind upgrade require ?

Log levels in bind -> what is the parameter and its values ?

Currently in named.conf file it doesn't have version entry, will it still expose the bind version info ??

if i don't explicitly mention 'allow-update { none; };' in zone information will it allow DDNS updates ??
 
I mean if my zone info is like below then will it allow DDNS ?

      zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
        }
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 1500 total points
ID: 37806863
If you are going to upgrade bind, I would recommend at least 9.8.1-P1 or 9.9 from source.

Here is an example of the various logs and the log level:

logging {
        channel default_syslog {
                syslog daemon;
                severity info;
        };

        channel audit_log {
                file "/logs/named.log";
                severity info;
                print-time yes;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; };
        category config { audit_log; };
        category resolver { default_syslog; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { default_syslog; };
        category network { audit_log; };
        category update { default_syslog; };
        category queries { default_syslog; };
        category lame-servers { default_syslog; };
};

The version info that I gave is incorrect.  It should read within the options section of named.conf
     version "something";

No you will not be exposed.  Test it:
     dig @YOUR_SERVER_IP chaos txt version.bind

As far as allowed updates, by default bind 8 and bind 9 do no allow dynamic updates to authoritative zones.
0
 
LVL 1

Author Closing Comment

by:sudhirgoogle
ID: 37864862
Thanks.
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question