Solved

Query regardind BIND

Posted on 2012-04-04
9
512 Views
Last Modified: 2012-04-19
Hello,

I have RHEL 5.7 server running BIND in caching only mode. i need to apply security changes on BIND server as per below requirement. Please help.

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it.
3. How do i hide the BIND version
4. how do i disable Dynamic DNS updates.
0
Comment
Question by:sudhirgoogle
  • 5
  • 4
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 37806349
First, find out if you're vulnerable:

   dig +short @YOUR_NAME_SERVER_IP porttest.dns-oarc.net TXT

If you are vulnerable, this requires an update.  How did you install bind?  Via source or yum/apt-get/RHEL channel?
0
 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806367
the server is on INTRANET, so i get " connection timed out; no servers could be reached"
I typed the command like this 'dig +short @10.16.123.113 porttest.dns-oarc.net TXT'.


bind-9.3.6-16.P1.el5 is the version the server has.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 37806414
Did you install bind from the RHEL channel, via source or using yum?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 37806436
For clarification:

  if you get your updates using your RHEL subscription, check for updates
    # up2date --dry-run -nox

  if you installed from source, go to www.isc.org and download your preferred package

  if you installed via another channel
    # yum check-update

And if you installed using your RHEL subscription, do you still have it?
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806475
thanks for your quick response. I believe it is installed via RHEL 5.7 DVD ISO. May know the reason for upgrading the bind package ?? i am not authorized to suggest for the upgrade. All I need is answers for my below queries,

1. How do i prevent cache poisoning ?
2. What are all the log levels available in BIND and how do i configure it ?
3. How do i hide the BIND version ?
4. how do i disable Dynamic DNS updates ?
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 500 total points
ID: 37806629
You prevent cache poisoning by only allowing trusted networks to reach your DNS server (which really only limits your exposure) or by upgrading your software

Log levels in bind are maintained in the named.conf file.  If you are not chrooted, that file is located in /etc.  If you are chrooted, it is usually located in /var/named/chroot/etc.

In the options section of named.conf, you can specify the version (or alternate wording).
    version = "some string here";

To disable DDNS, within named.conf and in the zone configuration section, add this statement:      
    allow-update { none; };

    It would look like this:

   zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
      allow-update { none; };
   }
0
 
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806696
to prevent cache poisoning which version of bind upgrade require ?

Log levels in bind -> what is the parameter and its values ?

Currently in named.conf file it doesn't have version entry, will it still expose the bind version info ??

if i don't explicitly mention 'allow-update { none; };' in zone information will it allow DDNS updates ??
 
I mean if my zone info is like below then will it allow DDNS ?

      zone "example.com" {
      type master;
      file "masters/example.com";
      allow-query { any; };
        }
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 37806863
If you are going to upgrade bind, I would recommend at least 9.8.1-P1 or 9.9 from source.

Here is an example of the various logs and the log level:

logging {
        channel default_syslog {
                syslog daemon;
                severity info;
        };

        channel audit_log {
                file "/logs/named.log";
                severity info;
                print-time yes;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; };
        category config { audit_log; };
        category resolver { default_syslog; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { default_syslog; };
        category network { audit_log; };
        category update { default_syslog; };
        category queries { default_syslog; };
        category lame-servers { default_syslog; };
};

The version info that I gave is incorrect.  It should read within the options section of named.conf
     version "something";

No you will not be exposed.  Test it:
     dig @YOUR_SERVER_IP chaos txt version.bind

As far as allowed updates, by default bind 8 and bind 9 do no allow dynamic updates to authoritative zones.
0
 
LVL 1

Author Closing Comment

by:sudhirgoogle
ID: 37864862
Thanks.
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created. First, WHAT IS GLUE? To understand GLUE, you must first under…
There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now