Solved

Query regarding BIND

Posted on 2012-04-04
Last Modified: 2012-04-19
Hello,

I have an RHEL 5.7 server running BIND in caching-only mode. I need to apply security changes on the BIND server as per the requirements below. Please help.

1. How do I prevent cache poisoning?
2. What are all the log levels available in BIND and how do I configure them?
3. How do I hide the BIND version?
4. How do I disable Dynamic DNS updates?
Question by:sudhirgoogle
 
LVL 29

Expert Comment

by:Jan Springer
ID: 37806349
First, find out if you're vulnerable:

   dig +short @YOUR_NAME_SERVER_IP porttest.dns-oarc.net TXT

If you are vulnerable, this requires an update.  How did you install bind?  Via source or yum/apt-get/RHEL channel?
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806367
The server is on the INTRANET, so I get "connection timed out; no servers could be reached".
I typed the command like this: 'dig +short @10.16.123.113 porttest.dns-oarc.net TXT'.


bind-9.3.6-16.P1.el5 is the version the server has.
LVL 29

Expert Comment

by:Jan Springer
ID: 37806414
Did you install bind from the RHEL channel, via source or using yum?
LVL 29

Expert Comment

by:Jan Springer
ID: 37806436
For clarification:

  if you get your updates using your RHEL subscription, check for updates
    # up2date --dry-run -nox

  if you installed from source, go to www.isc.org and download your preferred package

  if you installed via another channel
    # yum check-update

And if you installed using your RHEL subscription, do you still have it?
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806475
Thanks for your quick response. I believe it was installed via the RHEL 5.7 DVD ISO. May I know the reason for upgrading the bind package? I am not authorized to suggest the upgrade. All I need is answers to my queries below:

1. How do I prevent cache poisoning?
2. What are all the log levels available in BIND and how do I configure them?
3. How do I hide the BIND version?
4. How do I disable Dynamic DNS updates?
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 500 total points
ID: 37806629
You prevent cache poisoning by only allowing trusted networks to reach your DNS server (which really only limits your exposure) or by upgrading your software.

Log levels in bind are maintained in the named.conf file.  If you are not chrooted, that file is located in /etc.  If you are chrooted, it is usually located in /var/named/chroot/etc.

In the options section of named.conf, you can specify the version (or alternate wording).
    version = "some string here";

To disable DDNS, within named.conf and in the zone configuration section, add this statement:
    allow-update { none; };

It would look like this:

    zone "example.com" {
        type master;
        file "masters/example.com";
        allow-query { any; };
        allow-update { none; };
    };
LVL 1

Author Comment

by:sudhirgoogle
ID: 37806696
To prevent cache poisoning, which version of BIND does the upgrade require?

Log levels in BIND -> what is the parameter and what are its values?

Currently the named.conf file doesn't have a version entry; will it still expose the BIND version info?

If I don't explicitly mention 'allow-update { none; };' in the zone information, will it allow DDNS updates?

I mean, if my zone info is like below, will it allow DDNS?

    zone "example.com" {
        type master;
        file "masters/example.com";
        allow-query { any; };
    };
LVL 29

Accepted Solution

by:Jan Springer
Jan Springer earned 500 total points
ID: 37806863
If you are going to upgrade bind, I would recommend at least 9.8.1-P1 or 9.9 from source.

Here is an example of the various logs and the log level:

logging {
        channel default_syslog {
                syslog daemon;
                severity info;
        };

        channel audit_log {
                file "/logs/named.log";
                severity info;
                print-time yes;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; };
        category config { audit_log; };
        category resolver { default_syslog; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { default_syslog; };
        category network { audit_log; };
        category update { default_syslog; };
        category queries { default_syslog; };
        category lame-servers { default_syslog; };
};

The version info that I gave is incorrect.  It should read, within the options section of named.conf:
     version "something";

No, you will not be exposed.  Test it:
     dig @YOUR_SERVER_IP chaos txt version.bind

As far as allowed updates, by default BIND 8 and BIND 9 do not allow dynamic updates to authoritative zones.
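The settings raised across both of Jan's answers (a pinned query-source port, recursion open to any client, the version string, allow-update, and log severity), as an added shell example that is not part of the original thread: it audits a named.conf for those directives using two constructed sample configurations, and the second sample is the hardened options block a caching-only server on a trusted intranet would carry. The 10.16.0.0/16 range, the log path, the channel name and both sample files are assumptions. The two probe functions at the bottom need dig and a network path to the server; porttest additionally needs the resolver to reach dns-oarc.net, which an intranet-only server cannot, hence the time-out seen earlier in the thread. Note that without a version statement named answers version.bind CH TXT with its real version string, so the audit treats a missing statement as a finding.

```shell
#!/bin/sh
# Added example: audit a BIND named.conf for the hardening points in this
# thread. Not from the original thread; paths, the 10.16.0.0/16 range and
# both sample configurations below are constructed for illustration.
set -eu

# True (exit 0) when the file in $1, with // and # comments stripped,
# contains a line matching the extended regex in $2.
has_directive() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | grep -Eq "$2"
}

# Print one FAIL/WARN line per dangerous or missing setting in named.conf $1.
audit_named_conf() {
    conf="$1"
    # 1. Cache poisoning: a fixed outbound port turns source-port
    #    randomisation off, leaving only the 16-bit query ID as entropy.
    if has_directive "$conf" 'query-source[^;]*port[[:space:]]+[0-9]+'; then
        echo "FAIL: query-source pins the outbound port; drop the port clause"
    fi
    #    A resolver that recurses for anyone can be primed by anyone.
    if ! has_directive "$conf" 'allow-recursion[[:space:]]*[{]'; then
        echo "FAIL: no allow-recursion ACL; recursion is open to every client"
    fi
    # 2. Logging: security events should land in a channel at a known severity.
    if ! has_directive "$conf" 'category[[:space:]]+security[[:space:]]*[{]'; then
        echo "WARN: no 'category security' channel; ACL denials are not logged separately"
    fi
    # 3. Without a version statement, named answers version.bind CH TXT
    #    with its real version string.
    if ! has_directive "$conf" 'version[[:space:]]+"'; then
        echo "WARN: no version statement; named discloses its real version"
    fi
    # 4. BIND 9 refuses dynamic updates by default; stating it keeps a
    #    later zone edit from opening it silently.
    if ! has_directive "$conf" 'allow-update[[:space:]]*[{][[:space:]]*none'; then
        echo "WARN: allow-update { none; } not stated explicitly"
    fi
    return 0
}

# Number of findings for named.conf $1.
count_findings() {
    audit_named_conf "$1" | grep -c -E '^(FAIL|WARN)' || true
}

WORKDIR=$(mktemp -d)
WEAK_CONF="$WORKDIR/weak-named.conf"
HARDENED_CONF="$WORKDIR/hardened-named.conf"

# Constructed: a caching-only configuration with the weak settings.
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    query-source address * port 53;   // pinned outbound port
};
EOF

# Constructed: the hardened equivalent. Severity values BIND accepts, from
# most to least severe: critical, error, warning, notice, info, debug [N], dynamic.
cat > "$HARDENED_CONF" <<'EOF'
options {
    directory "/var/named";
    version "not disclosed";                        // answer to version.bind CH TXT
    recursion yes;
    allow-recursion { 10.16.0.0/16; localhost; };   // trusted intranet only (assumed range)
    allow-query     { 10.16.0.0/16; localhost; };
    allow-update    { none; };                      // global default for every zone
    query-source address *;                         // no port clause: random ports
};
logging {
    channel audit_log {
        file "/var/log/named/audit.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { audit_log; };
    category update   { audit_log; };
};
EOF

echo "== weak =="     ; audit_named_conf "$WEAK_CONF"
echo "== hardened ==" ; audit_named_conf "$HARDENED_CONF"

# Live probes (need dig and a network path; not used by the checks above).
probe_version()  { dig +short @"$1" chaos txt version.bind; }
probe_porttest() { dig +short @"$1" porttest.dns-oarc.net TXT; }
```

Run `named-checkconf` against the hardened file before copying it into place; on a chrooted RHEL 5 install the live file is /var/named/chroot/etc/named.conf, as noted earlier in the thread.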
LVL 1

Author Closing Comment

by:sudhirgoogle
ID: 37864862
Thanks.