
Protecting bind from DNS cache poisoning!!!


Shiva Raman

Aug 8, 2010, 6:29:52 AM
to bind-...@lists.isc.org
Dear All,

I am running Bind caching and Bind authoritative servers with the current 9.7 version. I would like
to know the steps to be followed to protect Bind from DNS cache poisoning. The Bind DNS server
is running behind a firewall which allows only DNS queries.

Kindly share your views.

Thanks in advance.

Shiva Raman

Matthew Seaman

Aug 8, 2010, 7:39:01 AM
to bind-...@lists.isc.org
On 08/08/2010 11:29:52, Shiva Raman wrote:

> I am running Bind caching and bind authoritative servers with current
> 9.7 version. I would like
> to know the steps to be followed to protect bind from DNS Cache poisoning.
> The bind DNS server
> is running behind the firewall which allows only DNS queries .

Run an up-to-date version of bind. Be fanatical about applying security
patches promptly.

Don't allow recursion /at all/ for queries from the general public to
your authoritative servers, nor permit authoritative servers to send
additional data from cache.

Permit only your trusted clients to make recursive queries through your
recursive servers.

If you have sufficient DNS traffic to warrant it, it is very good to run
completely separate instances of bind as authoritative and recursive
servers -- use of virtualization techniques like FreeBSD jails can help
reduce hardware costs.

Otherwise, make use of the views feature to control who may or may not
perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP
traffic.

Make sure your firewalls don't do daft things like forcing any DNS
traffic to come from a limited range of source ports, or blocking large
UDP packets or EDNS. Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: mat...@infracaninophile.co.uk


Matus UHLAR - fantomas

Aug 9, 2010, 8:01:16 AM
to bind-...@lists.isc.org
> >Allow bind to use as wide a range of port numbers as possible for UDP
> >traffic.

On 09.08.10 17:14, Shiva Raman wrote:
> Yes this is allowed in the firewall.

Note that bind also should not have the "port" option in the query-source statement.

> > Make sure your firewalls don't do daft things like forcing any DNS
> >traffic to come from a limited range of source ports, or blocking large
> >UDP packets or EDNS. Allow DNS queries over TCP as well as UDP.

> Yes in firewall , both TCP and UDP DNS queries are allowed.

Allowed is one part; not having broken firewalls that inspect (and break)
DNS packets is another one.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.
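
As an added example that is not from the thread or from ISC, here is a small shell audit that screens a named.conf for the points Matthew and Matus raise: recursion left on for an authoritative server, no allow-recursion ACL (or an ACL of any) on the resolver, additional data from cache on the authoritative side, a fixed port in query-source, and a resolver with no trust-anchor block (trusted-keys or managed-keys), without which validation has nothing to validate against. The three sample configs, the placeholder root key and the FINDING output format are constructed for this example; the role argument is my own convention, and the checks are regular expressions over a comment-stripped file rather than a parse of BIND's grammar, so treat it as a quick screen.

```shell
#!/bin/sh
# Screen a named.conf against the hardening advice in this thread. Regex-based:
# it reads one comment-stripped file, so includes and split configs are not followed.

strip_comments() { sed -e 's,//.*$,,' -e 's,#.*$,,' "$1"; }

has() { printf '%s\n' "$CONF" | grep -Eq "$1"; }            # does the config match an ERE?
finding() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

# Usage: audit_named_conf <named.conf> <recursive|authoritative>
# Prints one FINDING line per problem; the exit status is the number of findings.
audit_named_conf() {
    CONF=$(strip_comments "$1"); FINDINGS=0
    # Both roles: a numeric port in query-source pins every outgoing query to one
    # source port, which throws away source-port randomization (port * is fine).
    if has 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+'; then
        finding "query-source pins a fixed UDP source port; drop the port clause"
    fi
    case $2 in
    authoritative)
        has 'recursion[[:space:]]+no' ||
            finding "authoritative server lacks 'recursion no' (BIND defaults to recursion yes)"
        has 'additional-from-cache[[:space:]]+no' ||
            finding "authoritative server may fill additional sections from cache; set additional-from-cache no"
        ;;
    recursive)
        if ! has 'allow-recursion'; then
            finding "no allow-recursion ACL: any client that reaches the server may recurse"
        elif has 'allow-recursion[^;]*any'; then
            finding "allow-recursion grants 'any'; restrict it to trusted clients"
        fi
        has '(trusted-keys|managed-keys)' ||
            finding "no trust anchors (trusted-keys/managed-keys): validation has nothing to validate against"
        ;;
    *) echo "usage: audit_named_conf <file> <recursive|authoritative>" >&2; return 2 ;;
    esac
    return $FINDINGS
}
# Usage: count_findings <file> <role> -> prints the number of findings
count_findings() { audit_named_conf "$@" | grep -c '^FINDING:' || true; }

# Constructed sample configs (not real deployments), written to temp files.
WEAK=$(mktemp); RESOLVER=$(mktemp); AUTH=$(mktemp)
cat >"$WEAK" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;   // pinned port: every query leaves from 53
    recursion yes;                    // and no allow-recursion: an open resolver
};
EOF
cat >"$RESOLVER" <<'EOF'
acl trusted { 192.0.2.0/24; 127.0.0.1; };
options {
    directory "/var/named";
    query-source address *;           // no port clause: random port per query
    recursion yes;
    allow-recursion { trusted; };
    dnssec-validation yes;
};
managed-keys { "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY-NOT-REAL"; };
EOF
cat >"$AUTH" <<'EOF'
options {
    directory "/var/named";
    query-source address *;
    recursion no;                     // authoritative only
    additional-from-cache no;
    allow-query { any; };
};
EOF

echo "== weak config audited as a recursive server";     audit_named_conf "$WEAK" recursive || true
echo "== weak config audited as an authoritative server"; audit_named_conf "$WEAK" authoritative || true
echo "== hardened resolver";      audit_named_conf "$RESOLVER" recursive && echo "clean"
echo "== hardened authoritative"; audit_named_conf "$AUTH" authoritative && echo "clean"
```

Run it against your own file with `audit_named_conf /etc/named.conf recursive` (or `authoritative`); the weak sample trips three findings in either role, the two hardened samples none.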

Wolfgang Solfrank

Aug 9, 2010, 8:08:26 AM
to bind-...@lists.isc.org
>>> Allow bind to use as wide a range of port numbers as possible for UDP
>>> traffic.
>
> On 09.08.10 17:14, Shiva Raman wrote:
>> Yes this is allowed in the firewall.
>
> Note that bind also should not have the "port" option in the query-source statement.

In addition, be careful with the use of NAT on your firewall. This will
probably unrandomize the port numbers on your outgoing requests.

Ciao,
Wolfgang
--
Wolf...@Solfrank.net Wolfgang Solfrank

Shiva Raman

Aug 9, 2010, 7:44:20 AM
to bind-...@lists.isc.org, m.se...@infracaninophile.co.uk
Hi,
Thanks for your valuable suggestions.

>Run an up-to-date version of bind.  Be fanatical about applying security
>patches promptly.

Yes, I am running the latest version, Bind-9.7.1-P2.

>Don't allow recursion /at all/ for queries from the general public to
>your authoritative servers, nor permit authoritative servers to send
>additional data from cache.
 
I am running separate caching and authoritative servers. As suggested
by you, I have disabled recursion for the authoritative servers.


>Permit only your trusted clients to make recursive queries through your
>recursive servers.

Yes, in the caching servers I have only enabled recursion for our trusted clients.


>If you have sufficient DNS traffic to warrant it, it is very good to run
>completely separate instances of bind as authoritative and recursive
>servers -- use of virtualization techniques like FreeBSD jails can help
>reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.

>Allow bind to use as wide a range of port numbers as possible for UDP
>traffic.

Yes this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS
>traffic to come from a limited range of source ports, or blocking large
>UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

>  Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for recursive server, i restarted named.

Now named is working with DNSSEC enabled, but I am not able to verify the same.

Kindly let me know how we can verify, from the logs, that DNSSEC is enabled and running.

Tony Finch

Aug 9, 2010, 9:15:52 AM
to Shiva Raman, bind-...@lists.isc.org
On Mon, 9 Aug 2010, Shiva Raman wrote:
>
> I tried implementing dnssec using the following document
> http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

That is rather out of date: it does not cover some important BIND-9.7
DNSSEC validation features, specifically RFC 5011 automatic trust anchor
rollover, and it does not explain how to install the root trust anchor.
Also you do not need to explicitly turn on DNSSEC validation: it is on by
default but only works if you have configured one or more trust anchors.

Here is my recent how-to: http://fanf.livejournal.com/107310.html

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
NORTH FITZROY SOLE: WEST OR SOUTHWEST, BECOMING CYCLONIC IN SOLE, 4 OR 5,
INCREASING 5 TO 7. MODERATE OR ROUGH. RAIN. MODERATE OR GOOD, OCCASIONALLY
POOR.

Torsten

Aug 9, 2010, 8:36:36 AM
to bind-...@lists.isc.org
On Mon, 09 Aug 2010 14:08:26 +0200, Wolfgang Solfrank <Wolf...@Solfrank.net> wrote:

> >>> Allow bind to use as wide a range of port numbers as possible for
> >>> UDP traffic.
> >
> > On 09.08.10 17:14, Shiva Raman wrote:
> >> Yes this is allowed in the firewall.
> >
> > Note that bind also should not have the "port" option in the query-source
> > statement.
>
> In addition, be careful with the use of NAT on your firewall. This
> will probably unrandomize the port numbers on your outgoing requests.
>
> Ciao,
> Wolfgang


Port deviation could easily be tested via porttest.dns-oarc.net

dig +short @127.0.0.1 porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with
std dev 19687"


Every result other than "GREAT" should alert you.


Also, to check whether DNSSEC is working or not, send a recursive query
to your resolver and check the returned flags for ad.


[toto@daddelkiste ~]$ dig +dnssec @127.0.0.1 iis.se a

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec @127.0.0.1 iis.se a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iis.se. IN A

;; ANSWER SECTION:
iis.se. 21 IN A 212.247.7.218
iis.se. 21 IN RRSIG A 5 2 60 20100815115001 20100805115001 53249 iis.se.
pWMYsqufhD4RkHX6IltLOcxMob3rNpc1+UnXZKgOMsO5HgbtIjALoq9+
ReqKziKev3PiEBLNdqrxT95TVlzVb7qgnLmlHABsap7m2uzuHFQKsFmh
RGxqpiuzu9bPEIfZKout4TmzILaP1Nua4ntSXyyjS35EUszfX+F/Mqrm fcc=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 9 14:35:37 2010
;; MSG SIZE rcvd: 217

Ciao
Torsten
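
As an added example that is not part of Torsten's post, the same two checks done offline against captured text, so they can be scripted into monitoring rather than read by eye: a port-spread calculation over a list of the resolver's outgoing source ports (which you would take from a packet capture on the outside of the NAT Wolfgang warns about), a check on the porttest TXT verdict, and an ad-flag check over saved dig output. Every sample below is constructed for the example; the 10000 cut-off for "wide enough" and the one-port-per-line file layout are assumptions of mine, not OARC's grading.

```shell
#!/bin/sh
# Offline versions of the two checks from the thread. Input is captured text (a list of
# source ports, a porttest TXT answer, dig output), so this runs without a live resolver.
# All sample data below is constructed; the 10000 threshold is an assumption.

# --- Source-port randomization ------------------------------------------------------
# Usage: port_stddev <file, one source port per line> -> integer population std dev.
# A resolver pinned to one port, or re-mapped to one port by NAT, gives 0.
port_stddev() {
    awk '{ n++; s += $1; ss += $1 * $1 }
         END { if (n == 0) { print 0; exit }
               m = s / n; v = ss / n - m * m; if (v < 0) v = 0
               printf "%d\n", int(sqrt(v)) }' "$1"
}
# Usage: distinct_ports <file> -> how many different ports were used
distinct_ports() { sort -u "$1" | wc -l | tr -d ' '; }
# Usage: ports_randomized <file> -> exit 0 if every query used a new port and the
# spread is wide (10000 is an assumed cut-off, not OARC's grading).
ports_randomized() {
    [ "$(distinct_ports "$1")" -eq "$(wc -l <"$1" | tr -d ' ')" ] &&
    [ "$(port_stddev "$1")" -gt 10000 ]
}
# Usage: porttest_ok "<TXT record text from porttest.dns-oarc.net>"
# Torsten's rule: anything other than GREAT should alert you.
porttest_ok() { printf '%s\n' "$1" | grep -q ' is GREAT:'; }

# --- ad flag --------------------------------------------------------------------------
# Usage: dig_flags <file with dig output> -> header flags, one per line
dig_flags() {
    awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*/, "")
                        n = split($0, f, " "); for (i = 1; i <= n; i++) print f[i] }' "$1"
}
# Usage: answer_validated <file> -> exit 0 if the resolver set ad (it validated the answer)
answer_validated() { dig_flags "$1" | grep -qx ad; }
# Usage: edns_do_set <file> -> exit 0 if the DO bit was set, i.e. dig ran with +dnssec
edns_do_set() { grep -Eq '^; EDNS: .*flags:[^;]*do' "$1"; }

# --- constructed samples --------------------------------------------------------------
SPREAD_PORTS=$(mktemp); FIXED_PORTS=$(mktemp); OK_DIG=$(mktemp); NOAD_DIG=$(mktemp)
printf '%s\n' 10000 50000 20000 40000 30000 60000 >"$SPREAD_PORTS"   # random-looking
printf '%s\n' 53 53 53 53 53 53 >"$FIXED_PORTS"                      # pinned to 53
cat >"$OK_DIG" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
EOF
cat >"$NOAD_DIG" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
EOF

report() {
    for f in "$SPREAD_PORTS" "$FIXED_PORTS"; do
        if ports_randomized "$f"; then echo "ports: randomized (std dev $(port_stddev "$f"))"
        else echo "ports: NOT randomized (std dev $(port_stddev "$f"))"; fi
    done
    for f in "$OK_DIG" "$NOAD_DIG"; do
        if answer_validated "$f"; then echo "dig: ad set, answer validated"
        else echo "dig: no ad flag, answer not validated"; fi
    done
}
report
```

For live use, feed `answer_validated` a file written by `dig +dnssec @127.0.0.1 <signed-name> a > out.txt`; an answer without ad from a resolver that is supposed to validate usually means no trust anchor is configured, since the DO bit alone only asks for the signatures.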

Matus UHLAR - fantomas

Aug 9, 2010, 8:44:02 AM
to bind-...@lists.isc.org
>>>> Allow bind to use as wide a range of port numbers as possible for UDP
>>>> traffic.
>>
>> On 09.08.10 17:14, Shiva Raman wrote:
>>> Yes this is allowed in the firewall.
>>
>> Note that bind also should not have the "port" option in the query-source statement.

On 09.08.10 14:08, Wolfgang Solfrank wrote:
> In addition, be carefull with the use of NAT on your firewall. This will
> probably unrandomize the port numbers on your outgoing requests.

This was mentioned in a previous e-mail; I added that BIND should also be
properly configured ;-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.

If Barbie is so popular, why do you have to buy her friends?
