Logging version.bind queries
Jim Reid
jim at rfc1035.com
Mon Feb 26 11:17:28 UTC 2001
>>>>> "Michael" == Michael S Scheidell <scheidell at caerulus.cerintha.com> writes:
Michael> Shortly after the announcement by CERT of the buffer
Michael> overflow exploit in Bind versions we began to see a lot
Michael> of 'denied query' for 'version.bind'
Michael> This was due to our ACLs that limit queries to our
Michael> inside networks.
Michael> options { allow-query { friends; } ; };
What do you do about perfectly valid queries from other name servers,
like those who are trying to resolve (say) your MX records?
Michael> or if you want to log version.bind queries (to see who is
Michael> trying to overflow YOUR buffers:)
If someone is going to mount a buffer overflow attack on a name server,
they don't need to know or care about the BIND version. There's no
need to query for version.bind first (or believe the answer that's
returned). And the buffer overflow attacks that have been published
don't overflow a version.bind query as the ISC's web site makes clear.