Troubleshooting Information

Bob McDonald bmcdonaldjr at gmail.com
Wed Aug 26 09:52:36 UTC 2015


Bind 9 provides configurable hosts within the chaos class which can be
queried to provide troubleshooting information. They are:

version.bind
hostname.bind

These are all configurable within the options block of the DNS
configuration file. In the past, the suggestion was to specify something
other than the actual version, obscuring the version information and
misleading would-be hackers. The other option is to specify version none;
and hostname none; effectively turning them off. (Notice none is specified
without quotes) My contention is that by allowing version and hostname to
default, Bind 9 will produce some useful troubleshooting information.
(Currently running version information of Bind 9 and the hostname of the
host on which it is running) This can be queried via a dig request to class
chaos, type txt as below:

dig version.bind ch txt +norecurse

This is especially useful information to know when troubleshooting a device
that lives within an anycast cloud.

Specifying the options as described above yields useful information about
servers to troubleshooters. However, it also yields the same information to
any inquisitive client that can access the DNS device. While that may not be
an issue on inside networks, it poses a major security hole for DNS devices
with access from the internet (authoritative and/or recursive edge
servers). To further lock this information down I would suggest adding the
following view statements to any internet facing DNS device configuration:

view "outsiders" chaos {
        // "your-inside-nets" is a placeholder for an acl defined elsewhere in named.conf
        match-clients { !127.0.0.1; !your-inside-nets; any; };
        allow-query { none; };
        # we need a zone within a view and Bind complains on startup if there is no
        # hint file in classes other than internet. (it is provided with the software
        # for the internet class)
        zone "." chaos {
                type hint;
                file "/dev/null";  // or any empty file
        };
};

This view excludes 127.0.0.1 and your inside network (specified in an ACL)
and matches every other address. This effectively negates queries to the
chaos class for addresses outside of your network and allows them from
addresses you specify.

id.server is another host that can be queried in the chaos class. It
defaults to server-id none; in the options block of the configuration file.
See the Bind Version 9 Administrator's Reference Manual for more
information.

Caveats: This only works for appropriate levels of ISC Bind 9 software.
While it may work with other packages, I have not tested it. Also, this
example has not been vetted with IPv6. This is an example only. It implies
no guarantee of security. Any errors, especially in spelling or grammar,
are par for the course. I code for a living, I don't write.