nessus scan reveals vulnerability on port domain (53/tcp)

Kevin Darcy kcd at daimlerchrysler.com
Mon Jan 29 23:59:13 UTC 2001


allow-recursion { localnets; };

allow-recursion { 10/8; };

You can, of course, associate names with arbitrary addresses, address ranges
and/or address prefixes. For instance, on some of my firewalls I have

allow-recursion { extranet; };

where "extranet" is an "acl" I define myself (as opposed to the built-in "acl"s
like "localnets").

By the way, you should upgrade to at least BIND 8.2.3 because of the security
vulnerability that was just fixed.


- Kevin

Rick Updegrove wrote:

> Hello, below is a nessus generated scan which suggests that I "Restrict
> recursive queries to the hosts that should use this nameserver (such as
> those of the LAN connected to it).  If you are using bind 8, you can do this
> by using the instruction 'allow-recursion' in the 'options' section of your
> named.conf
>
> I tried at least 3 ways of adding that - all of which errored on restart.
> Does anyone have a working example? Thanks. <By the way, I upgraded the
> version already to the recommended upgrade version>
>
> Vulnerability found on port domain (53/tcp)
>
>   The remote BIND server, according to its
>   version number, is vulnerable to the ZXFR
>   bug that allows an attacker to disable it
>   remotely.
>
>   Solution : upgrade to bind 8.2.2-P7
>   Risk factor : High
>
> [ back to the list of ports ]
> Warning found on port domain (53/tcp)
>
>   The remote name server allows recursive queries to be performed
>   by the host running nessusd.
>
>   If this is your internal nameserver, then forget this warning.
>
>   <This was a remote scan to my nameserver>
>
>   If you are probing a remote nameserver, then it allows anyone
>   to use it to resolve third parties names (such as www.nessus.org).
>   This allows hackers to do cache poisoning attacks against this
>   nameserver.
>
>   Solution : Restrict recursive queries to the hosts that should
>   use this nameserver (such as those of the LAN connected to it).
>   If you are using bind 8, you can do this by using the instruction
>   'allow-recursion' in the 'options' section of your named.conf
>
>   If you are using another name server, consult its documentation.
>
>   Risk factor : Serious
>
> Information found on port domain (53/tcp)
>
>   The remote bind version is : 8.2.2-P5
>
>   < I did upgrade this >
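Below is a complete minimal BIND 8 named.conf in the shape Kevin describes, added here as an illustration; it is not from either poster. The address ranges, directory and file names are placeholders. Three things that commonly produce the "errored on restart" Rick mentions: the acl statement is a top-level statement, so it must sit outside (and before) the options block that references it; every address, every list and every closing brace needs its own semicolon; and an acl name that is not defined before it is used is a parse error.

```conf
// Added example, not from the original thread. Addresses and paths are
// placeholders; replace them with your own before use.

// BEFORE (the state Nessus flagged): no allow-recursion statement.
// BIND 8's default is to answer recursive queries from any host.
//
// options {
//     directory "/var/named";
// };

// AFTER: define the acl first, at top level, then reference it in options.
acl extranet {
    10/8;              // internal network (placeholder)
    192.0.2.0/24;      // partner range (placeholder)
};

options {
    directory "/var/named";
    // Only hosts on directly attached networks (built-in "localnets")
    // and the addresses in "extranet" may use this server as a resolver.
    allow-recursion { localnets; extranet; };
};

zone "." {
    type hint;
    file "named.ca";
};
```

To confirm the change took effect, query the server from a host outside the listed networks for a name it is not authoritative for (for example `dig @your.server www.nessus.org`): it should no longer go out and resolve it on that client's behalf. Note that on BIND 8 a disallowed client can still receive answers that are already in the cache; allow-recursion stops the server from doing new lookups for that client, it does not hide cached data.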