Inspecting BIND security logs, etc.

Simon Waters Simon at wretched.demon.co.uk
Thu Jul 12 17:16:11 UTC 2001


Forrest Aldrich wrote:
> 
> I would like to begin tracking "forwarded" packets on our DNS server --
> it's not clear to me that there is a way to determine this in the
> logs. Something we might put into MRTG, perhaps.

Please explain "forwarded" packets a tad more. You mean
who you're sending requests to?

DNS queries do not necessarily relate directly to packets
(i.e. TCP), and caching, and truncation.

> Also:  with regards to security concerns, are there particular patterns in
> the BIND logs that we could scan for that would be indicative of "bad
> behavior" such as cache poisoning attempts, et al. And is such
> information clear or vague about what it might be?

Kevin O'Neil once published a list of BIND error messages
(It's gone(?) from acmebw.com), I think it is on the ISC
site now. The copy in my Langfeldt Concise Guide to DNS and
BIND survives. This is a good source, the explanations
sometimes refer to attacks.

Most of the messages are clear if you have a good grasp of
what the DNS resolution procedure is:

unapproved update
unapproved query
Response from unexpected source

But most of these are self-explanatory and the types of
attack are probably well protected against in current software
releases.

New attacks will probably take a slightly different twist,
so if you have time I'd check out those "Bad referrals".
Indeed anything at all unusual from BIND is a cause for
concern, although it usually turns out to be incompetence
somewhere rather than malicious. So perhaps the focus should
be "what errors from BIND can be safely ignored" - I'd
ignore "lame server resolved" (if not one of your domains)
and check the rest.

More and more Unixes are letting you protect against weird
programming problems, like the Solaris block on executable
content on the stack. This has its own syslog entry if
enabled, and is worth enabling on BIND servers I would think
(Never found a way to test it with BIND 9 on Solaris 8).

I'd be interested in other resources, and people's
experiences with existing Intruder detection systems and
BIND, especially anything for BIND 9.

Some firewalls (I have to admit a vested interest as a
reseller of one such) understand the basics of a DNS
conversation, and will kill off packets from unexpected
sources, late responses, and other such dross (non-DNS
traffic to port 53). Thus these show up in the firewall logs
rather than the BIND log, but hopefully someone is reading
those as well *8-).

Is there a resource anywhere that discusses logging CHAOS
class queries? These are typically used to identify server
version, and can indicate undue interest in your DNS
servers, or might just be someone surveying the Internet
landscape.
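As an added illustration (not part of this post, and not BIND's own tooling), a small Python triage script in the spirit of the "what errors from BIND can be safely ignored" rule above: it tags the messages named in the reply, ignores "lame server" lines unless they concern one of your own zones, and counts the rest for review. The log lines, the OWN_DOMAINS set and the exact syslog wording are constructed approximations, not output from a real server.

```python
import re
from collections import Counter

OWN_DOMAINS = {"example.com"}  # zones we are authoritative for (constructed for the example)
# Messages named in the post -> tag; patterns are loose, BIND 8 and 9 word them differently.
PATTERNS = [
    ("unapproved-update", re.compile(r"unapproved update", re.I)),
    ("unapproved-query", re.compile(r"unapproved query", re.I)),
    ("unexpected-source", re.compile(r"response from unexpected source", re.I)),
    ("bad-referral", re.compile(r"bad referral", re.I)),
    ("lame-server", re.compile(r"lame server", re.I)),
]
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ named\[\d+\]: (?P<msg>.*)$")
QUOTED = re.compile(r"'([^']+)'" + r'|"([^"]+)"')

def classify(line):
    """Return (tag, action) for one syslog line from named, None for other daemons."""
    m = SYSLOG.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for tag, pat in PATTERNS:
        if pat.search(msg):
            break
    else:
        return ("other", "review")  # anything unusual from BIND gets a look
    if tag == "lame-server":  # ignore unless it concerns one of our own zones
        names = [a or b for a, b in QUOTED.findall(msg)]
        own = any(n == d or n.endswith("." + d) for n in names for d in OWN_DOMAINS)
        return (tag, "review" if own else "ignore")
    return (tag, "review")

def triage(lines):
    """Count lines per (tag, action); the counts are what you would graph in MRTG."""
    return Counter(c for c in map(classify, lines) if c)

# Constructed sample lines approximating BIND's syslog wording, not from a real server.
SAMPLE = """\
Jul 12 17:10:01 ns1 named[842]: unapproved update from [192.0.2.5].1034 for "example.com"
Jul 12 17:10:07 ns1 named[842]: unapproved query from [192.0.2.7].2051 for "example.com"
Jul 12 17:11:19 ns1 named[842]: Response from unexpected source ([192.0.2.9].53)
Jul 12 17:12:40 ns1 named[842]: lame server resolving 'www.example.net' (in 'example.net'?): 192.0.2.10#53
Jul 12 17:12:41 ns1 named[842]: lame server resolving 'www.example.com' (in 'example.com'?): 192.0.2.11#53
Jul 12 17:13:02 ns1 named[842]: Bad referral (example.org !< example.net) from [192.0.2.12].53
Jul 12 17:13:30 ns1 sshd[900]: Accepted publickey for admin from 192.0.2.1
""".splitlines()

if __name__ == "__main__":
    for (tag, action), n in sorted(triage(SAMPLE).items()):
        print(f"{tag:18s} {action:7s} {n}")
```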
