Secure Bind DNS server problem
Arthur Stephens
astephens at ptera.net
Tue Apr 19 00:32:16 UTC 2005
I am trying to secure my DNS BIND version 9.2.5 servers so I found this
template
Secure BIND Template Version 4.8 12 APR 2005
By Rob Thomas, robt at cymru.com
After disabling these that complained at startup...
//pid-file "/var/named/named.pid";
//memstatistics-file "/var/named/named.memstats";
I got the server up and running. And successfully tested from inside.
But I noticed these in the logs right away.
Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
'ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'mail.aiin.com/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'mail.aiin.com/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns2.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns2.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns.ptera.net/IN' denied
Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query
'aiin.com/IN' denied
This was not good. I then tried using tools at http://www.dnsstuff.com/
It returned that the DNS server refused to resolve the names. This is
bad because it means that people legitimately trying to get to
mail.aiin.com etc. couldn't. Just in case here is the db file for aiin.com
$ORIGIN .
$TTL 86400 ; 1 day
aiin.com IN SOA aiin.com. hostmaster.aain.com. (
2004111602 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
IN NS dns.ptera.net.
IN NS dns2.ptera.net.
IN A 216.255.223.207
IN MX 10 mail.aiin.com.
$ORIGIN aiin.com.
mail IN A 69.28.41.3
www IN A 216.255.223.207
As you can see their web server is hosted outside of our network but
their mail server is inside of our network. This worked before.
Can anyone look at the named.conf file below and tell me where I missed?
--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera
// @(#)named.conf 02 OCT 2001 Rob Thomas robt at cymru.com
// Set up our ACLs
// In BIND 8, ACL names with quotes were treated as different from
// the same name without quotes. In BIND 9, both are treated as
// the same.
acl "xfer" {
216.229.160.10;
216.229.168.10;
64.35.138.13;
64.35.144.4;
69.28.32.10;
69.28.32.11;
69.28.32.15;
69.28.32.17;
69.28.32.9;
69.28.32.6;
// Allow no transfers. If we have other
// name servers, place them here.
// Note that in the Netherlands, for example,
// the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
// are allowed to perform zone tranfers from the domains under .nl. The
// RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
// permit zone transfer requests from 193.0.0.0/23.
};
acl "trusted" {
// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
216.229.171.0/24;
69.28.32.0/20;
localhost;
};
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
74.0.0.0/8;
75.0.0.0/8;
76.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
189.0.0.0/8;
190.0.0.0/8;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
logging {
channel "default_syslog" {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/named/bind/named.log";
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
// Set options for security
options {
directory "/var/named";
//pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
//memstatistics-file "/var/named/named.memstats";
dump-file "/var/adm/named.dump";
zone-statistics yes;
// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;
// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;
// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;
// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;
allow-transfer {
// Zone tranfers limited to members of the
// "xfer" ACL.
xfer;
};
allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};
blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" in {
// Allow queries for the 127/8 network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
type master;
file "named.local";
allow-query {
any;
};
allow-transfer {
none;
};
};
zone "tylite.com" IN {
type master;
file "tylite.com.db";
};
zone "ptera.net" IN {
type master;
file "ptera.net.db";
};
zone "32.28.69.in-addr.arpa" IN {
type master;
file "69.28.32.db";
};
zone "33.28.69.in-addr.arpa" IN {
type master;
file "69.28.33.db";
};
zone "34.28.69.in-addr.arpa" IN {
type master;
file "69.28.34.db";
};
zone "35.28.69.in-addr.arpa" IN {
type master;
file "69.28.35.db";
};
zone "36.28.69.in-addr.arpa" IN {
type master;
file "69.28.36.db";
};
zone "37.28.69.in-addr.arpa" IN {
type master;
file "69.28.37.db";
};
zone "38.28.69.in-addr.arpa" IN {
type master;
file "69.28.38.db";
};
zone "39.28.69.in-addr.arpa" IN {
type master;
file "69.28.39.db";
};
zone "40.28.69.in-addr.arpa" IN {
type master;
file "69.28.40.db";
};
zone "41.28.69.in-addr.arpa" IN {
type master;
file "69.28.41.db";
};
zone "42.28.69.in-addr.arpa" IN {
type master;
file "69.28.42.db";
};
zone "43.28.69.in-addr.arpa" IN {
type master;
file "69.28.43.db";
};
zone "44.28.69.in-addr.arpa" IN {
type master;
file "69.28.44.db";
};
zone "45.28.69.in-addr.arpa" IN {
type master;
file "69.28.45.db";
};
zone "46.28.69.in-addr.arpa" IN {
type master;
file "69.28.46.db";
};
zone "47.28.69.in-addr.arpa" IN {
type master;
file "69.28.47.db";
};
zone "172.229.216.in-addr.arpa" IN {
type master;
file "216.229.172.db";
};
zone "birdshield.com" IN {
type master;
file "birdshield.com.db";
};
zone "priorityterabit.com" IN {
type master;
file "priorityterabit.com.db";
};
zone "arthurstephens.com" IN {
type master;
file "arthurstephens.com.db";
};
zone "cvafoundation.org" IN {
type master;
file "cvafoundation.org.db";
};
zone "guitarfranks.com" IN {
type master;
file "guitarfranks.com.db";
};
zone "lwccspokane.org" IN {
type master;
file "lwccspokane.org.db";
};
zone "impactspokane.com" IN {
type master;
file "impactspokane.com.db";
};
zone "tangleheart.com" IN {
type master;
file "tangleheart.com.db";
};
zone "ubergeekinc.com" IN {
type master;
file "ubergeekinc.com.db";
};
zone "aiin.com" IN {
type master;
file "aiin.com.db";
};
zone "spokanewines.com" IN {
type master;
file "spokanewines.com.db";
};
zone "skilltran.net" IN {
type master;
file "skilltran.net.hosts";
};
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
// Link in our zones
zone "." in {
type hint;
file "named.ca";
};
zone "tylite.com" IN {
type master;
file "tylite.com.db";
};
zone "ptera.net" IN {
type master;
file "ptera.net.db";
};
zone "32.28.69.in-addr.arpa" IN {
type master;
file "69.28.32.db";
};
zone "33.28.69.in-addr.arpa" IN {
type master;
file "69.28.33.db";
};
zone "34.28.69.in-addr.arpa" IN {
type master;
file "69.28.34.db";
};
zone "35.28.69.in-addr.arpa" IN {
type master;
file "69.28.35.db";
};
zone "36.28.69.in-addr.arpa" IN {
type master;
file "69.28.36.db";
};
zone "37.28.69.in-addr.arpa" IN {
type master;
file "69.28.37.db";
};
zone "38.28.69.in-addr.arpa" IN {
type master;
file "69.28.38.db";
};
zone "39.28.69.in-addr.arpa" IN {
type master;
file "69.28.39.db";
};
zone "40.28.69.in-addr.arpa" IN {
type master;
file "69.28.40.db";
};
zone "41.28.69.in-addr.arpa" IN {
type master;
file "69.28.41.db";
};
zone "42.28.69.in-addr.arpa" IN {
type master;
file "69.28.42.db";
};
zone "43.28.69.in-addr.arpa" IN {
type master;
file "69.28.43.db";
};
zone "44.28.69.in-addr.arpa" IN {
type master;
file "69.28.44.db";
};
zone "45.28.69.in-addr.arpa" IN {
type master;
file "69.28.45.db";
};
zone "46.28.69.in-addr.arpa" IN {
type master;
file "69.28.46.db";
};
zone "47.28.69.in-addr.arpa" IN {
type master;
file "69.28.47.db";
};
zone "172.229.216.in-addr.arpa" IN {
type master;
file "216.229.172.db";
};
zone "birdshield.com" IN {
type master;
file "birdshield.com.db";
};
zone "priorityterabit.com" IN {
type master;
file "priorityterabit.com.db";
};
zone "arthurstephens.com" IN {
type master;
file "arthurstephens.com.db";
};
zone "cvafoundation.org" IN {
type master;
file "cvafoundation.org.db";
};
zone "guitarfranks.com" IN {
type master;
file "guitarfranks.com.db";
};
zone "lwccspokane.org" IN {
type master;
file "lwccspokane.org.db";
};
zone "impactspokane.com" IN {
type master;
file "impactspokane.com.db";
};
zone "lindarosephoto.com" IN {
type master;
file "lindarosephoto.com.db";
};
zone "tangleheart.com" IN {
type master;
file "tangleheart.com.db";
};
zone "ubergeekinc.com" IN {
type master;
file "ubergeekinc.com.db";
};
zone "aiin.com" IN {
type master;
file "aiin.com.db";
};
zone "spokanewines.com" IN {
type master;
file "spokanewines.com.db";
};
zone "skilltran.net" IN {
type master;
file "skilltran.net.hosts";
};
};
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "db.bind";
allow-query {
trusted;
};
allow-transfer {
none;
};
};
};
More information about the bind-users
mailing list