Secure Bind DNS server problem

Tim Peiffer peiffer at umn.edu
Wed Apr 20 19:28:48 UTC 2005


This is a simpler problem: none of the client IP addresses in the logged 'query denied' messages is in the 'trusted' ACL, and the options-level allow-query { trusted; } also governs the zones in the external view, because neither that view nor its zones set an allow-query of their own.

Tim Peiffer

acl "trusted" {


// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
// Only these two prefixes and the loopback address are trusted. The
// client addresses in the "query denied" log lines (71.4.246.96,
// 195.49.141.22, 67.19.0.13) fall outside them, so any allow-query
// or match-clients gated on this ACL refuses those clients.
216.229.171.0/24;
69.28.32.0/20;
localhost;


};


allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
// NOTE: at the options level this is the default for every zone in
// every view. The "external-in" view and its master zones set no
// allow-query of their own, so untrusted clients are refused there
// too, which is what the "query denied" log messages show. The
// authoritative zones served to the world need an explicit
// allow-query { any; }; in that view or per zone, as the
// 0.0.127.in-addr.arpa zone already does; leave this global default
// as "trusted" so recursion stays closed to outsiders.
trusted;
};

Sam wrote:

>0.0.0.0/8; <- maybe this is hosing up BIND?
>
>Sam
>
>
>"Arthur Stephens" <astephens at ptera.net> wrote in message 
>news:d41kit$1pfg$1 at sf1.isc.org...
>  
>
>>I am trying to secure my DNS BIND version 9.2.5 servers so I found this
>>template
>>   Secure BIND Template Version 4.8 12 APR 2005
>>   By Rob Thomas, robt at cymru.com
>>After disabling these that complained at startup...
>>
>>//pid-file "/var/named/named.pid";
>>//memstatistics-file "/var/named/named.memstats";
>>
>>I got the server up and running. And successfully tested from inside.
>>But I noticed these in the logs right away.
>>
>>Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
>>'ptera.net/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'mail.aiin.com/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'mail.aiin.com/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'dns2.ptera.net/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'dns2.ptera.net/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'dns.ptera.net/IN' denied
>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>'dns.ptera.net/IN' denied
>>Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query
>>'aiin.com/IN' denied
>>
>>This was not good. I then tried using tools at http://www.dnsstuff.com/
>>
>>It returned that the DNS server refused to resolve the names. This is
>>bad because it means that people legitimately trying to get to
>>mail.aiin.com etc. couldn't. Just in case here is the db file for aiin.com
>>
>>$ORIGIN .
>>$TTL 86400    ; 1 day
>>aiin.com        IN SOA    aiin.com. hostmaster.aain.com. (
>>               2004111602 ; serial
>>               10800      ; refresh (3 hours)
>>               3600       ; retry (1 hour)
>>               604800     ; expire (1 week)
>>               86400      ; minimum (1 day)
>>               )
>>           IN NS    dns.ptera.net.
>>           IN NS    dns2.ptera.net.
>>           IN A    216.255.223.207
>>           IN MX    10 mail.aiin.com.
>>$ORIGIN aiin.com.
>>mail            IN A    69.28.41.3
>>www            IN A    216.255.223.207
>>
>>As you can see their web server is hosted outside of our network but
>>their mail server is inside of our network. This worked before.
>>
>>Can anyone look at the named.conf file below and tell me where I missed?
>>
>>-- 
>>Arthur Stephens
>>Senior Sales Technician
>>Ptera Wireless Internet
>>astephens at ptera.net
>>509-927-Ptera
>>
>>// @(#)named.conf 02 OCT 2001 Rob Thomas robt at cymru.com
>>// Set up our ACLs
>>// In BIND 8, ACL names with quotes were treated as different from
>>// the same name without quotes. In BIND 9, both are treated as
>>// the same.
>>acl "xfer" {
>>216.229.160.10;
>>216.229.168.10;
>>64.35.138.13;
>>64.35.144.4;
>>69.28.32.10;
>>69.28.32.11;
>>69.28.32.15;
>>69.28.32.17;
>>69.28.32.9;
>>69.28.32.6;
>>// Allow no transfers. If we have other
>>// name servers, place them here.
>>// Note that in the Netherlands, for example,
>>// the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
>>// are allowed to perform zone transfers from the domains under .nl. The
>>// RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
>>// permit zone transfer requests from 193.0.0.0/23.
>>};
>>
>>acl "trusted" {
>>
>>
>>// Place our internal and DMZ subnets in here so that
>>// intranet and DMZ clients may send DNS queries. This
>>// also prevents outside hosts from using our name server
>>// as a resolver for other domains.
>>216.229.171.0/24;
>>69.28.32.0/20;
>>localhost;
>>
>>
>>};
>>
>>acl "bogon" {
>>// Filter out the bogon networks. These are networks
>>// listed by IANA as test, RFC1918, Multicast, experi-
>>// mental, etc. If you see DNS queries or updates with
>>// a source address within these networks, this is likely
>>// of malicious origin. CAUTION: If you are using RFC1918
>>// netblocks on your network, remove those netblocks from
>>// this list of blackhole ACLs!
>>0.0.0.0/8;
>>1.0.0.0/8;
>>2.0.0.0/8;
>>5.0.0.0/8;
>>7.0.0.0/8;
>>10.0.0.0/8;
>>23.0.0.0/8;
>>27.0.0.0/8;
>>31.0.0.0/8;
>>36.0.0.0/8;
>>37.0.0.0/8;
>>39.0.0.0/8;
>>42.0.0.0/8;
>>49.0.0.0/8;
>>50.0.0.0/8;
>>74.0.0.0/8;
>>75.0.0.0/8;
>>76.0.0.0/8;
>>77.0.0.0/8;
>>78.0.0.0/8;
>>79.0.0.0/8;
>>89.0.0.0/8;
>>90.0.0.0/8;
>>91.0.0.0/8;
>>92.0.0.0/8;
>>93.0.0.0/8;
>>94.0.0.0/8;
>>95.0.0.0/8;
>>96.0.0.0/8;
>>97.0.0.0/8;
>>98.0.0.0/8;
>>99.0.0.0/8;
>>100.0.0.0/8;
>>101.0.0.0/8;
>>102.0.0.0/8;
>>103.0.0.0/8;
>>104.0.0.0/8;
>>105.0.0.0/8;
>>106.0.0.0/8;
>>107.0.0.0/8;
>>108.0.0.0/8;
>>109.0.0.0/8;
>>110.0.0.0/8;
>>111.0.0.0/8;
>>112.0.0.0/8;
>>113.0.0.0/8;
>>114.0.0.0/8;
>>115.0.0.0/8;
>>116.0.0.0/8;
>>117.0.0.0/8;
>>118.0.0.0/8;
>>119.0.0.0/8;
>>120.0.0.0/8;
>>121.0.0.0/8;
>>122.0.0.0/8;
>>123.0.0.0/8;
>>169.254.0.0/16;
>>172.16.0.0/12;
>>173.0.0.0/8;
>>174.0.0.0/8;
>>175.0.0.0/8;
>>176.0.0.0/8;
>>177.0.0.0/8;
>>178.0.0.0/8;
>>179.0.0.0/8;
>>180.0.0.0/8;
>>181.0.0.0/8;
>>182.0.0.0/8;
>>183.0.0.0/8;
>>184.0.0.0/8;
>>185.0.0.0/8;
>>186.0.0.0/8;
>>187.0.0.0/8;
>>189.0.0.0/8;
>>190.0.0.0/8;
>>192.0.2.0/24;
>>192.168.0.0/16;
>>197.0.0.0/8;
>>223.0.0.0/8;
>>224.0.0.0/3;
>>};
>>
>>
>>logging {
>>
>>
>>channel "default_syslog" {
>>// Send most of the named messages to syslog.
>>syslog local2;
>>severity debug;
>>};
>>
>>channel audit_log {
>>// Send the security related messages to a separate file.
>>file "/var/named/bind/named.log";
>>severity debug;
>>print-time yes;
>>};
>>
>>category default { default_syslog; };
>>category general { default_syslog; };
>>category security { audit_log; default_syslog; };
>>category config { default_syslog; };
>>category resolver { audit_log; };
>>category xfer-in { audit_log; };
>>category xfer-out { audit_log; };
>>category notify { audit_log; };
>>category client { audit_log; };
>>category network { audit_log; };
>>category update { audit_log; };
>>category queries { audit_log; };
>>category lame-servers { audit_log; };
>>
>>
>>};
>>
>>// Set options for security
>>options {
>>directory "/var/named";
>>//pid-file "/var/named/named.pid";
>>statistics-file "/var/named/named.stats";
>>//memstatistics-file "/var/named/named.memstats";
>>dump-file "/var/adm/named.dump";
>>zone-statistics yes;
>>
>>// Prevent DoS attacks by generating bogus zone transfer
>>// requests. This will result in slower updates to the
>>// slave servers (e.g. they will await the poll interval
>>// before checking for updates).
>>notify no;
>>
>>// Generate more efficient zone transfers. This will place
>>// multiple DNS records in a DNS message, instead of one per
>>// DNS message.
>>transfer-format many-answers;
>>
>>// Set the maximum zone transfer time to something more
>>// reasonable. In this case, we state that any zone transfer
>>// that takes longer than 60 minutes is unlikely to ever
>>// complete. WARNING: If you have very large zone files,
>>// adjust this to fit your requirements.
>>max-transfer-time-in 60;
>>
>>// We have no dynamic interfaces, so BIND shouldn't need to
>>// poll for interface state {UP|DOWN}.
>>interface-interval 0;
>>
>>allow-transfer {
>>// Zone transfers limited to members of the
>>// "xfer" ACL.
>>xfer;
>>};
>>
>>allow-query {
>>// Accept queries from our "trusted" ACL. We will
>>// allow anyone to query our master zones below.
>>// This prevents us from becoming a free DNS server
>>// to the masses.
>>trusted;
>>};
>>
>>blackhole {
>>// Deny anything from the bogon networks as
>>// detailed in the "bogon" ACL.
>>bogon;
>>};
>>};
>>
>>
>>view "internal-in" in {
>>// Our internal (trusted) view. We permit the internal networks
>>// to freely access this view. We perform recursion for our
>>// internal hosts, and retrieve data from the cache for them.
>>
>>match-clients { trusted; };
>>recursion yes;
>>additional-from-auth yes;
>>additional-from-cache yes;
>>
>>zone "." IN {
>>type hint;
>>file "named.ca";
>>};
>>
>>zone "localhost" IN {
>>type master;
>>file "localhost.zone";
>>allow-update { none; };
>>};
>>
>>zone "0.0.127.in-addr.arpa" in {
>>// Allow queries for the 127/8 network, but not zone transfers.
>>// Every name server, both slave and master, will be a master
>>// for this zone.
>>type master;
>>file "named.local";
>>
>>allow-query {
>>any;
>>};
>>
>>allow-transfer {
>>none;
>>};
>>};
>>
>>zone "tylite.com" IN {
>>type master;
>>file "tylite.com.db";
>>};
>>
>>zone "ptera.net" IN {
>>type master;
>>file "ptera.net.db";
>>};
>>
>>zone "32.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.32.db";
>>};
>>
>>zone "33.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.33.db";
>>};
>>zone "34.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.34.db";
>>};
>>
>>zone "35.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.35.db";
>>};
>>
>>zone "36.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.36.db";
>>};
>>
>>zone "37.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.37.db";
>>};
>>
>>zone "38.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.38.db";
>>};
>>
>>zone "39.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.39.db";
>>};
>>
>>zone "40.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.40.db";
>>};
>>
>>zone "41.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.41.db";
>>};
>>
>>zone "42.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.42.db";
>>};
>>
>>zone "43.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.43.db";
>>};
>>
>>zone "44.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.44.db";
>>};
>>
>>zone "45.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.45.db";
>>};
>>
>>zone "46.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.46.db";
>>};
>>
>>zone "47.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.47.db";
>>};
>>
>>
>>zone "172.229.216.in-addr.arpa" IN {
>>type master;
>>file "216.229.172.db";
>>};
>>
>>zone "birdshield.com" IN {
>>type master;
>>file "birdshield.com.db";
>>};
>>
>>zone "priorityterabit.com" IN {
>>type master;
>>file "priorityterabit.com.db";
>>};
>>
>>zone "arthurstephens.com" IN {
>>type master;
>>file "arthurstephens.com.db";
>>};
>>
>>zone "cvafoundation.org" IN {
>>type master;
>>file "cvafoundation.org.db";
>>};
>>
>>zone "guitarfranks.com" IN {
>>type master;
>>file "guitarfranks.com.db";
>>};
>>
>>zone "lwccspokane.org" IN {
>>type master;
>>file "lwccspokane.org.db";
>>};
>>
>>zone "impactspokane.com" IN {
>>type master;
>>file "impactspokane.com.db";
>>};
>>
>>zone "tangleheart.com" IN {
>>type master;
>>file "tangleheart.com.db";
>>};
>>
>>zone "ubergeekinc.com" IN {
>>type master;
>>file "ubergeekinc.com.db";
>>};
>>
>>zone "aiin.com" IN {
>>type master;
>>file "aiin.com.db";
>>};
>>
>>
>>zone "spokanewines.com" IN {
>>type master;
>>file "spokanewines.com.db";
>>};
>>
>>zone "skilltran.net" IN {
>>type master;
>>file "skilltran.net.hosts";
>>};
>>
>>
>>};
>>
>>// Create a view for external DNS clients.
>>view "external-in" in {
>>// Our external (untrusted) view. We permit any client to access
>>// portions of this view. We do not perform recursion or cache
>>// access for hosts using this view.
>>
>>match-clients { any; };
>>recursion no;
>>additional-from-auth no;
>>additional-from-cache no;
>>
>>// Link in our zones
>>zone "." in {
>>type hint;
>>file "named.ca";
>>};
>>
>>zone "tylite.com" IN {
>>type master;
>>file "tylite.com.db";
>>};
>>
>>zone "ptera.net" IN {
>>type master;
>>file "ptera.net.db";
>>};
>>
>>zone "32.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.32.db";
>>};
>>
>>zone "33.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.33.db";
>>};
>>zone "34.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.34.db";
>>};
>>
>>zone "35.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.35.db";
>>};
>>
>>zone "36.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.36.db";
>>};
>>
>>zone "37.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.37.db";
>>};
>>
>>zone "38.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.38.db";
>>};
>>
>>zone "39.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.39.db";
>>};
>>
>>zone "40.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.40.db";
>>};
>>
>>zone "41.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.41.db";
>>};
>>
>>zone "42.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.42.db";
>>};
>>
>>zone "43.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.43.db";
>>};
>>
>>zone "44.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.44.db";
>>};
>>
>>zone "45.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.45.db";
>>};
>>
>>zone "46.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.46.db";
>>};
>>
>>zone "47.28.69.in-addr.arpa" IN {
>>type master;
>>file "69.28.47.db";
>>};
>>
>>
>>zone "172.229.216.in-addr.arpa" IN {
>>type master;
>>file "216.229.172.db";
>>};
>>
>>zone "birdshield.com" IN {
>>type master;
>>file "birdshield.com.db";
>>};
>>
>>zone "priorityterabit.com" IN {
>>type master;
>>file "priorityterabit.com.db";
>>};
>>
>>zone "arthurstephens.com" IN {
>>type master;
>>file "arthurstephens.com.db";
>>};
>>
>>zone "cvafoundation.org" IN {
>>type master;
>>file "cvafoundation.org.db";
>>};
>>
>>zone "guitarfranks.com" IN {
>>type master;
>>file "guitarfranks.com.db";
>>};
>>
>>zone "lwccspokane.org" IN {
>>type master;
>>file "lwccspokane.org.db";
>>};
>>
>>zone "impactspokane.com" IN {
>>type master;
>>file "impactspokane.com.db";
>>};
>>
>>zone "lindarosephoto.com" IN {
>>type master;
>>file "lindarosephoto.com.db";
>>};
>>
>>zone "tangleheart.com" IN {
>>type master;
>>file "tangleheart.com.db";
>>};
>>
>>zone "ubergeekinc.com" IN {
>>type master;
>>file "ubergeekinc.com.db";
>>};
>>
>>zone "aiin.com" IN {
>>type master;
>>file "aiin.com.db";
>>};
>>
>>
>>zone "spokanewines.com" IN {
>>type master;
>>file "spokanewines.com.db";
>>};
>>
>>zone "skilltran.net" IN {
>>type master;
>>file "skilltran.net.hosts";
>>};
>>
>>
>>};
>>
>>// Create a view for all clients perusing the CHAOS class.
>>// We allow internal hosts to query our version number.
>>// This is a good idea from a support point of view.
>>
>>view "external-chaos" chaos {
>>match-clients { any; };
>>recursion no;
>>
>>zone "." {
>>type hint;
>>file "/dev/null";
>>};
>>
>>zone "bind" {
>>type master;
>>file "db.bind";
>>
>>allow-query {
>>trusted;
>>};
>>allow-transfer {
>>none;
>>};
>>};
>>
>>
>>};
>>
>>
>>
>>    
>>
>
>  
>


