Secure Bind DNS server problem

joe joe at telepacific.net
Thu Apr 21 01:21:12 UTC 2005


allow-query {

// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

The above will only let your subnets make queries to the zones you host.

Try the following:

allow-query { any; }; -> this way anyone can get the info they need (MX, A, www, etc.)

allow-transfer { xfer; };

xfer -> would be an ACL for your subnets only to pull the complete zone files (notifies for slaves, AXFR, etc.)

I try to keep my ACLs and options really simple but secure.


Hope this helps
joe

>Tim Peiffer wrote:
>
>>This is a simpler problem.  None of the IP addresses in the complaint is 
>>'trusted'.
>>
>>Tim Peiffer
>>
>>acl "trusted" {
>>
>>
>>// Place our internal and DMZ subnets in here so that
>>// intranet and DMZ clients may send DNS queries. This
>>// also prevents outside hosts from using our name server
>>// as a resolver for other domains.
>>216.229.171.0/24;
>>69.28.32.0/20;
>>localhost;
>>
>>
>>};
>>
>>
>>allow-query {
>>// Accept queries from our "trusted" ACL. We will
>>// allow anyone to query our master zones below.
>>// This prevents us from becoming a free DNS server
>>// to the masses.
>>trusted;
>>};
>>
>>Sam wrote:
>>
>>  
>>
>>>0.0.0.0/8; <- maybe this is hosing up BIND?
>>>
>>>Sam
>>>
>>>
>>>"Arthur Stephens" <astephens at ptera.net> wrote in message 
>>>news:d41kit$1pfg$1 at sf1.isc.org...
>>> 
>>>
>>>    
>>>
>>>>I am trying to secure my DNS BIND version 9.2.5 servers so I found this
>>>>template
>>>>  Secure BIND Template Version 4.8 12 APR 2005
>>>>  By Rob Thomas, robt at cymru.com
>>>>After disabling these that complained at startup...
>>>>
>>>>//pid-file "/var/named/named.pid";
>>>>//memstatistics-file "/var/named/named.memstats";
>>>>
>>>>I got the server up and running. And successfully tested from inside.
>>>>But I noticed these in the logs right away.
>>>>
>>>>Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
>>>>'ptera.net/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'mail.aiin.com/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'mail.aiin.com/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'dns2.ptera.net/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'dns2.ptera.net/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'dns.ptera.net/IN' denied
>>>>Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
>>>>'dns.ptera.net/IN' denied
>>>>Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query
>>>>'aiin.com/IN' denied
>>>>
>>>>This was not good. I then tried using tools at http://www.dnsstuff.com/
>>>>
>>>>It returned that the DNS server refused to resolve the names. This is
>>>>bad because it means that people legitimately trying to get to
>>>>mail.aiin.com etc. couldn't. Just in case here is the db file for aiin.com
>>>>
>>>>$ORIGIN .
>>>>$TTL 86400    ; 1 day
>>>>aiin.com        IN SOA    aiin.com. hostmaster.aain.com. (
>>>>              2004111602 ; serial
>>>>              10800      ; refresh (3 hours)
>>>>              3600       ; retry (1 hour)
>>>>              604800     ; expire (1 week)
>>>>              86400      ; minimum (1 day)
>>>>              )
>>>>          IN NS    dns.ptera.net.
>>>>          IN NS    dns2.ptera.net.
>>>>          IN A    216.255.223.207
>>>>          IN MX    10 mail.aiin.com.
>>>>$ORIGIN aiin.com.
>>>>mail            IN A    69.28.41.3
>>>>www            IN A    216.255.223.207
>>>>
>>>>As you can see their web server is hosted outside of our network but
>>>>their mail server is inside of our network. This worked before.
>>>>
>>>>Can anyone look at the named.conf file below and tell me where I missed?
>>>>
>>>>-- 
>>>>Arthur Stephens
>>>>Senior Sales Technician
>>>>Ptera Wireless Internet
>>>>astephens at ptera.net
>>>>509-927-Ptera
>>>>
>>>>// @(#)named.conf 02 OCT 2001 Rob Thomas robt at cymru.com
>>>>// Set up our ACLs
>>>>// In BIND 8, ACL names with quotes were treated as different from
>>>>// the same name without quotes. In BIND 9, both are treated as
>>>>// the same.
>>>>acl "xfer" {
>>>>216.229.160.10;
>>>>216.229.168.10;
>>>>64.35.138.13;
>>>>64.35.144.4;
>>>>69.28.32.10;
>>>>69.28.32.11;
>>>>69.28.32.15;
>>>>69.28.32.17;
>>>>69.28.32.9;
>>>>69.28.32.6;
>>>>// Allow no transfers. If we have other
>>>>// name servers, place them here.
>>>>// Note that in the Netherlands, for example,
>>>>// the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
>>>>// are allowed to perform zone transfers from the domains under .nl. The
>>>>// RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
>>>>// permit zone transfer requests from 193.0.0.0/23.
>>>>};
>>>>
>>>>acl "trusted" {
>>>>
>>>>
>>>>// Place our internal and DMZ subnets in here so that
>>>>// intranet and DMZ clients may send DNS queries. This
>>>>// also prevents outside hosts from using our name server
>>>>// as a resolver for other domains.
>>>>216.229.171.0/24;
>>>>69.28.32.0/20;
>>>>localhost;
>>>>
>>>>
>>>>};
>>>>
>>>>acl "bogon" {
>>>>// Filter out the bogon networks. These are networks
>>>>// listed by IANA as test, RFC1918, Multicast, experi-
>>>>// mental, etc. If you see DNS queries or updates with
>>>>// a source address within these networks, this is likely
>>>>// of malicious origin. CAUTION: If you are using RFC1918
>>>>// netblocks on your network, remove those netblocks from
>>>>// this list of blackhole ACLs!
>>>>0.0.0.0/8;
>>>>1.0.0.0/8;
>>>>2.0.0.0/8;
>>>>5.0.0.0/8;
>>>>7.0.0.0/8;
>>>>10.0.0.0/8;
>>>>23.0.0.0/8;
>>>>27.0.0.0/8;
>>>>31.0.0.0/8;
>>>>36.0.0.0/8;
>>>>37.0.0.0/8;
>>>>39.0.0.0/8;
>>>>42.0.0.0/8;
>>>>49.0.0.0/8;
>>>>50.0.0.0/8;
>>>>74.0.0.0/8;
>>>>75.0.0.0/8;
>>>>76.0.0.0/8;
>>>>77.0.0.0/8;
>>>>78.0.0.0/8;
>>>>79.0.0.0/8;
>>>>89.0.0.0/8;
>>>>90.0.0.0/8;
>>>>91.0.0.0/8;
>>>>92.0.0.0/8;
>>>>93.0.0.0/8;
>>>>94.0.0.0/8;
>>>>95.0.0.0/8;
>>>>96.0.0.0/8;
>>>>97.0.0.0/8;
>>>>98.0.0.0/8;
>>>>99.0.0.0/8;
>>>>100.0.0.0/8;
>>>>101.0.0.0/8;
>>>>102.0.0.0/8;
>>>>103.0.0.0/8;
>>>>104.0.0.0/8;
>>>>105.0.0.0/8;
>>>>106.0.0.0/8;
>>>>107.0.0.0/8;
>>>>108.0.0.0/8;
>>>>109.0.0.0/8;
>>>>110.0.0.0/8;
>>>>111.0.0.0/8;
>>>>112.0.0.0/8;
>>>>113.0.0.0/8;
>>>>114.0.0.0/8;
>>>>115.0.0.0/8;
>>>>116.0.0.0/8;
>>>>117.0.0.0/8;
>>>>118.0.0.0/8;
>>>>119.0.0.0/8;
>>>>120.0.0.0/8;
>>>>121.0.0.0/8;
>>>>122.0.0.0/8;
>>>>123.0.0.0/8;
>>>>169.254.0.0/16;
>>>>172.16.0.0/12;
>>>>173.0.0.0/8;
>>>>174.0.0.0/8;
>>>>175.0.0.0/8;
>>>>176.0.0.0/8;
>>>>177.0.0.0/8;
>>>>178.0.0.0/8;
>>>>179.0.0.0/8;
>>>>180.0.0.0/8;
>>>>181.0.0.0/8;
>>>>182.0.0.0/8;
>>>>183.0.0.0/8;
>>>>184.0.0.0/8;
>>>>185.0.0.0/8;
>>>>186.0.0.0/8;
>>>>187.0.0.0/8;
>>>>189.0.0.0/8;
>>>>190.0.0.0/8;
>>>>192.0.2.0/24;
>>>>192.168.0.0/16;
>>>>197.0.0.0/8;
>>>>223.0.0.0/8;
>>>>224.0.0.0/3;
>>>>};
>>>>
>>>>
>>>>logging {
>>>>
>>>>
>>>>channel "default_syslog" {
>>>>// Send most of the named messages to syslog.
>>>>syslog local2;
>>>>severity debug;
>>>>};
>>>>
>>>>channel audit_log {
>>>>// Send the security related messages to a separate file.
>>>>file "/var/named/bind/named.log";
>>>>severity debug;
>>>>print-time yes;
>>>>};
>>>>
>>>>category default { default_syslog; };
>>>>category general { default_syslog; };
>>>>category security { audit_log; default_syslog; };
>>>>category config { default_syslog; };
>>>>category resolver { audit_log; };
>>>>category xfer-in { audit_log; };
>>>>category xfer-out { audit_log; };
>>>>category notify { audit_log; };
>>>>category client { audit_log; };
>>>>category network { audit_log; };
>>>>category update { audit_log; };
>>>>category queries { audit_log; };
>>>>category lame-servers { audit_log; };
>>>>
>>>>
>>>>};
>>>>
>>>>// Set options for security
>>>>options {
>>>>directory "/var/named";
>>>>//pid-file "/var/named/named.pid";
>>>>statistics-file "/var/named/named.stats";
>>>>//memstatistics-file "/var/named/named.memstats";
>>>>dump-file "/var/adm/named.dump";
>>>>zone-statistics yes;
>>>>
>>>>// Prevent DoS attacks by generating bogus zone transfer
>>>>// requests. This will result in slower updates to the
>>>>// slave servers (e.g. they will await the poll interval
>>>>// before checking for updates).
>>>>notify no;
>>>>
>>>>// Generate more efficient zone transfers. This will place
>>>>// multiple DNS records in a DNS message, instead of one per
>>>>// DNS message.
>>>>transfer-format many-answers;
>>>>
>>>>// Set the maximum zone transfer time to something more
>>>>// reasonable. In this case, we state that any zone transfer
>>>>// that takes longer than 60 minutes is unlikely to ever
>>>>// complete. WARNING: If you have very large zone files,
>>>>// adjust this to fit your requirements.
>>>>max-transfer-time-in 60;
>>>>
>>>>// We have no dynamic interfaces, so BIND shouldn't need to
>>>>// poll for interface state {UP|DOWN}.
>>>>interface-interval 0;
>>>>
>>>>allow-transfer {
>>>>// Zone transfers limited to members of the
>>>>// "xfer" ACL.
>>>>xfer;
>>>>};
>>>>
>>>>allow-query {
>>>>// Accept queries from our "trusted" ACL. We will
>>>>// allow anyone to query our master zones below.
>>>>// This prevents us from becoming a free DNS server
>>>>// to the masses.
>>>>trusted;
>>>>};
>>>>
>>>>blackhole {
>>>>// Deny anything from the bogon networks as
>>>>// detailed in the "bogon" ACL.
>>>>bogon;
>>>>};
>>>>};
>>>>
>>>>
>>>>view "internal-in" in {
>>>>// Our internal (trusted) view. We permit the internal networks
>>>>// to freely access this view. We perform recursion for our
>>>>// internal hosts, and retrieve data from the cache for them.
>>>>
>>>>match-clients { trusted; };
>>>>recursion yes;
>>>>additional-from-auth yes;
>>>>additional-from-cache yes;
>>>>
>>>>zone "." IN {
>>>>type hint;
>>>>file "named.ca";
>>>>};
>>>>
>>>>zone "localhost" IN {
>>>>type master;
>>>>file "localhost.zone";
>>>>allow-update { none; };
>>>>};
>>>>
>>>>zone "0.0.127.in-addr.arpa" in {
>>>>// Allow queries for the 127/8 network, but not zone transfers.
>>>>// Every name server, both slave and master, will be a master
>>>>// for this zone.
>>>>type master;
>>>>file "named.local";
>>>>
>>>>allow-query {
>>>>any;
>>>>};
>>>>
>>>>allow-transfer {
>>>>none;
>>>>};
>>>>};
>>>>
>>>>zone "tylite.com" IN {
>>>>type master;
>>>>file "tylite.com.db";
>>>>};
>>>>
>>>>zone "ptera.net" IN {
>>>>type master;
>>>>file "ptera.net.db";
>>>>};
>>>>
>>>>zone "32.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.32.db";
>>>>};
>>>>
>>>>zone "33.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.33.db";
>>>>};
>>>>zone "34.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.34.db";
>>>>};
>>>>
>>>>zone "35.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.35.db";
>>>>};
>>>>
>>>>zone "36.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.36.db";
>>>>};
>>>>
>>>>zone "37.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.37.db";
>>>>};
>>>>
>>>>zone "38.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.38.db";
>>>>};
>>>>
>>>>zone "39.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.39.db";
>>>>};
>>>>
>>>>zone "40.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.40.db";
>>>>};
>>>>
>>>>zone "41.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.41.db";
>>>>};
>>>>
>>>>zone "42.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.42.db";
>>>>};
>>>>
>>>>zone "43.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.43.db";
>>>>};
>>>>
>>>>zone "44.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.44.db";
>>>>};
>>>>
>>>>zone "45.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.45.db";
>>>>};
>>>>
>>>>zone "46.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.46.db";
>>>>};
>>>>
>>>>zone "47.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.47.db";
>>>>};
>>>>
>>>>
>>>>zone "172.229.216.in-addr.arpa" IN {
>>>>type master;
>>>>file "216.229.172.db";
>>>>};
>>>>
>>>>zone "birdshield.com" IN {
>>>>type master;
>>>>file "birdshield.com.db";
>>>>};
>>>>
>>>>zone "priorityterabit.com" IN {
>>>>type master;
>>>>file "priorityterabit.com.db";
>>>>};
>>>>
>>>>zone "arthurstephens.com" IN {
>>>>type master;
>>>>file "arthurstephens.com.db";
>>>>};
>>>>
>>>>zone "cvafoundation.org" IN {
>>>>type master;
>>>>file "cvafoundation.org.db";
>>>>};
>>>>
>>>>zone "guitarfranks.com" IN {
>>>>type master;
>>>>file "guitarfranks.com.db";
>>>>};
>>>>
>>>>zone "lwccspokane.org" IN {
>>>>type master;
>>>>file "lwccspokane.org.db";
>>>>};
>>>>
>>>>zone "impactspokane.com" IN {
>>>>type master;
>>>>file "impactspokane.com.db";
>>>>};
>>>>
>>>>zone "tangleheart.com" IN {
>>>>type master;
>>>>file "tangleheart.com.db";
>>>>};
>>>>
>>>>zone "ubergeekinc.com" IN {
>>>>type master;
>>>>file "ubergeekinc.com.db";
>>>>};
>>>>
>>>>zone "aiin.com" IN {
>>>>type master;
>>>>file "aiin.com.db";
>>>>};
>>>>
>>>>
>>>>zone "spokanewines.com" IN {
>>>>type master;
>>>>file "spokanewines.com.db";
>>>>};
>>>>
>>>>zone "skilltran.net" IN {
>>>>type master;
>>>>file "skilltran.net.hosts";
>>>>};
>>>>
>>>>
>>>>};
>>>>
>>>>// Create a view for external DNS clients.
>>>>view "external-in" in {
>>>>// Our external (untrusted) view. We permit any client to access
>>>>// portions of this view. We do not perform recursion or cache
>>>>// access for hosts using this view.
>>>>
>>>>match-clients { any; };
>>>>recursion no;
>>>>additional-from-auth no;
>>>>additional-from-cache no;
>>>>
>>>>// Link in our zones
>>>>zone "." in {
>>>>type hint;
>>>>file "named.ca";
>>>>};
>>>>
>>>>zone "tylite.com" IN {
>>>>type master;
>>>>file "tylite.com.db";
>>>>};
>>>>
>>>>zone "ptera.net" IN {
>>>>type master;
>>>>file "ptera.net.db";
>>>>};
>>>>
>>>>zone "32.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.32.db";
>>>>};
>>>>
>>>>zone "33.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.33.db";
>>>>};
>>>>zone "34.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.34.db";
>>>>};
>>>>
>>>>zone "35.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.35.db";
>>>>};
>>>>
>>>>zone "36.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.36.db";
>>>>};
>>>>
>>>>zone "37.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.37.db";
>>>>};
>>>>
>>>>zone "38.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.38.db";
>>>>};
>>>>
>>>>zone "39.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.39.db";
>>>>};
>>>>
>>>>zone "40.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.40.db";
>>>>};
>>>>
>>>>zone "41.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.41.db";
>>>>};
>>>>
>>>>zone "42.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.42.db";
>>>>};
>>>>
>>>>zone "43.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.43.db";
>>>>};
>>>>
>>>>zone "44.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.44.db";
>>>>};
>>>>
>>>>zone "45.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.45.db";
>>>>};
>>>>
>>>>zone "46.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.46.db";
>>>>};
>>>>
>>>>zone "47.28.69.in-addr.arpa" IN {
>>>>type master;
>>>>file "69.28.47.db";
>>>>};
>>>>
>>>>
>>>>zone "172.229.216.in-addr.arpa" IN {
>>>>type master;
>>>>file "216.229.172.db";
>>>>};
>>>>
>>>>zone "birdshield.com" IN {
>>>>type master;
>>>>file "birdshield.com.db";
>>>>};
>>>>
>>>>zone "priorityterabit.com" IN {
>>>>type master;
>>>>file "priorityterabit.com.db";
>>>>};
>>>>
>>>>zone "arthurstephens.com" IN {
>>>>type master;
>>>>file "arthurstephens.com.db";
>>>>};
>>>>
>>>>zone "cvafoundation.org" IN {
>>>>type master;
>>>>file "cvafoundation.org.db";
>>>>};
>>>>
>>>>zone "guitarfranks.com" IN {
>>>>type master;
>>>>file "guitarfranks.com.db";
>>>>};
>>>>
>>>>zone "lwccspokane.org" IN {
>>>>type master;
>>>>file "lwccspokane.org.db";
>>>>};
>>>>
>>>>zone "impactspokane.com" IN {
>>>>type master;
>>>>file "impactspokane.com.db";
>>>>};
>>>>
>>>>zone "lindarosephoto.com" IN {
>>>>type master;
>>>>file "lindarosephoto.com.db";
>>>>};
>>>>
>>>>zone "tangleheart.com" IN {
>>>>type master;
>>>>file "tangleheart.com.db";
>>>>};
>>>>
>>>>zone "ubergeekinc.com" IN {
>>>>type master;
>>>>file "ubergeekinc.com.db";
>>>>};
>>>>
>>>>zone "aiin.com" IN {
>>>>type master;
>>>>file "aiin.com.db";
>>>>};
>>>>
>>>>
>>>>zone "spokanewines.com" IN {
>>>>type master;
>>>>file "spokanewines.com.db";
>>>>};
>>>>
>>>>zone "skilltran.net" IN {
>>>>type master;
>>>>file "skilltran.net.hosts";
>>>>};
>>>>
>>>>
>>>>};
>>>>
>>>>// Create a view for all clients perusing the CHAOS class.
>>>>// We allow internal hosts to query our version number.
>>>>// This is a good idea from a support point of view.
>>>>
>>>>view "external-chaos" chaos {
>>>>match-clients { any; };
>>>>recursion no;
>>>>
>>>>zone "." {
>>>>type hint;
>>>>file "/dev/null";
>>>>};
>>>>
>>>>zone "bind" {
>>>>type master;
>>>>file "db.bind";
>>>>
>>>>allow-query {
>>>>trusted;
>>>>};
>>>>allow-transfer {
>>>>none;
>>>>};
>>>>};
>>>>
>>>>
>>>>};
>  
>
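To make joe's advice concrete, here is an added example (not code from the thread) that models BIND's first-match address-match-list evaluation over the ACLs quoted above; it assumes the built-in localhost ACL is 127.0.0.0/8, and its bogon list is a constructed subset of the template's. It shows why the clients in Arthur's log are denied under allow-query { trusted; }, and that allow-query { any; } answers them while allow-transfer { xfer; } and the blackhole still hold.

```python
import ipaddress

# ACLs copied from the named.conf quoted in this thread. BIND's built-in
# "localhost" ACL is modelled as 127.0.0.0/8, and "bogon" is a constructed
# subset of the template's list, just enough to exercise the blackhole.
ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.0/8"],
    "trusted": ["216.229.171.0/24", "69.28.32.0/20", "localhost"],
    "xfer": ["216.229.160.10", "216.229.168.10", "64.35.138.13",
             "64.35.144.4", "69.28.32.10", "69.28.32.11", "69.28.32.15",
             "69.28.32.17", "69.28.32.9", "69.28.32.6"],
    "bogon": ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "224.0.0.0/3"],
}

def matches(client, aml):
    """Simplified BIND address match list: first matching element wins.
    True = positive match, False = negated ('!') match, None = no match.
    A nested ACL name counts as a hit only when it matches positively."""
    ip = ipaddress.ip_address(client)
    for elem in aml:
        negated = elem.startswith("!")
        target = elem.lstrip("!")
        if target in ACLS:
            hit = matches(client, ACLS[target]) is True
        else:
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negated
    return None

def allowed(client, aml):
    """Access-control reading of a match list: only a positive match allows."""
    return matches(client, aml) is True

def decide(client, allow_query, allow_transfer=("xfer",), blackhole=("bogon",)):
    """Apply the options-block controls the way the thread's config combines
    them; returns (query_decision, transfer_decision) for one client."""
    if allowed(client, blackhole):          # blackholed clients get nothing
        return ("blackholed", "blackholed")
    query = "allowed" if allowed(client, allow_query) else "denied"
    xfer = "allowed" if allowed(client, allow_transfer) else "denied"
    return (query, xfer)

if __name__ == "__main__":
    # Clients taken from the 'query denied' log lines in the original post.
    for client in ["71.4.246.96", "195.49.141.22", "67.19.0.13", "69.28.32.10"]:
        print(client, decide(client, ["trusted"]), decide(client, ["any"]))
```

The template's bogon list is dated 2005; apart from the RFC1918, link-local, 0/8, TEST-NET and multicast ranges, every /8 it blackholes has since been allocated by IANA, so a copy left unchanged would silently drop legitimate clients.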



More information about the bind-users mailing list