Protecting bind from DNS cache poisoning!!!
Torsten
toto at the-damian.de
Mon Aug 9 12:36:36 UTC 2010
On Mon, 09 Aug 2010 14:08:26 +0200, Wolfgang Solfrank <Wolfgang at Solfrank.net> wrote:
> >>> Allow bind to use as wide a range of port numbers as possible for
> >>> UDP traffic.
> >
> > On 09.08.10 17:14, Shiva Raman wrote:
> >> Yes this is allowed in the firewall.
> >
> > note that bind also should not have "port" option in query-source
> > statement.
>
> In addition, be careful with the use of NAT on your firewall. This
> will probably unrandomize the port numbers on your outgoing requests.
>
> Ciao,
> Wolfgang
Port deviation could easily be tested via porttest.dns-oarc.net
dig +short @127.0.0.1 porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with std dev 19687"
Every result other than "GREAT" should alert you.
Also, to check whether DNSSEC is working or not, send a recursive query
to your resolver and check the returned flags for ad.
[toto at daddelkiste ~]$ dig +dnssec @127.0.0.1 iis.se a
; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec @127.0.0.1 iis.se a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iis.se. IN A
;; ANSWER SECTION:
iis.se. 21 IN A 212.247.7.218
iis.se. 21 IN RRSIG A 5 2 60 20100815115001 20100805115001 53249 iis.se.
pWMYsqufhD4RkHX6IltLOcxMob3rNpc1+UnXZKgOMsO5HgbtIjALoq9+
ReqKziKev3PiEBLNdqrxT95TVlzVb7qgnLmlHABsap7m2uzuHFQKsFmh
RGxqpiuzu9bPEIfZKout4TmzILaP1Nua4ntSXyyjS35EUszfX+F/Mqrm fcc=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 9 14:35:37 2010
;; MSG SIZE rcvd: 217
Ciao
Torsten
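The two checks in the message above (source-port randomness of outgoing queries, and the ad flag on a validated answer) can be reproduced offline. The following is an added example written for this page; it is not code from Torsten, from BIND, or from DNS-OARC. It parses the 12-byte DNS header to read the ad bit, and computes the "N ports / std dev" statistic that porttest reports over a list of observed source ports. The sample headers and port lists are constructed (modelled on the dig output above: ID 12422, flags qr rd ra ad), and the std-dev threshold used for the verdict is an assumption, not the value DNS-OARC uses.

```python
"""Offline checks mirroring the post: ad-flag parsing and source-port spread.

Added example, not from the original post or from BIND/DNS-OARC.
"""
import random
import statistics
import struct
from typing import Dict, List

# DNS header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def parse_dns_header(msg: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte DNS header into its flag bits and counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def answer_is_validated(msg: bytes) -> bool:
    """True only for a NOERROR response on which the resolver set ad.

    A missing ad bit does not by itself mean the data is bogus (a bogus
    answer is SERVFAIL); it means the resolver did not validate it.
    """
    h = parse_dns_header(msg)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def build_header(ident: int, flags: int, qd: int = 1, an: int = 0,
                 ns: int = 0, ar: int = 0) -> bytes:
    """Build a header for test data (constructed, not captured traffic)."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed headers modelled on the dig output in the post:
# id 12422, flags "qr rd ra ad", 1 question, 2 answers, 1 additional (OPT).
VALIDATED = build_header(12422, QR | RD | RA | AD, qd=1, an=2, ar=1)
# Same answer from a resolver that did not validate: ad is clear.
UNVALIDATED = build_header(12422, QR | RD | RA, qd=1, an=2, ar=1)

# Assumed threshold for the verdict below; NOT the value DNS-OARC uses.
ASSUMED_MIN_STDDEV = 3980.0


def port_randomness(ports: List[int]) -> Dict[str, float]:
    """Summarise observed UDP source ports the way porttest phrases it.

    Returns the number of queries, number of distinct ports, the population
    standard deviation, and a verdict: "GREAT" when every query used a
    different port and the spread exceeds ASSUMED_MIN_STDDEV, else "ALERT".
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    spread = statistics.pstdev(ports)
    ok = distinct == len(ports) and spread >= ASSUMED_MIN_STDDEV
    return {"queries": len(ports), "ports": distinct,
            "stddev": spread, "verdict": "GREAT" if ok else "ALERT"}


# Constructed: what a NAT that rewrites source ports sequentially can produce.
SEQUENTIAL = list(range(32768, 32768 + 53))
# Constructed: 53 distinct ports drawn from the ephemeral range (seeded).
RANDOMISED = random.Random(2010).sample(range(1024, 65536), 53)


if __name__ == "__main__":
    for label, hdr in (("validated", VALIDATED), ("unvalidated", UNVALIDATED)):
        print(label, parse_dns_header(hdr)["ad"], answer_is_validated(hdr))
    for label, ports in (("sequential", SEQUENTIAL), ("randomised", RANDOMISED)):
        print(label, port_randomness(ports))
```

To use this against real traffic, feed `parse_dns_header` the UDP payload of the resolver's reply and `port_randomness` the source ports seen on the firewall's outside interface; if the outside ports look like `SEQUENTIAL` while BIND's own sockets look like `RANDOMISED`, the NAT is the problem Wolfgang describes.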