bind 9 goes rogue and revert zone information
Raul Dias
raul at dias.com.br
Tue Feb 7 16:35:57 UTC 2017
I know.
So far, the only files changed are the ones I changed myself, like bind
config files and vimrc.
No hidden toolkit found too.
I still think that it is easier to be a misconfiguration done by myself.
Still looking for better indications that this could be the case.
On 07/02/2017 12:42, Alberto Colosi wrote:
>
> IP ports not open does not mean is not hacked.
>
> a vulnerability can be used to make a change or an access
>
>
> try to change and audit file access and permission firewall log
> analisys can give a plus to find a solution (check all IP traffic out
> from TCP/UDP 53)
>
>
> If you have RNDC , change KEY or disable it
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Raul Dias <raul at dias.com.br>
> *Sent:* Tuesday, February 7, 2017 3:34 PM
> *To:* Alberto Colosi; bind-users at lists.isc.org
> *Subject:* Re: bind 9 goes rogue and revert zone information
>
> Sorry,
> Static files.
> It is the master server.
> No dynamic updates.
> Host under lxc with only bind ports open.
>
>
> On Tue, Feb 7, 2017, 12:27 Alberto Colosi <alcol at hotmail.com
> <mailto:alcol at hotmail.com>> wrote:
>
> hi is unclear named structure if is a slave a master if dynamic
> updates are enabled and if the unix box has been hacked
>
> as last , zones are static files on fs ?
>
>
>
> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org
> <mailto:bind-users-bounces at lists.isc.org>> on behalf of Raul Dias
> <raul at dias.com.br <mailto:raul at dias.com.br>>
> *Sent:* Tuesday, February 7, 2017 3:03 PM
> *To:* bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
> *Subject:* bind 9 goes rogue and revert zone information
> Hello,
>
> I have a very strange behavior that I am failing to understand.
>
> 2 to 5 times a week, a named server revert back to a previous
> version os
> a master zone.
> This happens during the night, usually around 20h EST.
>
> This zone has a serial of 3017020401 (yes, I typo the 3 somewhere
> in the
> past).
> When it reverts its zone information, it goes back to 3016060101.
>
> I have updated, restarted the host, clean all cache and journal
> files,
> grep all files in the host for 3016060101 (just shows up in the logs).
>
> So, I have no clue why, or how it is happening. Where does it get the
> old information.
>
> I thought first about the serial, but it would have happened in
> the past
> too, right? As it should be a 32bit unsigned integer, it
> shouldn't be a
> problem, IMHO.
>
> Yet, when "dig domain -t SOA @server", it is there again.
>
> The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8
> more specifically.
>
>
> Thanks for any direction.
> -rsd
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users Info Page - Internet Systems Consortium
> <https://lists.isc.org/mailman/listinfo/bind-users>
> lists.isc.org <http://lists.isc.org>
> To see the collection of prior postings to the list, visit the
> bind-users Archives. Using bind-users: To post a message to all
> the list members, send ...
>
>
>
> bind-users mailing list
> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-users
> bind-users Info Page - Internet Systems Consortium
> <https://lists.isc.org/mailman/listinfo/bind-users>
> lists.isc.org <http://lists.isc.org>
> To see the collection of prior postings to the list, visit the
> bind-users Archives. Using bind-users: To post a message to all
> the list members, send ...
>
>
--
Att. Raul Dias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170207/1d9ef17d/attachment-0001.html>
More information about the bind-users
mailing list