bind 9 goes rogue and revert zone information

Warren Kumari warren at kumari.net
Tue Feb 7 21:43:08 UTC 2017 

This really sounds like the zone file is *in* the container itself, and
that the container is restarting.
You said that this is running under LXC -- is this actually a Docker
container? How are you starting the container?

W


On Tue, Feb 7, 2017 at 11:35 AM, Raul Dias <raul at dias.com.br> wrote:

> I know.
>
> So far, the only files changed are the ones I changed myself, like bind
> config files and vimrc.
>
> No hidden toolkit found too.
>
> I still think that it is easier to be a misconfiguration done by myself.
>
> Still looking for better indications that this could be the case.
>
> On 07/02/2017 12:42, Alberto Colosi wrote:
>
> IP ports not open does not mean is not hacked.
>
> a vulnerability can be used to make a change or an access
>
>
> try to change and audit file access and permission firewall log analisys
> can give a plus to find a solution (check all IP traffic out from TCP/UDP
> 53)
>
>
> If you have RNDC , change KEY or disable it
>
>
>
>
> ------------------------------
> *From:* Raul Dias <raul at dias.com.br> <raul at dias.com.br>
> *Sent:* Tuesday, February 7, 2017 3:34 PM
> *To:* Alberto Colosi; bind-users at lists.isc.org
> *Subject:* Re: bind 9 goes rogue and revert zone information
>
>
> Sorry,
> Static files.
> It is the master server.
> No dynamic updates.
> Host under lxc with only bind ports open.
>
> On Tue, Feb 7, 2017, 12:27 Alberto Colosi <alcol at hotmail.com> wrote:
>
>> hi is unclear named structure if is a slave a master if dynamic updates
>> are enabled and if the unix box has been hacked
>>
>> as last , zones are static files on fs ?
>>
>>
>> ------------------------------
>> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of Raul
>> Dias < <raul at dias.com.br>raul at dias.com.br>
>> *Sent:* Tuesday, February 7, 2017 3:03 PM
>> *To:* <bind-users at lists.isc.org>bind-users at lists.isc.org
>> *Subject:* bind 9 goes rogue and revert zone information
>>
>> Hello,
>>
>> I have a very strange behavior that I am failing to understand.
>>
>> 2 to 5 times a week, a named server revert back to a previous version os
>> a master zone.
>> This happens during the night, usually around 20h EST.
>>
>> This zone has a serial of 3017020401 <(301)%20702-0401> (yes, I typo the
>> 3 somewhere in the
>> past).
>> When it reverts its zone information, it goes back to 3016060101
>> <(301)%20606-0101>.
>>
>> I have updated, restarted the host, clean all cache and journal files,
>> grep all files in the host for 3016060101 <(301)%20606-0101> (just shows
>> up in the logs).
>>
>> So, I have no clue why, or how it is happening. Where does it get the
>> old information.
>>
>> I thought first about the serial, but it would have happened in the past
>> too, right?  As it should be a 32bit unsigned integer, it shouldn't be a
>> problem, IMHO.
>>
>> Yet, when "dig domain -t SOA @server", it is there again.
>>
>> The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8
>> more specifically.
>>
>>
>> Thanks for any direction.
>> -rsd
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>> bind-users Info Page - Internet Systems Consortium
>> <https://lists.isc.org/mailman/listinfo/bind-users>
>> lists.isc.org
>> To see the collection of prior postings to the list, visit the bind-users
>> Archives. Using bind-users: To post a message to all the list members, send
>> ...
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>> bind-users Info Page - Internet Systems Consortium
>> <https://lists.isc.org/mailman/listinfo/bind-users>
>> lists.isc.org
>> To see the collection of prior postings to the list, visit the bind-users
>> Archives. Using bind-users: To post a message to all the list members, send
>> ...
>>
>>
> --
> Att. Raul Dias
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170207/cd9dfc1c/attachment-0001.html>

More information about the bind-users mailing list