Greetings Jason:

On Thu, Sep 6, 2018, 4:38 PM jmitchel <jmitc...@bigjar.com> wrote:

> On 2018-09-06 16:21, jmitchel wrote:
> > Hello,
> >
> > I know this is a somewhat annoying question, because it's very broad
> > and the server's out of date, but am I going to get in trouble using
> > the version of BIND that came with NetBSD 6.1.4. Here's the info:
> >
> > Karma:/etc/namedb# uname -a
> > NetBSD Karma 6.1.4 NetBSD 6.1.4 (GENERIC) i386
> > Karma:/etc/namedb# named -V
> > BIND 9.9.2-P1 built with defaults
> > using OpenSSL version: OpenSSL 1.0.1g 7 Apr 2014
> >
> > The box will be answering queries from a cached version of the Windows
> > DNS domain, and will also be used to forward all non-local lookups to
> > OpenDNS. It is behind a SonicWall firewall and there isn't any direct
> > access to port 53 (either TCP or UDP) from the Internet. What are the
> > odds the server will be okay?
> >
> > I know I should just install the latest version, but I'm under the gun
> > as we've just realized that there are about 400 "Malware" DNS queries
> > per day and I'm worried about what's installed on what computers and
> > want to know which ones are infected ASAP.
> >

I'd reconsider introducing another host running internet connected services
that you have to manage when the internal environment isn't well behaved.
By all means run NetBSD at every opportunity, but _not_ "under the gun".

May I respectfully suggest:

* Update the Sonicwall.
* Turn on the Intrusion Detection & Prevention features to high levels.
* Configure Sonicwall's DNS proxy to lookup @ the provider of your choice.
* Configure the Windows DNS server conditional forwarders to send all
  non-local queries to the Sonicwall.
* Monitor your logs and start your cleanup.
* Tune the logs to reduce unnecessary messages.
* Look for opportunities to plan and deploy NetBSD in the organization.
  Perhaps as the heart of your new Security Information & Event Management
  initiative?

Same results, one less host to attack.

I never let AD DNS servers resolve queries for other than their own zones.
Always forwarded to public providers or ISP. Firewall rules in place
accordingly.

> > Thanks in advance for reading and any help you can provide.
> >
> > Jason M.
> >
> Never mind (I think). I checked pkgsrc before writing this, but didn't
> check the right directory. I just found bind-9.10.8pl1nb1 and will use
> that. But if there's any reason I should be wary with the newer
> software, please let me know.
>
> Thanks,
>
> Jason M.
>

Best of luck to your efforts.

Tom S.
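The practical problem behind the thread is finding out which internal machines are the source of the "Malware" DNS lookups. The following is an added example, not code from either poster or from BIND: a small Python parser that reads BIND 9.9-style query-log lines (the default `queries` logging category, `client IP#port (qname): query: qname IN type ...`) and attributes lookups of blocklisted names to the client IPs that sent them. The log lines, the client addresses and the blocklist names are constructed placeholders, and the `SAMPLE_LOG`, `BLOCKLIST`, `parse_query_line`, `in_blocklist`, `suspicious_clients` and `rank_clients` names are this example's own.

```python
"""Attribute blocklisted DNS lookups to internal clients from BIND query logs.

Added example (not from the mailing-list thread). Assumes BIND's default
query-log line format as produced by the "queries" logging category.
All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# One BIND 9.9-style query-log line looks like (constructed):
# 06-Sep-2018 16:21:03.123 client 192.168.1.57#51234 (evil.example): query: evil.example IN A + (192.168.1.2)
# The "(qname)" after the port is present in 9.9 but not in older releases,
# so it is optional here; re.search also tolerates a syslog prefix.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed blocklist (placeholder names, not real indicators). In practice
# this would be loaded from the feed or the firewall category list in use.
BLOCKLIST = {"malware-c2.example.net", "badware.example.org"}

# Constructed sample log covering two hits, one benign lookup and one junk line.
SAMPLE_LOG = """\
06-Sep-2018 16:21:03.123 client 192.168.1.57#51234 (malware-c2.example.net): query: malware-c2.example.net IN A + (192.168.1.2)
06-Sep-2018 16:21:04.001 client 192.168.1.57#51235 (malware-c2.example.net): query: malware-c2.example.net IN A + (192.168.1.2)
06-Sep-2018 16:21:05.500 client 192.168.1.88#40001 (www.netbsd.org): query: www.netbsd.org IN AAAA + (192.168.1.2)
06-Sep-2018 16:21:06.200 client 192.168.1.120#55555 (update.badware.example.org): query: update.badware.example.org IN A + (192.168.1.2)
this line is not a query log entry and must be skipped
"""


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()  # normalise trailing dot and case
    return m.group("ip"), qname, m.group("qtype")


def in_blocklist(qname, blocklist=BLOCKLIST):
    """True if qname is a blocked name or any subdomain of one."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def suspicious_clients(lines, blocklist=BLOCKLIST):
    """Map each client IP to {qname: count} for lookups that hit the blocklist."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, qname, _qtype = parsed
        if in_blocklist(qname, blocklist):
            hits[ip][qname] += 1
    return {ip: dict(names) for ip, names in hits.items()}


def rank_clients(hits):
    """Sort clients by total blocklisted lookups, busiest first (ties by IP)."""
    totals = [(ip, sum(names.values())) for ip, names in hits.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    hits = suspicious_clients(SAMPLE_LOG.splitlines())
    for ip, total in rank_clients(hits):
        print(f"{ip}: {total} blocklisted lookup(s) -> {sorted(hits[ip])}")
```

One caveat that follows from the setup described in the thread: the client IP in a query log is whoever sent the query to that server. If workstations ask the Windows DNS server and it forwards to BIND, the SonicWall or a public resolver, the upstream logs will show only the Windows server's address, so per-workstation attribution has to come from the logs of the server the workstations talk to directly.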