Re: Protecting bind from DNS cache poisoning!!!
Hi,

Thanks for your valuable suggestions.

> Run an up-to-date version of bind. Be fanatical about applying security
> patches promptly.

Yes, I am running the latest version, Bind-9.7.1-P2.

> Don't allow recursion /at all/ for queries from the general public to your
> authoritative servers, nor permit authoritative servers to send additional
> data from cache.

I am running separate caching and authoritative servers. As suggested by you, I have disabled recursion for the authoritative servers.

> Permit only your trusted clients to make recursive queries through your
> recursive servers.

Yes, in the caching servers I have only enabled recursion for our trusted clients.

> If you have sufficient DNS traffic to warrant it, it is very good to run
> completely separate instances of bind as authoritative and recursive servers
> -- use of virtualization techniques like FreeBSD jails can help reduce
> hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.

> Allow bind to use as wide a range of port numbers as possible for UDP
> traffic.

Yes, this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS traffic
> to come from a limited range of source ports, or blocking large UDP packets
> or EDNS. Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

> Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named. Now named is working with DNSSEC enabled, but I am not able to verify the same. Kindly let me know how we can verify that DNSSEC is enabled and running, from the logs.

Thanks in advance.

Shiva Raman

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Protecting bind from DNS cache poisoning!!!
> > Allow bind to use as wide a range of port numbers as possible for UDP
> > traffic.

On 09.08.10 17:14, Shiva Raman wrote:
> Yes, this is allowed in the firewall.

Note that bind also should not have the port option in the query-source statement.

> > Make sure your firewalls don't do daft things like forcing any DNS traffic
> > to come from a limited range of source ports, or blocking large UDP packets
> > or EDNS. Allow DNS queries over TCP as well as UDP.

> Yes, in the firewall both TCP and UDP DNS queries are allowed.

Allowed is one part; not having broken firewalls that inspect (and break) DNS packets is another one.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
Re: Protecting bind from DNS cache poisoning!!!
> > Allow bind to use as wide a range of port numbers as possible for UDP
> > traffic.
>
> On 09.08.10 17:14, Shiva Raman wrote:
> > Yes, this is allowed in the firewall.
>
> Note that bind also should not have the port option in the query-source
> statement.

In addition, be careful with the use of NAT on your firewall. This will probably unrandomize the port numbers on your outgoing requests.

Ciao,
Wolfgang
-- 
wolfg...@solfrank.net  Wolfgang Solfrank
Re: Protecting bind from DNS cache poisoning!!!
On Mon, 09 Aug 2010 14:08:26 +0200, Wolfgang Solfrank wolfg...@solfrank.net wrote:

> > > Allow bind to use as wide a range of port numbers as possible for UDP
> > > traffic.
> >
> > On 09.08.10 17:14, Shiva Raman wrote:
> > > Yes, this is allowed in the firewall.
> >
> > Note that bind also should not have the port option in the query-source
> > statement.
>
> In addition, be careful with the use of NAT on your firewall. This will
> probably unrandomize the port numbers on your outgoing requests.
>
> Ciao,
> Wolfgang

Port deviation could easily be tested via porttest.dns-oarc.net:

  dig +short @127.0.0.1 porttest.dns-oarc.net txt
  porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
  195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with std dev 19687

Every result other than GREAT should alert you.

Also, to check whether DNSSEC is working or not, send a recursive query to your resolver and check the returned flags for "ad".

  [t...@daddelkiste ~]$ dig +dnssec @127.0.0.1 iis.se a

  ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec @127.0.0.1 iis.se a
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 4096
  ;; QUESTION SECTION:
  ;iis.se.                        IN      A

  ;; ANSWER SECTION:
  iis.se.                 21      IN      A       212.247.7.218
  iis.se.                 21      IN      RRSIG   A 5 2 60 20100815115001 20100805115001 53249 iis.se. pWMYsqufhD4RkHX6IltLOcxMob3rNpc1+UnXZKgOMsO5HgbtIjALoq9+ ReqKziKev3PiEBLNdqrxT95TVlzVb7qgnLmlHABsap7m2uzuHFQKsFmh RGxqpiuzu9bPEIfZKout4TmzILaP1Nua4ntSXyyjS35EUszfX+F/Mqrm fcc=

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Mon Aug  9 14:35:37 2010
  ;; MSG SIZE  rcvd: 217

Ciao
Torsten
Re: Protecting bind from DNS cache poisoning!!!
On Mon, 9 Aug 2010, Shiva Raman wrote:
> I tried implementing dnssec using the following document
> http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

That is rather out of date: it does not cover some important BIND-9.7 DNSSEC validation features, specifically RFC 5011 automatic trust anchor rollover, and it does not explain how to install the root trust anchor. Also you do not need to explicitly turn on DNSSEC validation: it is on by default but only works if you have configured one or more trust anchors.

Here is my recent how-to:
http://fanf.livejournal.com/107310.html

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
NORTH FITZROY SOLE: WEST OR SOUTHWEST, BECOMING CYCLONIC IN SOLE, 4 OR 5, INCREASING 5 TO 7. MODERATE OR ROUGH. RAIN. MODERATE OR GOOD, OCCASIONALLY POOR.
Protecting bind from DNS cache poisoning!!!
Dear All,

I am running Bind caching and bind authoritative servers with the current 9.7 version. I would like to know the steps to be followed to protect bind from DNS cache poisoning. The bind DNS server is running behind the firewall, which allows only DNS queries.

Kindly share your views.

Thanks in advance.

Shiva Raman
Re: Protecting bind from DNS cache poisoning!!!
On 08/08/2010 11:29:52, Shiva Raman wrote:
> I am running Bind caching and bind authoritative servers with current 9.7
> version. I would like to know the steps to be followed to protect bind from
> DNS Cache poisoning. The bind DNS server is running behind the firewall
> which allows only DNS queries.

Run an up-to-date version of bind. Be fanatical about applying security patches promptly.

Don't allow recursion /at all/ for queries from the general public to your authoritative servers, nor permit authoritative servers to send additional data from cache. Permit only your trusted clients to make recursive queries through your recursive servers.

If you have sufficient DNS traffic to warrant it, it is very good to run completely separate instances of bind as authoritative and recursive servers -- use of virtualization techniques like FreeBSD jails can help reduce hardware costs. Otherwise, make use of the views feature to control who may or may not perform recursive queries via your servers.

Allow bind to use as wide a range of port numbers as possible for UDP traffic. Make sure your firewalls don't do daft things like forcing any DNS traffic to come from a limited range of source ports, or blocking large UDP packets or EDNS.

Allow DNS queries over TCP as well as UDP.

Implement DNSSEC.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
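To show what the measures discussed in this thread look like in named.conf, here is an added configuration sketch; it was not posted by anyone in the thread, and the ACL name, addresses, file names and the root-key placeholder are assumptions. It keeps the recursive and authoritative roles in separate instances, omits the port clause from query-source, enables validation with an RFC 5011 managed key, and routes BIND's dnssec logging category to its own file so validation can be seen in the logs.

```conf
// ---- Recursive (caching) instance: /etc/named.recursive.conf ----
// Constructed example. Addresses, ACL name and file names are placeholders.
acl "trusted" { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.53; };
    recursion yes;
    allow-query       { trusted; };   // only our own clients may ask at all
    allow-recursion   { trusted; };   // and only they get recursive service
    allow-query-cache { trusted; };
    // No "port" clause: BIND then picks a random UDP source port per query.
    // Weak (do NOT use):  query-source address * port 53;
    query-source address *;
    dnssec-enable yes;
    dnssec-validation yes;            // only effective with a trust anchor
};

// RFC 5011 trust anchor; replace the placeholder with the real root KSK.
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-PLACEHOLDER>";
};

// Makes validation visible in the logs: BIND's "dnssec" category.
logging {
    channel dnssec_log {
        file "dnssec.log"; severity debug 3; print-time yes;
    };
    category dnssec { dnssec_log; };
};

// ---- Authoritative instance: /etc/named.authoritative.conf ----
options {
    directory "/var/named";
    listen-on port 53 { 198.51.100.53; };
    recursion no;                     // never recurse for anyone
    allow-recursion   { none; };
    allow-query       { any; };       // the world may ask about our zones
    allow-query-cache { none; };
    additional-from-cache no;         // no cached data in additional sections
    additional-from-auth  no;
    minimal-responses yes;
};

zone "example.com" { type master; file "example.com.zone"; };
```

Start each instance with its own configuration file (named -c) so that the two roles never share a cache or a process.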