Secure Bind 9 Example
Bind 9.2.1. example
Since I went on the internet i have always run my own set of
DNS name servers. Handing over the DNS nameservice of your
own domain to a 3rd party, like e.g. some ISP, is the same
as handing out your passport at the Hotel desk when on holiday.
However holidays don't last for ever, and likewise running your
DNS service outdoors with a 3rd party you not really know should
not last longer as your holiday season.
Fred N. van Kempen went even as far to claim that he will not
accept a Internet DSL offering if he is not able to run his
own reverse DNS on the set of ip-numbers which come with
that DSL offering.
And how right on the money he is, as today the MOSSAD and related
secret services have started to harass certain domain names
by subdueing its DNS nameservice.
From email@example.com Fri Nov 22 07:17:41 2002 +0100
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: "Robert M. Stockmann"
Subject: simple bind 9.2.1 example
Content-Type: TEXT/PLAIN; charset=US-ASCII
I just read your article
"Caught in a BIND"
Where you state the following :
"If you're saddled with an old version, take heart. With the latest
security holes, the programs are vulnerable only when acting as
recursive name servers. In brief, this means that the holes only
affect servers that can look up any address on the Internet. Your
name servers should not respond to such requests from external
addresses anyway: to do so opens the door to DNS cache poisoning
attacks. Your name servers should respond only to authoritative
requests from outside your network, and allow recursion only within
Sadly, most BIND configurations will allow recursion from any
address -- that's the default configuration of BIND, another
situation that the Internet Software Consortium should resolve.
When the Internet was designed, nobody imagined swarms of thousands
of six-foot-tall jet-black stealth woodpeckers. Today they're here,
and it's time our architects took the woodpeckers into account."
Well allthough i agree with you, here's a example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure :
Your conclusion which states transitioning to bind 9 is painfull is IMHO
not true, but merely a matter of having accessable documentation with
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
From firstname.lastname@example.org Fri Nov 22 15:40:19 2002
Received: (qmail 4671 invoked from network); 22 Nov 2002 15:40:16 -0000
Received: from leapfrog.baltimorons.org (?fc5qMAgN9hsoYb//m/bihz5waTgrnFjwemail@example.com)
by stock.xs4all.nl with SMTP; 22 Nov 2002 15:40:16 -0000
Received: (from jon@localhost)
by leapfrog.baltimorons.org (8.11.6/8.11.6) id gAMFfnN24404
for firstname.lastname@example.org; Fri, 22 Nov 2002 10:41:49 -0500
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: "J. Lasser"
To: "Robert M. Stockmann"
Subject: Re: simple bind 9.2.1 example
Content-Type: text/plain; charset=us-ascii
X-AntiVirus: scanned for viruses by AMaViS 0.2.2 (http://amavis.org/)
In the wise words of Robert M. Stockmann:
> Your conclusion which states transitioning to bind 9 is painfull is IMHO
> not true, but merely a matter of having accessable documentation with
> usefull examples.
It's painful for ISPs, like the one I worked at with 10,000 zone
records. Each of which was broken.
It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.
Thanks for your note --- it's always good to hear from readers!
Home: email@example.com | Work:firstname.lastname@example.org
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
 DNS and BIND, Fourth Edition
by Paul Albitz (Author), Cricket Liu
Paperback: 622 pages
Publisher: O'Reilly Media, Inc.; 4 edition (April 16, 2001)