This is a discussion on Re: Secure Bind DNS server problem within the Bind Users forums, part of the DNS and Related Forums category.
This is a simpler problem. None of the IP addresses in the complaint is
'trusted'.

Tim Peiffer

acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries. This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    216.229.171.0/24;
    69.28.32.0/20;
    localhost;
};

allow-query {
    // Accept queries from our "trusted" ACL. We will
    // allow anyone to query our master zones below.
    // This prevents us from becoming a free DNS server
    // to the masses.
    trusted;
};

Sam wrote:
> 0.0.0.0/8; <- maybe this is hosing up BIND?
>
> Sam
>
>
> "Arthur Stephens" <astephens@ptera.net> wrote in message
> news:d41kit$1pfg$1@sf1.isc.org...
>
>
>> I am trying to secure my DNS BIND version 9.2.5 servers so I found this
>> template
>>     Secure BIND Template Version 4.8 12 APR 2005
>>     By Rob Thomas, robt at cymru.com
>> After disabling these that complained at startup...
>>
>> //pid-file "/var/named/named.pid";
>> //memstatistics-file "/var/named/named.memstats";
>>
>> I got the server up and running. And successfully tested from inside.
>> But I noticed these in the logs right away.
>>
>> Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns2.ptera.net/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns2.ptera.net/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns.ptera.net/IN' denied
>> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns.ptera.net/IN' denied
>> Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied
>>
>> This was not good. I then tried using tools at http://www.dnsstuff.com/
>>
>> It returned that the DNS server refused to resolve the names. This is
>> bad because it means that people legitimately trying to get to
>> mail.aiin.com etc. couldn't. Just in case here is the db file for aiin.com
>>
>> $ORIGIN .
>> $TTL 86400 ; 1 day
>> aiin.com IN SOA aiin.com. hostmaster.aain.com. (
>>     2004111602 ; serial
>>     10800 ; refresh (3 hours)
>>     3600 ; retry (1 hour)
>>     604800 ; expire (1 week)
>>     86400 ; minimum (1 day)
>>     )
>>     IN NS dns.ptera.net.
>>     IN NS dns2.ptera.net.
>>     IN A 216.255.223.207
>>     IN MX 10 mail.aiin.com.
>> $ORIGIN aiin.com.
>> mail IN A 69.28.41.3
>> www IN A 216.255.223.207
>>
>> As you can see their web server is hosted outside of our network but
>> their mail server is inside of our network. This worked before.
>>
>> Can anyone look at the named.conf file below and tell me where I missed?
>>
>> --
>> Arthur Stephens
>> Senior Sales Technician
>> Ptera Wireless Internet
>> astephens@ptera.net
>> 509-927-Ptera
>>
>> // @(#)named.conf 02 OCT 2001 Rob Thomas robt@cymru.com
>> // Set up our ACLs
>> // In BIND 8, ACL names with quotes were treated as different from
>> // the same name without quotes. In BIND 9, both are treated as
>> // the same.
>> acl "xfer" {
>>     216.229.160.10;
>>     216.229.168.10;
>>     64.35.138.13;
>>     64.35.144.4;
>>     69.28.32.10;
>>     69.28.32.11;
>>     69.28.32.15;
>>     69.28.32.17;
>>     69.28.32.9;
>>     69.28.32.6;
>>     // Allow no transfers. If we have other
>>     // name servers, place them here.
>>     // Note that in the Netherlands, for example,
>>     // the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
>>     // are allowed to perform zone transfers from the domains under .nl. The
>>     // RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
>>     // permit zone transfer requests from 193.0.0.0/23.
>> };
>>
>> acl "trusted" {
>>     // Place our internal and DMZ subnets in here so that
>>     // intranet and DMZ clients may send DNS queries. This
>>     // also prevents outside hosts from using our name server
>>     // as a resolver for other domains.
>>     216.229.171.0/24;
>>     69.28.32.0/20;
>>     localhost;
>> };
>>
>> acl "bogon" {
>>     // Filter out the bogon networks. These are networks
>>     // listed by IANA as test, RFC1918, Multicast, experimental,
>>     // etc. If you see DNS queries or updates with
>>     // a source address within these networks, this is likely
>>     // of malicious origin. CAUTION: If you are using RFC1918
>>     // netblocks on your network, remove those netblocks from
>>     // this list of blackhole ACLs!
>>     0.0.0.0/8;
>>     1.0.0.0/8;
>>     2.0.0.0/8;
>>     5.0.0.0/8;
>>     7.0.0.0/8;
>>     10.0.0.0/8;
>>     23.0.0.0/8;
>>     27.0.0.0/8;
>>     31.0.0.0/8;
>>     36.0.0.0/8;
>>     37.0.0.0/8;
>>     39.0.0.0/8;
>>     42.0.0.0/8;
>>     49.0.0.0/8;
>>     50.0.0.0/8;
>>     74.0.0.0/8;
>>     75.0.0.0/8;
>>     76.0.0.0/8;
>>     77.0.0.0/8;
>>     78.0.0.0/8;
>>     79.0.0.0/8;
>>     89.0.0.0/8;
>>     90.0.0.0/8;
>>     91.0.0.0/8;
>>     92.0.0.0/8;
>>     93.0.0.0/8;
>>     94.0.0.0/8;
>>     95.0.0.0/8;
>>     96.0.0.0/8;
>>     97.0.0.0/8;
>>     98.0.0.0/8;
>>     99.0.0.0/8;
>>     100.0.0.0/8;
>>     101.0.0.0/8;
>>     102.0.0.0/8;
>>     103.0.0.0/8;
>>     104.0.0.0/8;
>>     105.0.0.0/8;
>>     106.0.0.0/8;
>>     107.0.0.0/8;
>>     108.0.0.0/8;
>>     109.0.0.0/8;
>>     110.0.0.0/8;
>>     111.0.0.0/8;
>>     112.0.0.0/8;
>>     113.0.0.0/8;
>>     114.0.0.0/8;
>>     115.0.0.0/8;
>>     116.0.0.0/8;
>>     117.0.0.0/8;
>>     118.0.0.0/8;
>>     119.0.0.0/8;
>>     120.0.0.0/8;
>>     121.0.0.0/8;
>>     122.0.0.0/8;
>>     123.0.0.0/8;
>>     169.254.0.0/16;
>>     172.16.0.0/12;
>>     173.0.0.0/8;
>>     174.0.0.0/8;
>>     175.0.0.0/8;
>>     176.0.0.0/8;
>>     177.0.0.0/8;
>>     178.0.0.0/8;
>>     179.0.0.0/8;
>>     180.0.0.0/8;
>>     181.0.0.0/8;
>>     182.0.0.0/8;
>>     183.0.0.0/8;
>>     184.0.0.0/8;
>>     185.0.0.0/8;
>>     186.0.0.0/8;
>>     187.0.0.0/8;
>>     189.0.0.0/8;
>>     190.0.0.0/8;
>>     192.0.2.0/24;
>>     192.168.0.0/16;
>>     197.0.0.0/8;
>>     223.0.0.0/8;
>>     224.0.0.0/3;
>> };
>>
>>
>> logging {
>>     channel "default_syslog" {
>>         // Send most of the named messages to syslog.
>>         syslog local2;
>>         severity debug;
>>     };
>>
>>     channel audit_log {
>>         // Send the security related messages to a separate file.
>>         file "/var/named/bind/named.log";
>>         severity debug;
>>         print-time yes;
>>     };
>>
>>     category default { default_syslog; };
>>     category general { default_syslog; };
>>     category security { audit_log; default_syslog; };
>>     category config { default_syslog; };
>>     category resolver { audit_log; };
>>     category xfer-in { audit_log; };
>>     category xfer-out { audit_log; };
>>     category notify { audit_log; };
>>     category client { audit_log; };
>>     category network { audit_log; };
>>     category update { audit_log; };
>>     category queries { audit_log; };
>>     category lame-servers { audit_log; };
>> };
>>
>> // Set options for security
>> options {
>>     directory "/var/named";
>>     //pid-file "/var/named/named.pid";
>>     statistics-file "/var/named/named.stats";
>>     //memstatistics-file "/var/named/named.memstats";
>>     dump-file "/var/adm/named.dump";
>>     zone-statistics yes;
>>
>>     // Prevent DoS attacks by generating bogus zone transfer
>>     // requests. This will result in slower updates to the
>>     // slave servers (e.g. they will await the poll interval
>>     // before checking for updates).
>>     notify no;
>>
>>     // Generate more efficient zone transfers. This will place
>>     // multiple DNS records in a DNS message, instead of one per
>>     // DNS message.
>>     transfer-format many-answers;
>>
>>     // Set the maximum zone transfer time to something more
>>     // reasonable. In this case, we state that any zone transfer
>>     // that takes longer than 60 minutes is unlikely to ever
>>     // complete. WARNING: If you have very large zone files,
>>     // adjust this to fit your requirements.
>>     max-transfer-time-in 60;
>>
>>     // We have no dynamic interfaces, so BIND shouldn't need to
>>     // poll for interface state {UP|DOWN}.
>>     interface-interval 0;
>>
>>     allow-transfer {
>>         // Zone transfers limited to members of the
>>         // "xfer" ACL.
>>         xfer;
>>     };
>>
>>     allow-query {
>>         // Accept queries from our "trusted" ACL. We will
>>         // allow anyone to query our master zones below.
>>         // This prevents us from becoming a free DNS server
>>         // to the masses.
>>         trusted;
>>     };
>>
>>     blackhole {
>>         // Deny anything from the bogon networks as
>>         // detailed in the "bogon" ACL.
>>         bogon;
>>     };
>> };
>>
>>
>> view "internal-in" in {
>>     // Our internal (trusted) view. We permit the internal networks
>>     // to freely access this view. We perform recursion for our
>>     // internal hosts, and retrieve data from the cache for them.
>>
>>     match-clients { trusted; };
>>     recursion yes;
>>     additional-from-auth yes;
>>     additional-from-cache yes;
>>
>>     zone "." IN {
>>         type hint;
>>         file "named.ca";
>>     };
>>
>>     zone "localhost" IN {
>>         type master;
>>         file "localhost.zone";
>>         allow-update { none; };
>>     };
>>
>>     zone "0.0.127.in-addr.arpa" in {
>>         // Allow queries for the 127/8 network, but not zone transfers.
>>         // Every name server, both slave and master, will be a master
>>         // for this zone.
>>         type master;
>>         file "named.local";
>>
>>         allow-query {
>>             any;
>>         };
>>
>>         allow-transfer {
>>             none;
>>         };
>>     };
>>
>>     zone "tylite.com" IN {
>>         type master;
>>         file "tylite.com.db";
>>     };
>>
>>     zone "ptera.net" IN {
>>         type master;
>>         file "ptera.net.db";
>>     };
>>
>>     zone "32.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.32.db";
>>     };
>>
>>     zone "33.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.33.db";
>>     };
>>
>>     zone "34.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.34.db";
>>     };
>>
>>     zone "35.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.35.db";
>>     };
>>
>>     zone "36.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.36.db";
>>     };
>>
>>     zone "37.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.37.db";
>>     };
>>
>>     zone "38.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.38.db";
>>     };
>>
>>     zone "39.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.39.db";
>>     };
>>
>>     zone "40.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.40.db";
>>     };
>>
>>     zone "41.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.41.db";
>>     };
>>
>>     zone "42.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.42.db";
>>     };
>>
>>     zone "43.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.43.db";
>>     };
>>
>>     zone "44.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.44.db";
>>     };
>>
>>     zone "45.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.45.db";
>>     };
>>
>>     zone "46.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.46.db";
>>     };
>>
>>     zone "47.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.47.db";
>>     };
>>
>>
>>     zone "172.229.216.in-addr.arpa" IN {
>>         type master;
>>         file "216.229.172.db";
>>     };
>>
>>     zone "birdshield.com" IN {
>>         type master;
>>         file "birdshield.com.db";
>>     };
>>
>>     zone "priorityterabit.com" IN {
>>         type master;
>>         file "priorityterabit.com.db";
>>     };
>>
>>     zone "arthurstephens.com" IN {
>>         type master;
>>         file "arthurstephens.com.db";
>>     };
>>
>>     zone "cvafoundation.org" IN {
>>         type master;
>>         file "cvafoundation.org.db";
>>     };
>>
>>     zone "guitarfranks.com" IN {
>>         type master;
>>         file "guitarfranks.com.db";
>>     };
>>
>>     zone "lwccspokane.org" IN {
>>         type master;
>>         file "lwccspokane.org.db";
>>     };
>>
>>     zone "impactspokane.com" IN {
>>         type master;
>>         file "impactspokane.com.db";
>>     };
>>
>>     zone "tangleheart.com" IN {
>>         type master;
>>         file "tangleheart.com.db";
>>     };
>>
>>     zone "ubergeekinc.com" IN {
>>         type master;
>>         file "ubergeekinc.com.db";
>>     };
>>
>>     zone "aiin.com" IN {
>>         type master;
>>         file "aiin.com.db";
>>     };
>>
>>
>>     zone "spokanewines.com" IN {
>>         type master;
>>         file "spokanewines.com.db";
>>     };
>>
>>     zone "skilltran.net" IN {
>>         type master;
>>         file "skilltran.net.hosts";
>>     };
>>
>>
>> };
>>
>> // Create a view for external DNS clients.
>> view "external-in" in {
>>     // Our external (untrusted) view. We permit any client to access
>>     // portions of this view. We do not perform recursion or cache
>>     // access for hosts using this view.
>>
>>     match-clients { any; };
>>     recursion no;
>>     additional-from-auth no;
>>     additional-from-cache no;
>>
>>     // Link in our zones
>>     zone "." in {
>>         type hint;
>>         file "named.ca";
>>     };
>>
>>     zone "tylite.com" IN {
>>         type master;
>>         file "tylite.com.db";
>>     };
>>
>>     zone "ptera.net" IN {
>>         type master;
>>         file "ptera.net.db";
>>     };
>>
>>     zone "32.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.32.db";
>>     };
>>
>>     zone "33.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.33.db";
>>     };
>>
>>     zone "34.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.34.db";
>>     };
>>
>>     zone "35.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.35.db";
>>     };
>>
>>     zone "36.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.36.db";
>>     };
>>
>>     zone "37.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.37.db";
>>     };
>>
>>     zone "38.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.38.db";
>>     };
>>
>>     zone "39.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.39.db";
>>     };
>>
>>     zone "40.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.40.db";
>>     };
>>
>>     zone "41.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.41.db";
>>     };
>>
>>     zone "42.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.42.db";
>>     };
>>
>>     zone "43.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.43.db";
>>     };
>>
>>     zone "44.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.44.db";
>>     };
>>
>>     zone "45.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.45.db";
>>     };
>>
>>     zone "46.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.46.db";
>>     };
>>
>>     zone "47.28.69.in-addr.arpa" IN {
>>         type master;
>>         file "69.28.47.db";
>>     };
>>
>>
>>     zone "172.229.216.in-addr.arpa" IN {
>>         type master;
>>         file "216.229.172.db";
>>     };
>>
>>     zone "birdshield.com" IN {
>>         type master;
>>         file "birdshield.com.db";
>>     };
>>
>>     zone "priorityterabit.com" IN {
>>         type master;
>>         file "priorityterabit.com.db";
>>     };
>>
>>     zone "arthurstephens.com" IN {
>>         type master;
>>         file "arthurstephens.com.db";
>>     };
>>
>>     zone "cvafoundation.org" IN {
>>         type master;
>>         file "cvafoundation.org.db";
>>     };
>>
>>     zone "guitarfranks.com" IN {
>>         type master;
>>         file "guitarfranks.com.db";
>>     };
>>
>>     zone "lwccspokane.org" IN {
>>         type master;
>>         file "lwccspokane.org.db";
>>     };
>>
>>     zone "impactspokane.com" IN {
>>         type master;
>>         file "impactspokane.com.db";
>>     };
>>
>>     zone "lindarosephoto.com" IN {
>>         type master;
>>         file "lindarosephoto.com.db";
>>     };
>>
>>     zone "tangleheart.com" IN {
>>         type master;
>>         file "tangleheart.com.db";
>>     };
>>
>>     zone "ubergeekinc.com" IN {
>>         type master;
>>         file "ubergeekinc.com.db";
>>     };
>>
>>     zone "aiin.com" IN {
>>         type master;
>>         file "aiin.com.db";
>>     };
>>
>>
>>     zone "spokanewines.com" IN {
>>         type master;
>>         file "spokanewines.com.db";
>>     };
>>
>>     zone "skilltran.net" IN {
>>         type master;
>>         file "skilltran.net.hosts";
>>     };
>>
>>
>> };
>>
>> // Create a view for all clients perusing the CHAOS class.
>> // We allow internal hosts to query our version number.
>> // This is a good idea from a support point of view.
>>
>> view "external-chaos" chaos {
>>     match-clients { any; };
>>     recursion no;
>>
>>     zone "." {
>>         type hint;
>>         file "/dev/null";
>>     };
>>
>>     zone "bind" {
>>         type master;
>>         file "db.bind";
>>
>>         allow-query {
>>             trusted;
>>         };
>>         allow-transfer {
>>             none;
>>         };
>>     };
>>
>>
>> };
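As an added illustration of Tim's point (this is not code from the thread or from the Secure BIND Template), a short Python check that parses the 'query denied' lines Arthur posted and tests each client address against the "trusted" and "bogon" ACLs quoted in his named.conf. The bogon list is a constructed subset of the quoted one, and BIND's `localhost` keyword is approximated as 127.0.0.1.

```python
import ipaddress
import re

# Query-denied lines copied from the named log quoted in the thread.
LOG_LINES = [
    "Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied",
    "Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied",
    "Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied",
]

# The "trusted" ACL as in the quoted named.conf ("localhost" approximated as 127.0.0.1).
TRUSTED = [ipaddress.ip_network(n) for n in ("216.229.171.0/24", "69.28.32.0/20", "127.0.0.1/32")]

# Constructed subset of the quoted "bogon" ACL (the real list has about 80 entries).
BOGON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "74.0.0.0/8", "75.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "197.0.0.0/8", "224.0.0.0/3")]

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query '(?P<qname>[^']+)' denied")

def in_acl(ip, acl):
    """True if ip falls inside any prefix of the ACL (these ACLs hold only permit entries)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)

def classify(line):
    """Explain one 'query denied' line in terms of the two ACLs; None if not a denial line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ip, qname = m.group("ip"), m.group("qname")
    trusted, bogon = in_acl(ip, TRUSTED), in_acl(ip, BOGON)
    if bogon:
        # blackhole {} drops packets before query processing, so a denial line from a
        # bogon source would mean the blackhole is not actually in effect.
        reason = "in bogon ACL: blackhole should have dropped it silently"
    elif trusted:
        reason = "in trusted ACL: allow-query would accept it; look elsewhere"
    else:
        reason = "outside trusted ACL: rejected by global allow-query { trusted; }"
    return {"ip": ip, "qname": qname, "trusted": trusted, "bogon": bogon, "reason": reason}

def summarize(lines):
    """Count how many denial lines fall under each explanation."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r:
            counts[r["reason"]] = counts.get(r["reason"], 0) + 1
    return counts

if __name__ == "__main__":
    for line in LOG_LINES:
        print(classify(line))
```

All three clients fall outside both ACLs, so the options-level `allow-query { trusted; }` is what rejects them, not the bogon blackhole. Since `allow-query` can be set per view or per zone in BIND 9, giving the external view's master zones their own `allow-query { any; };` is the way to make them publicly resolvable as the template's comment intends.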