nixCraft Linux Forum
Linux / UNIX Tech Support Forum

Is my DNS server Safe?
#1
18-04-2009, 05:07 AM
jaysunn

Hello All,

I am a new member to Nixcraft....

However, I am "no newbie" to Linux and UNIX. Today my company lost our main DNS server due to hardware issues. The server is a RHEL 4 server running BIND....

The question that I have is this: I installed and configured a replacement for this system with RHEL5 and BIND version bind-9.2.4-28 today.

The server is querying great. And logs are happy.

The question I have is:


I have heard so much gossip in relation to cache poisoning..... I am nervous that our system is not up to par in regard to an attack.

From a UNIX/Linux expert's opinion, what are the best steps to make sure we are safe?

I was told by our CTO that, because we are running that version of BIND, we are safe.

I am not convinced. Now keep in mind, this system is located at LEVEL3 NYC behind a Tipping Point IPS and a Juniper ISG -1000.

But am I really safe from cache poisoning? Is my server safe?



Please have fun with this!! I would love all your opinions!!!

Jaysunn
#2
18-04-2009, 10:53 AM
nixcraft

Run the following command to see if your DNS server is open to such an attack or not:
Code:
dig +short @YOUR-NS1-SERVER-IP porttest.dns-oarc.net txt
Make sure the following two lines do NOT exist in your named.conf:
Code:
query-source    port 53;
query-source-v6 port 53;
See Find Out If My DNS Server Free From DNS Cache Poisoning Bug Or Not

A few tips to secure named:
  1. Hide the BIND version (see How To Hide BIND DNS Server Version)
  2. Run named in a chrooted jail
  3. Run an updated version (yum update)
  4. Configure TSIG to avoid caching while making zone transfers between your own nameservers (see Restricting zone transfers with IP addresses in BIND DNS Server)
  5. Turn on security logs
  6. Turn on DNS query logging
  7. Configure a firewall to protect named
  8. Run separate DNS servers for external and internal queries with the help of zones
  9. Disable dynamic updates
__________________
Vivek Gite
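The two checks in the post above (the porttest grade and the query-source lines in named.conf) can be scripted. The script below is an added example, not part of the original thread and not BIND's own tooling. It audits two constructed named.conf files, one with the fixed source port and one hardened along the lines of the tip list (version hidden, transfers restricted to a TSIG key, recursion limited to an internal ACL, dynamic updates disabled), and parses a porttest TXT verdict offline so it needs no network. The file names, ACL and key names, the key secret, the 192.0.2.53 address and the POOR sample string are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread, not BIND's own tooling):
# audit a named.conf for the fixed query-source port that defeats BIND's
# source-port randomization, check whether the version string is hidden,
# and read the grade out of a porttest.dns-oarc.net TXT answer offline.
# All file names, ACL/key names, the key secret, the 192.0.2.53 address
# and the sample TXT strings below are constructed for this demo.

DEMO_DIR="${TMPDIR:-/tmp}/named-audit-demo.$$"
mkdir -p "$DEMO_DIR"
trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CONF="$DEMO_DIR/named.conf.weak"
HARDENED_CONF="$DEMO_DIR/named.conf.hardened"

# Constructed config with the setting the post warns about: every outbound
# query leaves from port 53, so a spoofer only has to guess the 16-bit
# transaction ID instead of the ID plus a random source port.
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    query-source    port 53;
    query-source-v6 port 53;
    allow-transfer { any; };
};
EOF

# Constructed hardened config following the tip list: no fixed port,
# version hidden, zone transfers only with a TSIG key, recursion only for
# internal clients, dynamic updates off. The secret is a demo value.
cat > "$HARDENED_CONF" <<'EOF'
acl internal { 10.0.0.0/8; 127.0.0.1; };
key "ns2-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHk=";
};
options {
    directory "/var/named";
    version "none";
    // query-source port 53;   (left commented out on purpose)
    allow-recursion { internal; };
    allow-transfer { key "ns2-key"; };
    allow-update { none; };
};
EOF

# Drop // and # comments, then match query-source or query-source-v6 with
# a numeric port. "port *" (let BIND pick a random port) is deliberately
# not matched. Prints "fixed" when the dangerous setting is active,
# "random" otherwise.
audit_query_source() {
    if sed -e 's|//.*$||' -e 's|#.*$||' "$1" |
        grep -Eq 'query-source(-v6)?[[:space:]]+([^;]*[[:space:]])?port[[:space:]]+[0-9]+[[:space:]]*;'
    then
        echo fixed
    else
        echo random
    fi
}

# Tip 1 from the post: prints "yes" if the options block hides the version.
version_hidden() {
    if sed -e 's|//.*$||' -e 's|#.*$||' "$1" |
        grep -Eq 'version[[:space:]]+"none"[[:space:]]*;'
    then
        echo yes
    else
        echo no
    fi
}

# Extract the grade word (GREAT, GOOD, FAIR or POOR) from a porttest TXT
# answer like the one posted in the thread; works with or without the
# quotes dig prints around the string.
porttest_verdict() {
    printf '%s\n' "$1" | sed -n 's/.* is \([A-Z]*\):.*/\1/p'
}

# Constructed sample answers: a randomizing resolver and a pinned one.
GREAT_TXT='"192.0.2.53 is GREAT: 26 queries in 1.9 seconds from 26 ports with std dev 17681"'
POOR_TXT='"192.0.2.53 is POOR: 26 queries in 1.3 seconds from 1 ports with std dev 0"'

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s: query-source port=%s version hidden=%s\n' \
        "$conf" "$(audit_query_source "$conf")" "$(version_hidden "$conf")"
done
printf 'porttest grade: %s / %s\n' \
    "$(porttest_verdict "$GREAT_TXT")" "$(porttest_verdict "$POOR_TXT")"
```

To check a live server, point audit_query_source at the real /etc/named.conf (or the copy under the chroot, if tip 2 is in use) and feed porttest_verdict the TXT string returned by the dig command in the post. A clean named.conf is not the whole story: a NAT device or firewall in front of the server that rewrites outbound source ports into a small or sequential range undoes BIND's randomization, and only the outside-in porttest check catches that, which is why both checks belong together.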
#3
18-04-2009, 08:32 PM
jaysunn

shine:~ jasonralph$ dig +short @xxx.xxx.xxx.xxx porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"xxx.xxx.xxx.xxx is GREAT: 26 queries in 1.9 seconds from 26 ports with std dev 17681"
shine:~ jasonralph$



Also, I have confirmed that both those lines did not exist in my named.conf.

Thanks,
I am still working on the rest of your advice.

Jaysunn

Tags
bind , bind chroot , bind security , bind9 , linux , named , rhel bind


©2005-2010 nixCraft. All rights reserved