Security Forums

Bind / named security

chris
Joined: 18 Apr 2002
Posted: Mon Jan 06, 2003 12:40 am    Post subject: Bind / named security

• Zone transfers should only be permitted by master name servers to update the zone
(domain) information in their slave servers. Failure to do so may result in IP numbers and
hostnames being revealed to unauthorized users. Restrict queries to only public domains.
Suitable for name servers with both public and private zones.


// Allow transfer only to our slave name server. Allow queries
// only by hosts in the 192.168.1.0 network.
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { 192.168.1.0/24; };
};

• Deny and log queries for our version number except from the local host. The ability to
determine the BIND version enables an attacker to find the corresponding exploit for that
version.


// Disable the ability to determine the version of BIND running:
// serve the CHAOS-class "bind" zone ourselves, with no version.bind
// record, and refuse queries for it from anyone but the local host.
zone "bind" chaos {
    type master;
    file "master/bind";
    allow-query { localhost; };
};


The ./master/bind file should then contain:

$TTL 1d
@   CHAOS SOA localhost. root.localhost. (
            1    ; serial
            3H   ; refresh
            15M  ; retry
            1W   ; expire
            1D ) ; minimum
    CHAOS NS  localhost.

• Control which interfaces named listens on. Restricting the interfaces on which named
runs can limit the exposure to only the necessary networks.
// Inside the options statement: listen only on the internal interface.
options {
    listen-on { 192.168.1.1; };
};

• Use Access Control Lists to classify groups of hosts with differing degrees of trust. The
“internal” ACL label might be used to describe internal hosts that are permitted a greater
degree of access to the information than other hosts might be. Before it can be used it
must be defined:

acl "internal" {
    192.168.1.0/24; 192.168.2.11;
};

It can then be used in “zone” statements or the main “options” statement:
zone "inside.mynet.com" {
    type master;
    file "master/inside.mynet.com";
    allow-query { "internal"; };
};

• Configure BIND to run as a normal user. Once BIND has been started, it has the ability
to relinquish its privileges, and run as a user with limited abilities instead of root.
# groupadd -r named
# useradd -M -r -d /var/named -s /bin/false -g named named

This account should be used for nothing other than running the name server. Ensure the
zone files are readable by the named user. It is then necessary to modify the default
named init script, typically found in /etc/rc.d/init.d/named on Red Hat or
/etc/init.d/named on Debian:
# BIND 8: -g sets the group named runs as. With BIND 9, -g instead means
# "stay in the foreground", so use only -u named there; named then drops
# to that user's primary group.
/usr/sbin/named -u named -g named

It is also possible to run named in a “chroot jail” which helps to restrict the damage that
can be done should named be subverted.
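The following audit script is an added example and is not part of the post above, nor BIND's own tooling. It scans a named.conf-style text (two constructed sample configurations are embedded) for the controls the post lists, zone-level or global allow-transfer and allow-query on master zones, a listen-on in options, and the CHAOS-class "bind" zone, and reports which are missing. The statement tokeniser is deliberately minimal (brace matching after comment stripping), not a full BIND configuration parser.

```python
"""Audit a BIND named.conf for the hardening points listed in the post.

Added example, not BIND's own tooling: it finds the top-level `options`,
`acl` and `zone` statements by brace matching and reports missing controls.
"""
import re


def strip_comments(text):
    """Remove BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def top_level_statements(text):
    """Yield (header, body) for every top-level `header { body };`."""
    i, n = 0, len(text)
    while True:
        j = text.find("{", i)
        if j == -1:
            return
        header = text[i:j].strip().lstrip(";").strip()
        depth, k = 1, j + 1
        while k < n and depth:           # find the matching closing brace
            if text[k] == "{":
                depth += 1
            elif text[k] == "}":
                depth -= 1
            k += 1
        yield header, text[j + 1:k - 1]
        i = k


def has_clause(body, name):
    """True when a `name ...;` clause appears anywhere in the body."""
    return re.search(r"\b" + re.escape(name) + r"\b", body) is not None


def allows_any(body, name):
    """True when `name { any; };` appears, i.e. the control is explicitly open."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    return m is not None and "any" in [t.strip() for t in m.group(1).split(";")]


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings, options, zones = [], "", []
    for header, body in top_level_statements(strip_comments(conf)):
        words = header.split()
        if not words:
            continue
        if words[0] == "options":
            options = body
        elif words[0] == "zone" and len(words) >= 2:
            name = words[1].strip('"')
            cls = words[2].lower() if len(words) > 2 else "in"
            zones.append((name, cls, body))

    if not has_clause(options, "listen-on"):
        findings.append("options: no listen-on, named will listen on every interface")
    if allows_any(options, "allow-transfer"):
        findings.append("options: allow-transfer { any; } opens every zone to AXFR")
    if not any(n == "bind" and c == "chaos" for n, c, _ in zones):
        findings.append('no zone "bind" chaos: version.bind is answered for anyone')

    for name, cls, body in zones:
        if cls != "in" or not re.search(r"\btype\s+master\b", body):
            continue                     # only IN-class master zones carry data to protect
        if not has_clause(body, "allow-transfer") and not has_clause(options, "allow-transfer"):
            findings.append(f'zone "{name}": no allow-transfer, AXFR open to any host')
        elif allows_any(body, "allow-transfer"):
            findings.append(f'zone "{name}": allow-transfer {{ any; }}')
        if not has_clause(body, "allow-query") and not has_clause(options, "allow-query"):
            findings.append(f'zone "{name}": no allow-query, zone readable by any host')
    return findings


# Constructed sample: only the first zone is locked down, no options block.
WEAK_CONF = """\
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { 192.168.1.0/24; };
};
zone "inside.mynet.com" {
    type master;
    file "master/inside.mynet.com";
};
"""

# Constructed sample applying every measure from the post.
HARDENED_CONF = """\
options {
    directory "/var/named";
    listen-on { 192.168.1.1; };
    allow-transfer { none; };  /* zones override this where needed */
};
acl "internal" { 192.168.1.0/24; 192.168.2.11; };
zone "bind" chaos { type master; file "master/bind"; allow-query { localhost; }; };
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer { 192.168.1.6; };
    allow-query { "internal"; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

Run as a script it prints four findings for the weak configuration and "ok" for the hardened one; `audit()` can equally be fed the text of a real named.conf. Note that a global allow-transfer in options is taken as covering every zone, which matches BIND's inheritance, so the script only flags a zone that has neither its own clause nor a global one.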