Secure Bind DNS server problem

Sam Sam at MrNorris.com
Wed Apr 20 14:28:04 UTC 2005


0.0.0.0/8; <- maybe this is hosing up BIND?

Sam


"Arthur Stephens" <astephens at ptera.net> wrote in message 
news:d41kit$1pfg$1 at sf1.isc.org...
>I am trying to secure my DNS BIND version 9.2.5 servers so I found this
> template
>    Secure BIND Template Version 4.8 12 APR 2005
>    By Rob Thomas, robt at cymru.com
> After disabling these that complained at startup...
>
> //pid-file "/var/named/named.pid";
> //memstatistics-file "/var/named/named.memstats";
>
> I got the server up and running. And successfully tested from inside.
> But I noticed these in the logs right away.
>
> Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
> 'ptera.net/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'mail.aiin.com/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'mail.aiin.com/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'dns2.ptera.net/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'dns2.ptera.net/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'dns.ptera.net/IN' denied
> Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
> 'dns.ptera.net/IN' denied
> Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query
> 'aiin.com/IN' denied
>
> This was not good. I then tried using tools at http://www.dnsstuff.com/
>
> It returned that the DNS server refused to resolve the names. This is
> bad because it means that people legitimately trying to get to
> mail.aiin.com etc. couldn't. Just in case here is the db file for aiin.com
>
> $ORIGIN .
> $TTL 86400    ; 1 day
> aiin.com        IN SOA    aiin.com. hostmaster.aain.com. (
>                2004111602 ; serial
>                10800      ; refresh (3 hours)
>                3600       ; retry (1 hour)
>                604800     ; expire (1 week)
>                86400      ; minimum (1 day)
>                )
>            IN NS    dns.ptera.net.
>            IN NS    dns2.ptera.net.
>            IN A    216.255.223.207
>            IN MX    10 mail.aiin.com.
> $ORIGIN aiin.com.
> mail            IN A    69.28.41.3
> www            IN A    216.255.223.207
>
> As you can see their web server is hosted outside of our network but
> their mail server is inside of our network. This worked before.
>
> Can anyone look at the named.conf file below and tell me where I missed?
>
> -- 
> Arthur Stephens
> Senior Sales Technician
> Ptera Wireless Internet
> astephens at ptera.net
> 509-927-Ptera
>
> // @(#)named.conf 02 OCT 2001 Rob Thomas robt at cymru.com
> // Set up our ACLs
> // In BIND 8, ACL names with quotes were treated as different from
> // the same name without quotes. In BIND 9, both are treated as
> // the same.
> acl "xfer" {
> 216.229.160.10;
> 216.229.168.10;
> 64.35.138.13;
> 64.35.144.4;
> 69.28.32.10;
> 69.28.32.11;
> 69.28.32.15;
> 69.28.32.17;
> 69.28.32.9;
> 69.28.32.6;
> // Allow no transfers. If we have other
> // name servers, place them here.
> // Note that in the Netherlands, for example,
> // the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
> // are allowed to perform zone transfers from the domains under .nl. The
> // RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
> // permit zone transfer requests from 193.0.0.0/23.
> };
>
> acl "trusted" {
>
>
> // Place our internal and DMZ subnets in here so that
> // intranet and DMZ clients may send DNS queries. This
> // also prevents outside hosts from using our name server
> // as a resolver for other domains.
> 216.229.171.0/24;
> 69.28.32.0/20;
> localhost;
>
>
> };
>
> acl "bogon" {
> // Filter out the bogon networks. These are networks
> // listed by IANA as test, RFC1918, Multicast, experi-
> // mental, etc. If you see DNS queries or updates with
> // a source address within these networks, this is likely
> // of malicious origin. CAUTION: If you are using RFC1918
> // netblocks on your network, remove those netblocks from
> // this list of blackhole ACLs!
> 0.0.0.0/8;
> 1.0.0.0/8;
> 2.0.0.0/8;
> 5.0.0.0/8;
> 7.0.0.0/8;
> 10.0.0.0/8;
> 23.0.0.0/8;
> 27.0.0.0/8;
> 31.0.0.0/8;
> 36.0.0.0/8;
> 37.0.0.0/8;
> 39.0.0.0/8;
> 42.0.0.0/8;
> 49.0.0.0/8;
> 50.0.0.0/8;
> 74.0.0.0/8;
> 75.0.0.0/8;
> 76.0.0.0/8;
> 77.0.0.0/8;
> 78.0.0.0/8;
> 79.0.0.0/8;
> 89.0.0.0/8;
> 90.0.0.0/8;
> 91.0.0.0/8;
> 92.0.0.0/8;
> 93.0.0.0/8;
> 94.0.0.0/8;
> 95.0.0.0/8;
> 96.0.0.0/8;
> 97.0.0.0/8;
> 98.0.0.0/8;
> 99.0.0.0/8;
> 100.0.0.0/8;
> 101.0.0.0/8;
> 102.0.0.0/8;
> 103.0.0.0/8;
> 104.0.0.0/8;
> 105.0.0.0/8;
> 106.0.0.0/8;
> 107.0.0.0/8;
> 108.0.0.0/8;
> 109.0.0.0/8;
> 110.0.0.0/8;
> 111.0.0.0/8;
> 112.0.0.0/8;
> 113.0.0.0/8;
> 114.0.0.0/8;
> 115.0.0.0/8;
> 116.0.0.0/8;
> 117.0.0.0/8;
> 118.0.0.0/8;
> 119.0.0.0/8;
> 120.0.0.0/8;
> 121.0.0.0/8;
> 122.0.0.0/8;
> 123.0.0.0/8;
> 169.254.0.0/16;
> 172.16.0.0/12;
> 173.0.0.0/8;
> 174.0.0.0/8;
> 175.0.0.0/8;
> 176.0.0.0/8;
> 177.0.0.0/8;
> 178.0.0.0/8;
> 179.0.0.0/8;
> 180.0.0.0/8;
> 181.0.0.0/8;
> 182.0.0.0/8;
> 183.0.0.0/8;
> 184.0.0.0/8;
> 185.0.0.0/8;
> 186.0.0.0/8;
> 187.0.0.0/8;
> 189.0.0.0/8;
> 190.0.0.0/8;
> 192.0.2.0/24;
> 192.168.0.0/16;
> 197.0.0.0/8;
> 223.0.0.0/8;
> 224.0.0.0/3;
> };
>
>
> logging {
>
>
> channel "default_syslog" {
> // Send most of the named messages to syslog.
> syslog local2;
> severity debug;
> };
>
> channel audit_log {
> // Send the security related messages to a separate file.
> file "/var/named/bind/named.log";
> severity debug;
> print-time yes;
> };
>
> category default { default_syslog; };
> category general { default_syslog; };
> category security { audit_log; default_syslog; };
> category config { default_syslog; };
> category resolver { audit_log; };
> category xfer-in { audit_log; };
> category xfer-out { audit_log; };
> category notify { audit_log; };
> category client { audit_log; };
> category network { audit_log; };
> category update { audit_log; };
> category queries { audit_log; };
> category lame-servers { audit_log; };
>
>
> };
>
> // Set options for security
> options {
> directory "/var/named";
> //pid-file "/var/named/named.pid";
> statistics-file "/var/named/named.stats";
> //memstatistics-file "/var/named/named.memstats";
> dump-file "/var/adm/named.dump";
> zone-statistics yes;
>
> // Prevent DoS attacks by generating bogus zone transfer
> // requests. This will result in slower updates to the
> // slave servers (e.g. they will await the poll interval
> // before checking for updates).
> notify no;
>
> // Generate more efficient zone transfers. This will place
> // multiple DNS records in a DNS message, instead of one per
> // DNS message.
> transfer-format many-answers;
>
> // Set the maximum zone transfer time to something more
> // reasonable. In this case, we state that any zone transfer
> // that takes longer than 60 minutes is unlikely to ever
> // complete. WARNING: If you have very large zone files,
> // adjust this to fit your requirements.
> max-transfer-time-in 60;
>
> // We have no dynamic interfaces, so BIND shouldn't need to
> // poll for interface state {UP|DOWN}.
> interface-interval 0;
>
> allow-transfer {
> // Zone transfers limited to members of the
> // "xfer" ACL.
> xfer;
> };
>
> allow-query {
> // Accept queries from our "trusted" ACL. We will
> // allow anyone to query our master zones below.
> // This prevents us from becoming a free DNS server
> // to the masses.
> trusted;
> };
>
> blackhole {
> // Deny anything from the bogon networks as
> // detailed in the "bogon" ACL.
> bogon;
> };
> };
>
>
> view "internal-in" in {
> // Our internal (trusted) view. We permit the internal networks
> // to freely access this view. We perform recursion for our
> // internal hosts, and retrieve data from the cache for them.
>
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> zone "localhost" IN {
> type master;
> file "localhost.zone";
> allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" in {
> // Allow queries for the 127/8 network, but not zone transfers.
> // Every name server, both slave and master, will be a master
> // for this zone.
> type master;
> file "named.local";
>
> allow-query {
> any;
> };
>
> allow-transfer {
> none;
> };
> };
>
> zone "tylite.com" IN {
> type master;
> file "tylite.com.db";
> };
>
> zone "ptera.net" IN {
> type master;
> file "ptera.net.db";
> };
>
> zone "32.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.32.db";
> };
>
> zone "33.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.33.db";
> };
> zone "34.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.34.db";
> };
>
> zone "35.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.35.db";
> };
>
> zone "36.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.36.db";
> };
>
> zone "37.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.37.db";
> };
>
> zone "38.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.38.db";
> };
>
> zone "39.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.39.db";
> };
>
> zone "40.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.40.db";
> };
>
> zone "41.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.41.db";
> };
>
> zone "42.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.42.db";
> };
>
> zone "43.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.43.db";
> };
>
> zone "44.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.44.db";
> };
>
> zone "45.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.45.db";
> };
>
> zone "46.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.46.db";
> };
>
> zone "47.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.47.db";
> };
>
>
> zone "172.229.216.in-addr.arpa" IN {
> type master;
> file "216.229.172.db";
> };
>
> zone "birdshield.com" IN {
> type master;
> file "birdshield.com.db";
> };
>
> zone "priorityterabit.com" IN {
> type master;
> file "priorityterabit.com.db";
> };
>
> zone "arthurstephens.com" IN {
> type master;
> file "arthurstephens.com.db";
> };
>
> zone "cvafoundation.org" IN {
> type master;
> file "cvafoundation.org.db";
> };
>
> zone "guitarfranks.com" IN {
> type master;
> file "guitarfranks.com.db";
> };
>
> zone "lwccspokane.org" IN {
> type master;
> file "lwccspokane.org.db";
> };
>
> zone "impactspokane.com" IN {
> type master;
> file "impactspokane.com.db";
> };
>
> zone "tangleheart.com" IN {
> type master;
> file "tangleheart.com.db";
> };
>
> zone "ubergeekinc.com" IN {
> type master;
> file "ubergeekinc.com.db";
> };
>
> zone "aiin.com" IN {
> type master;
> file "aiin.com.db";
> };
>
>
> zone "spokanewines.com" IN {
> type master;
> file "spokanewines.com.db";
> };
>
> zone "skilltran.net" IN {
> type master;
> file "skilltran.net.hosts";
> };
>
>
> };
>
> // Create a view for external DNS clients.
> view "external-in" in {
> // Our external (untrusted) view. We permit any client to access
> // portions of this view. We do not perform recursion or cache
> // access for hosts using this view.
>
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> // Link in our zones
> zone "." in {
> type hint;
> file "named.ca";
> };
>
> zone "tylite.com" IN {
> type master;
> file "tylite.com.db";
> };
>
> zone "ptera.net" IN {
> type master;
> file "ptera.net.db";
> };
>
> zone "32.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.32.db";
> };
>
> zone "33.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.33.db";
> };
> zone "34.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.34.db";
> };
>
> zone "35.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.35.db";
> };
>
> zone "36.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.36.db";
> };
>
> zone "37.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.37.db";
> };
>
> zone "38.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.38.db";
> };
>
> zone "39.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.39.db";
> };
>
> zone "40.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.40.db";
> };
>
> zone "41.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.41.db";
> };
>
> zone "42.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.42.db";
> };
>
> zone "43.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.43.db";
> };
>
> zone "44.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.44.db";
> };
>
> zone "45.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.45.db";
> };
>
> zone "46.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.46.db";
> };
>
> zone "47.28.69.in-addr.arpa" IN {
> type master;
> file "69.28.47.db";
> };
>
>
> zone "172.229.216.in-addr.arpa" IN {
> type master;
> file "216.229.172.db";
> };
>
> zone "birdshield.com" IN {
> type master;
> file "birdshield.com.db";
> };
>
> zone "priorityterabit.com" IN {
> type master;
> file "priorityterabit.com.db";
> };
>
> zone "arthurstephens.com" IN {
> type master;
> file "arthurstephens.com.db";
> };
>
> zone "cvafoundation.org" IN {
> type master;
> file "cvafoundation.org.db";
> };
>
> zone "guitarfranks.com" IN {
> type master;
> file "guitarfranks.com.db";
> };
>
> zone "lwccspokane.org" IN {
> type master;
> file "lwccspokane.org.db";
> };
>
> zone "impactspokane.com" IN {
> type master;
> file "impactspokane.com.db";
> };
>
> zone "lindarosephoto.com" IN {
> type master;
> file "lindarosephoto.com.db";
> };
>
> zone "tangleheart.com" IN {
> type master;
> file "tangleheart.com.db";
> };
>
> zone "ubergeekinc.com" IN {
> type master;
> file "ubergeekinc.com.db";
> };
>
> zone "aiin.com" IN {
> type master;
> file "aiin.com.db";
> };
>
>
> zone "spokanewines.com" IN {
> type master;
> file "spokanewines.com.db";
> };
>
> zone "skilltran.net" IN {
> type master;
> file "skilltran.net.hosts";
> };
>
>
> };
>
> // Create a view for all clients perusing the CHAOS class.
> // We allow internal hosts to query our version number.
> // This is a good idea from a support point of view.
>
> view "external-chaos" chaos {
> match-clients { any; };
> recursion no;
>
> zone "." {
> type hint;
> file "/dev/null";
> };
>
> zone "bind" {
> type master;
> file "db.bind";
>
> allow-query {
> trusted;
> };
> allow-transfer {
> none;
> };
> };
>
>
> };
>
>
> 
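Where the posted named.conf goes wrong, shown as an added example rather than the poster's file or Rob Thomas's template. The template's own comment in options says "We will allow anyone to query our master zones below", but nothing below does so: "allow-query { trusted; };" in options is the default for every zone in every view that does not set its own allow-query, and none of the master zones in the external-in view override it, so an outside client asking for aiin.com or ptera.net is refused and named logs "query ... denied". The blackhole list is not the mechanism here: 71.4.246.96, 195.49.141.22 and 67.19.0.13 are not in the bogon ACL, and a blackholed packet is dropped without a log entry, whereas these queries reached the allow-query check. Only the parts that change are shown; the zone names are the post's, everything else is assumed.

```conf
// Added example, not the poster's named.conf or the Cymru template.
// Only the parts that change are shown; the rest of the posted file stays.

options {
    // Global default. It is inherited by every zone in every view that
    // does not set its own allow-query, which is why outside clients were
    // refused even for zones this server is the master for.
    allow-query { trusted; };
    blackhole { bogon; };
};

view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    // The hint zone keeps the global default, so outsiders asking for
    // names outside our zones are still refused rather than handed a
    // referral to the roots.
    zone "." in {
        type hint;
        file "named.ca";
    };

    // Every master zone in this view overrides the default. This is the
    // "allow anyone to query our master zones" the options comment promises.
    zone "ptera.net" IN {
        type master;
        file "ptera.net.db";
        allow-query { any; };
    };

    zone "aiin.com" IN {
        type master;
        file "aiin.com.db";
        allow-query { any; };
    };

    // ... add the same allow-query line to each remaining master zone in
    // this view, the in-addr.arpa zones included; leave the internal-in
    // view as it is, since "trusted" is the right default there.
};
```

Check the file with named-checkconf before reloading, then from a host outside the trusted ACL run "dig @dns.ptera.net aiin.com MX +norecurse": it should come back NOERROR with the mail.aiin.com MX instead of REFUSED. In the same session "dig @dns.ptera.net www.example.com" should still be refused, which confirms the server is not an open resolver. A single "allow-query { any; };" at the external-in view level would also clear the symptom, but it opens the hint zone as well, so the per-zone form is the tighter one. The bogon ACL is a separate point: it is a static list of unallocated /8s, and blocks in it are being allocated to the RIRs over time, so it needs refreshing from the source the template names or legitimate clients will start being dropped silently.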


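A triage helper for the "query ... denied" lines, added here as an example; it is not the poster's code and not part of BIND. It pulls the master zones out of named.conf text, decides whether each refused client sits inside the post's "trusted" ACL, and sorts the denials into the three cases that matter: a trusted client refused (match-clients or the internal view is wrong), an outsider refused for a zone we are master for (the inherited allow-query default), and an outsider refused for somebody else's name (the intended refusal to act as a resolver). The log lines and the named.conf fragment are constructed from the addresses and zones quoted in the post, plus one made-up outside client (198.51.100.7 asking for www.example.com) and one made-up inside client (69.28.41.3) so that every branch is exercised.

```python
"""Sort BIND 'query ... denied' log lines by what they mean for the config.

Added example for this thread; not code from the original post or from BIND.
The sample log and named.conf fragment are constructed from values quoted in
the post, with two made-up clients added to cover every branch.
"""
import ipaddress
import re

# Matches BIND 9 syslog lines such as:
#   Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query '(?P<qname>[^/']+)/(?P<qclass>[A-Z]+)' denied"
)

# Matches zone clauses whose first statement (after optional // comments) is
# "type master"; hint and slave zones are deliberately left out.
ZONE_RE = re.compile(
    r'zone\s+"(?P<name>[^"]+)"\s+(?:in\s+)?\{(?:\s*//[^\n]*\n)*\s*type\s+master\s*;',
    re.IGNORECASE,
)

# Networks from the post's "trusted" ACL; "localhost" expanded to 127.0.0.0/8.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("216.229.171.0/24", "69.28.32.0/20", "127.0.0.0/8")]


def parse_denied(line):
    """Fields of a 'query ... denied' line, or None for any other line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["qname"] = d["qname"].rstrip(".").lower()
    return d


def authoritative_zones(named_conf):
    """Zone names the config declares as 'type master'."""
    return {m.group("name").rstrip(".").lower() for m in ZONE_RE.finditer(named_conf)}


def zone_for(qname, zones):
    """Longest master zone that qname falls under, or None if it is not ours."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def classify(entry, zones, trusted=TRUSTED):
    """One of three buckets; see triage() for what each one means."""
    ip = ipaddress.ip_address(entry["ip"])
    if any(ip in net for net in trusted):
        return "trusted-client-refused"       # internal view / match-clients problem
    if zone_for(entry["qname"], zones):
        return "authoritative-zone-refused"   # allow-query default leaking into the external view
    return "resolver-use-refused"             # intended: we are not an open resolver


def triage(log_lines, named_conf):
    """Map each bucket to the (client ip, qname) pairs that fell into it."""
    zones = authoritative_zones(named_conf)
    report = {"trusted-client-refused": [], "authoritative-zone-refused": [],
              "resolver-use-refused": []}
    for line in log_lines:
        entry = parse_denied(line)
        if entry:
            report[classify(entry, zones)].append((entry["ip"], entry["qname"]))
    return report


# Constructed sample data (values from the post plus two made-up clients).
SAMPLE_LOG = [
    "Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied",
    "Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied",
    "Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns2.ptera.net/IN' denied",
    "Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied",
    "Apr 18 13:47:02 daffy named[24498]: client 198.51.100.7#1234: query 'www.example.com/IN' denied",
    "Apr 18 13:47:10 daffy named[24498]: client 69.28.41.3#4242: query 'mail.aiin.com/IN' denied",
    "Apr 18 13:47:11 daffy named[24498]: zone aiin.com/IN: loaded serial 2004111602",
]
SAMPLE_CONF = '''
view "external-in" in {
    match-clients { any; };
    recursion no;
    zone "." in { type hint; file "named.ca"; };
    zone "ptera.net" IN { type master; file "ptera.net.db"; };
    zone "aiin.com" IN { type master; file "aiin.com.db"; };
    zone "41.28.69.in-addr.arpa" IN {
        // comment before the type statement, as in the posted file
        type master; file "69.28.41.db";
    };
};
'''

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print(bucket)
        for ip, qname in hits:
            print("   ", ip, qname)
```

Run it against the real syslog output and the live named.conf; anything in "authoritative-zone-refused" is a zone whose allow-query is being inherited from options, anything in "trusted-client-refused" means the ACL or view matching is wrong, and "resolver-use-refused" is the noise you want to keep seeing.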
