Secure Bind DNS server problem

joe joe at telepacific.net
Thu Apr 21 00:24:47 UTC 2005


Tim Peiffer wrote:

This is a simpler problem. None of the IP addresses in the complaint is 'trusted'.

Tim Peiffer

    acl "trusted" {
        // Place our internal and DMZ subnets in here so that
        // intranet and DMZ clients may send DNS queries. This
        // also prevents outside hosts from using our name server
        // as a resolver for other domains.
        216.229.171.0/24;
        69.28.32.0/20;
        localhost;
    };

    allow-query {
        // Accept queries from our "trusted" ACL. We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };

Sam wrote:

    0.0.0.0/8;    <- maybe this is hosing up BIND?

Sam

"Arthur Stephens" <astephens at ptera.net> wrote in message news:d41kit$1pfg$1 at sf1.isc.org...

I am trying to secure my DNS BIND version 9.2.5 servers, so I found this template:

    Secure BIND Template Version 4.8  12 APR 2005  By Rob Thomas, robt at cymru.com

After disabling these that complained at startup...

    //pid-file "/var/named/named.pid";
    //memstatistics-file "/var/named/named.memstats";

I got the server up and running, and successfully tested from inside. But I noticed these in the logs right away:

    Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns2.ptera.net/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns2.ptera.net/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns.ptera.net/IN' denied
    Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'dns.ptera.net/IN' denied
    Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied

This was not good. I then tried using the tools at http://www.dnsstuff.com/ and it returned that the DNS server refused to resolve the names. This is bad because it means that people legitimately trying to get to mail.aiin.com etc. couldn't.

Just in case, here is the db file for aiin.com:

    $ORIGIN .
    $TTL 86400      ; 1 day
    aiin.com        IN SOA  aiin.com. hostmaster.aain.com. (
                            2004111602 ; serial
                            10800      ; refresh (3 hours)
                            3600       ; retry (1 hour)
                            604800     ; expire (1 week)
                            86400      ; minimum (1 day)
                            )
                    IN NS   dns.ptera.net.
                    IN NS   dns2.ptera.net.
                    IN A    216.255.223.207
                    IN MX   10 mail.aiin.com.
    $ORIGIN aiin.com.
    mail            IN A    69.28.41.3
    www             IN A    216.255.223.207

As you can see, their web server is hosted outside of our network but their mail server is inside of our network. This worked before. Can anyone look at the named.conf file below and tell me where I missed?

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera

    // @(#)named.conf  02 OCT 2001  Rob Thomas  robt at cymru.com

    // Set up our ACLs
    // In BIND 8, ACL names with quotes were treated as different from
    // the same name without quotes. In BIND 9, both are treated as
    // the same.
    acl "xfer" {
        216.229.160.10;
        216.229.168.10;
        64.35.138.13;
        64.35.144.4;
        69.28.32.10;
        69.28.32.11;
        69.28.32.15;
        69.28.32.17;
        69.28.32.9;
        69.28.32.6;
        // Allow no transfers. If we have other
        // name servers, place them here.
        // Note that in the Netherlands, for example,
        // the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
        // are allowed to perform zone transfers from the domains under .nl. The
        // RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
        // permit zone transfer requests from 193.0.0.0/23.
    };

    acl "trusted" {
        // Place our internal and DMZ subnets in here so that
        // intranet and DMZ clients may send DNS queries. This
        // also prevents outside hosts from using our name server
        // as a resolver for other domains.
        216.229.171.0/24;
        69.28.32.0/20;
        localhost;
    };

    acl "bogon" {
        // Filter out the bogon networks. These are networks
        // listed by IANA as test, RFC1918, Multicast, experi-
        // mental, etc. If you see DNS queries or updates with
        // a source address within these networks, this is likely
        // of malicious origin. CAUTION: If you are using RFC1918
        // netblocks on your network, remove those netblocks from
        // this list of blackhole ACLs!
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 7.0.0.0/8; 10.0.0.0/8;
        23.0.0.0/8; 27.0.0.0/8; 31.0.0.0/8; 36.0.0.0/8; 37.0.0.0/8; 39.0.0.0/8;
        42.0.0.0/8; 49.0.0.0/8; 50.0.0.0/8; 74.0.0.0/8; 75.0.0.0/8; 76.0.0.0/8;
        77.0.0.0/8; 78.0.0.0/8; 79.0.0.0/8; 89.0.0.0/8; 90.0.0.0/8; 91.0.0.0/8;
        92.0.0.0/8; 93.0.0.0/8; 94.0.0.0/8; 95.0.0.0/8; 96.0.0.0/8; 97.0.0.0/8;
        98.0.0.0/8; 99.0.0.0/8; 100.0.0.0/8; 101.0.0.0/8; 102.0.0.0/8; 103.0.0.0/8;
        104.0.0.0/8; 105.0.0.0/8; 106.0.0.0/8; 107.0.0.0/8; 108.0.0.0/8; 109.0.0.0/8;
        110.0.0.0/8; 111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8; 114.0.0.0/8; 115.0.0.0/8;
        116.0.0.0/8; 117.0.0.0/8; 118.0.0.0/8; 119.0.0.0/8; 120.0.0.0/8; 121.0.0.0/8;
        122.0.0.0/8; 123.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 173.0.0.0/8;
        174.0.0.0/8; 175.0.0.0/8; 176.0.0.0/8; 177.0.0.0/8; 178.0.0.0/8; 179.0.0.0/8;
        180.0.0.0/8; 181.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8; 184.0.0.0/8; 185.0.0.0/8;
        186.0.0.0/8; 187.0.0.0/8; 189.0.0.0/8; 190.0.0.0/8; 192.0.2.0/24;
        192.168.0.0/16; 197.0.0.0/8; 223.0.0.0/8; 224.0.0.0/3;
    };

    logging {
        channel "default_syslog" {
            // Send most of the named messages to syslog.
            syslog local2;
            severity debug;
        };
        channel audit_log {
            // Send the security related messages to a separate file.
            file "/var/named/bind/named.log";
            severity debug;
            print-time yes;
        };
        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { audit_log; };
    };

    // Set options for security
    options {
        directory "/var/named";
        //pid-file "/var/named/named.pid";
        statistics-file "/var/named/named.stats";
        //memstatistics-file "/var/named/named.memstats";
        dump-file "/var/adm/named.dump";
        zone-statistics yes;
        // Prevent DoS attacks by generating bogus zone transfer
        // requests. This will result in slower updates to the
        // slave servers (e.g. they will await the poll interval
        // before checking for updates).
        notify no;
        // Generate more efficient zone transfers. This will place
        // multiple DNS records in a DNS message, instead of one per
        // DNS message.
        transfer-format many-answers;
        // Set the maximum zone transfer time to something more
        // reasonable. In this case, we state that any zone transfer
        // that takes longer than 60 minutes is unlikely to ever
        // complete. WARNING: If you have very large zone files,
        // adjust this to fit your requirements.
        max-transfer-time-in 60;
        // We have no dynamic interfaces, so BIND shouldn't need to
        // poll for interface state {UP|DOWN}.
        interface-interval 0;
        allow-transfer {
            // Zone transfers limited to members of the
            // "xfer" ACL.
            xfer;
        };
        allow-query {
            // Accept queries from our "trusted" ACL. We will
            // allow anyone to query our master zones below.
            // This prevents us from becoming a free DNS server
            // to the masses.
            trusted;
        };
        blackhole {
            // Deny anything from the bogon networks as
            // detailed in the "bogon" ACL.
            bogon;
        };
    };

    view "internal-in" in {
        // Our internal (trusted) view. We permit the internal networks
        // to freely access this view. We perform recursion for our
        // internal hosts, and retrieve data from the cache for them.
        match-clients { trusted; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        zone "." IN { type hint; file "named.ca"; };
        zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
        zone "0.0.127.in-addr.arpa" in {
            // Allow queries for the 127/8 network, but not zone transfers.
            // Every name server, both slave and master, will be a master
            // for this zone.
            type master;
            file "named.local";
            allow-query { any; };
            allow-transfer { none; };
        };
        zone "tylite.com" IN { type master; file "tylite.com.db"; };
        zone "ptera.net" IN { type master; file "ptera.net.db"; };
        zone "32.28.69.in-addr.arpa" IN { type master; file "69.28.32.db"; };
        zone "33.28.69.in-addr.arpa" IN { type master; file "69.28.33.db"; };
        zone "34.28.69.in-addr.arpa" IN { type master; file "69.28.34.db"; };
        zone "35.28.69.in-addr.arpa" IN { type master; file "69.28.35.db"; };
        zone "36.28.69.in-addr.arpa" IN { type master; file "69.28.36.db"; };
        zone "37.28.69.in-addr.arpa" IN { type master; file "69.28.37.db"; };
        zone "38.28.69.in-addr.arpa" IN { type master; file "69.28.38.db"; };
        zone "39.28.69.in-addr.arpa" IN { type master; file "69.28.39.db"; };
        zone "40.28.69.in-addr.arpa" IN { type master; file "69.28.40.db"; };
        zone "41.28.69.in-addr.arpa" IN { type master; file "69.28.41.db"; };
        zone "42.28.69.in-addr.arpa" IN { type master; file "69.28.42.db"; };
        zone "43.28.69.in-addr.arpa" IN { type master; file "69.28.43.db"; };
        zone "44.28.69.in-addr.arpa" IN { type master; file "69.28.44.db"; };
        zone "45.28.69.in-addr.arpa" IN { type master; file "69.28.45.db"; };
        zone "46.28.69.in-addr.arpa" IN { type master; file "69.28.46.db"; };
        zone "47.28.69.in-addr.arpa" IN { type master; file "69.28.47.db"; };
        zone "172.229.216.in-addr.arpa" IN { type master; file "216.229.172.db"; };
        zone "birdshield.com" IN { type master; file "birdshield.com.db"; };
        zone "priorityterabit.com" IN { type master; file "priorityterabit.com.db"; };
        zone "arthurstephens.com" IN { type master; file "arthurstephens.com.db"; };
        zone "cvafoundation.org" IN { type master; file "cvafoundation.org.db"; };
        zone "guitarfranks.com" IN { type master; file "guitarfranks.com.db"; };
        zone "lwccspokane.org" IN { type master; file "lwccspokane.org.db"; };
        zone "impactspokane.com" IN { type master; file "impactspokane.com.db"; };
        zone "tangleheart.com" IN { type master; file "tangleheart.com.db"; };
        zone "ubergeekinc.com" IN { type master; file "ubergeekinc.com.db"; };
        zone "aiin.com" IN { type master; file "aiin.com.db"; };
        zone "spokanewines.com" IN { type master; file "spokanewines.com.db"; };
        zone "skilltran.net" IN { type master; file "skilltran.net.hosts"; };
    };

    // Create a view for external DNS clients.
    view "external-in" in {
        // Our external (untrusted) view. We permit any client to access
        // portions of this view. We do not perform recursion or cache
        // access for hosts using this view.
        match-clients { any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
        // Link in our zones
        zone "." in { type hint; file "named.ca"; };
        zone "tylite.com" IN { type master; file "tylite.com.db"; };
        zone "ptera.net" IN { type master; file "ptera.net.db"; };
        zone "32.28.69.in-addr.arpa" IN { type master; file "69.28.32.db"; };
        zone "33.28.69.in-addr.arpa" IN { type master; file "69.28.33.db"; };
        zone "34.28.69.in-addr.arpa" IN { type master; file "69.28.34.db"; };
        zone "35.28.69.in-addr.arpa" IN { type master; file "69.28.35.db"; };
        zone "36.28.69.in-addr.arpa" IN { type master; file "69.28.36.db"; };
        zone "37.28.69.in-addr.arpa" IN { type master; file "69.28.37.db"; };
        zone "38.28.69.in-addr.arpa" IN { type master; file "69.28.38.db"; };
        zone "39.28.69.in-addr.arpa" IN { type master; file "69.28.39.db"; };
        zone "40.28.69.in-addr.arpa" IN { type master; file "69.28.40.db"; };
        zone "41.28.69.in-addr.arpa" IN { type master; file "69.28.41.db"; };
        zone "42.28.69.in-addr.arpa" IN { type master; file "69.28.42.db"; };
        zone "43.28.69.in-addr.arpa" IN { type master; file "69.28.43.db"; };
        zone "44.28.69.in-addr.arpa" IN { type master; file "69.28.44.db"; };
        zone "45.28.69.in-addr.arpa" IN { type master; file "69.28.45.db"; };
        zone "46.28.69.in-addr.arpa" IN { type master; file "69.28.46.db"; };
        zone "47.28.69.in-addr.arpa" IN { type master; file "69.28.47.db"; };
        zone "172.229.216.in-addr.arpa" IN { type master; file "216.229.172.db"; };
        zone "birdshield.com" IN { type master; file "birdshield.com.db"; };
        zone "priorityterabit.com" IN { type master; file "priorityterabit.com.db"; };
        zone "arthurstephens.com" IN { type master; file "arthurstephens.com.db"; };
        zone "cvafoundation.org" IN { type master; file "cvafoundation.org.db"; };
        zone "guitarfranks.com" IN { type master; file "guitarfranks.com.db"; };
        zone "lwccspokane.org" IN { type master; file "lwccspokane.org.db"; };
        zone "impactspokane.com" IN { type master; file "impactspokane.com.db"; };
        zone "lindarosephoto.com" IN { type master; file "lindarosephoto.com.db"; };
        zone "tangleheart.com" IN { type master; file "tangleheart.com.db"; };
        zone "ubergeekinc.com" IN { type master; file "ubergeekinc.com.db"; };
        zone "aiin.com" IN { type master; file "aiin.com.db"; };
        zone "spokanewines.com" IN { type master; file "spokanewines.com.db"; };
        zone "skilltran.net" IN { type master; file "skilltran.net.hosts"; };
    };

    // Create a view for all clients perusing the CHAOS class.
    // We allow internal hosts to query our version number.
    // This is a good idea from a support point of view.
    view "external-chaos" chaos {
        match-clients { any; };
        recursion no;
        zone "." { type hint; file "/dev/null"; };
        zone "bind" {
            type master;
            file "db.bind";
            allow-query { trusted; };
            allow-transfer { none; };
        };
    };

    allow-query {
        // Accept queries from our "trusted" ACL. We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };

The above will only let your subnets make queries to the zones you host. Try the following:

    allow-query { any; };

-> this way anyone can get the info they need (mx, a, www, etc...)

    allow-transfer { xfer; };

xfer -> would be an acl for your subnets only to pull the complete zone files (notifies for slaves, axfr, etc.)

I try to keep my ACL's and options really simple but secure.

Hope this helps

joe
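The decision joe describes, as an added example that is not part of this thread or of the Secure BIND Template: a small Python model of the posted ACLs (bogon list abridged, "localhost" taken as 127.0.0.0/8, a few of the master zones) that classifies a client's query or transfer the way BIND would under the global allow-query { trusted; } versus joe's allow-query { any; }, plus a parser that picks out of the posted log lines the denials that signal the misconfiguration: an outside client refused for a zone the server is master for, as opposed to an outsider correctly refused recursion.

```python
import ipaddress
import re

# ACLs from the posted named.conf (bogon list abridged; "localhost" modelled as 127.0.0.0/8).
ACLS = {
    "trusted": ["216.229.171.0/24", "69.28.32.0/20", "127.0.0.0/8"],
    "xfer": ["216.229.160.10", "216.229.168.10", "69.28.32.10", "69.28.32.11"],
    "bogon": ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"],
}
# A few of the zones the posted config is master for.
AUTH_ZONES = ("ptera.net", "aiin.com", "tylite.com")

def in_acl(ip, acl):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ACLS[acl])

def decide(ip, op, allow_query):
    """What BIND does with a request from `ip`: blackhole wins, then the
    allow-transfer / allow-query ACLs. `allow_query` is "any" or an ACL name."""
    if in_acl(ip, "bogon"):
        return "dropped"                       # blackhole { bogon; }: no answer at all
    if op == "axfr":
        return "allowed" if in_acl(ip, "xfer") else "denied"   # allow-transfer { xfer; }
    if allow_query == "any" or in_acl(ip, allow_query):
        return "allowed"
    return "denied"                            # what Arthur's log lines show

LOG_RE = re.compile(r"client (\S+)#\d+: query '([^/']+)/IN' denied")

def audit(log_lines):
    """(client, zone) pairs where an outside client was refused an authoritative
    zone: the signature of allow-query { trusted; } sitting in options."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, name = m.groups()
        zone = next((z for z in AUTH_ZONES if name == z or name.endswith("." + z)), None)
        if zone and not in_acl(client, "trusted"):
            hits.append((client, zone))
    return hits

# Constructed sample: three lines taken from Arthur's post, plus one constructed
# denial of an outsider asking for a foreign name (a correct refusal of recursion).
SAMPLE_LOG = [
    "Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied",
    "Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied",
    "Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied",
    "Apr 18 13:46:40 daffy named[24498]: client 203.0.113.7#4567: query 'www.example.com/IN' denied",
]

if __name__ == "__main__":
    for client, zone in audit(SAMPLE_LOG):
        print(f"{client} refused for {zone}: query {decide(client, 'query', 'trusted')} now, "
              f"{decide(client, 'query', 'any')} with any; axfr {decide(client, 'axfr', 'any')}")
```

The constructed 203.0.113.7 line is dropped by audit() because www.example.com is not a hosted zone; that denial is the external view doing its job.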