bind 9 goes rogue and revert zone information

Alberto Colosi alcol at hotmail.com
Tue Feb 7 14:42:28 UTC 2017


IP ports not being open does not mean it is not hacked.

A vulnerability can be used to make a change or gain access.


Try to change and audit file access and permissions; firewall log analysis can help find a solution (check all IP traffic out from TCP/UDP 53).


If you have RNDC, change the KEY or disable it.



________________________________
From: Raul Dias <raul at dias.com.br>
Sent: Tuesday, February 7, 2017 3:34 PM
To: Alberto Colosi; bind-users at lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information


Sorry,
Static files.
It is the master server.
No dynamic updates.
Host under lxc with only bind ports open.

On Tue, Feb 7, 2017, 12:27 Alberto Colosi <alcol at hotmail.com> wrote:

Hi, it is unclear what the named structure is: if it is a slave or a master, if dynamic updates are enabled, and if the Unix box has been hacked.

As the last point, are the zones static files on the fs?


________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Raul Dias <raul at dias.com.br>
Sent: Tuesday, February 7, 2017 3:03 PM
To: bind-users at lists.isc.org
Subject: bind 9 goes rogue and revert zone information

Hello,

I have a very strange behavior that I am failing to understand.

2 to 5 times a week, a named server reverts back to a previous version of
a master zone.
This happens during the night, usually around 20h EST.

This zone has a serial of 3017020401 (yes, I typoed the 3 somewhere in the
past).
When it reverts its zone information, it goes back to 3016060101.

I have updated, restarted the host, cleaned all cache and journal files,
grepped all files on the host for 3016060101 (it just shows up in the logs).

So, I have no clue why, or how it is happening. Where does it get the
old information?

I thought first about the serial, but it would have happened in the past
too, right?  As it should be a 32-bit unsigned integer, it shouldn't be a
problem, IMHO.

Yet, when "dig domain -t SOA @server", it is there again.

The host is a Debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8
more specifically.


Thanks for any direction.
-rsd
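An added example for anyone watching a master for the revert described above (this is not code from the thread's participants or from ISC): it parses the answer section of `dig domain -t SOA @server` output, compares the serial it finds with the last one recorded using RFC 1982 serial arithmetic, and reports when the served zone has gone backwards. The zone name, server address and the dig text are constructed; only the two serials come from the thread.

```python
import re

HALF = 1 << 31            # RFC 1982 comparison window for 32-bit serials
MASK = (1 << 32) - 1
# The SOA RR line dig prints in its ANSWER SECTION: zone TTL IN SOA mname rname serial ...
SOA_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\b")


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for zone serials, tolerant of 32-bit wraparound."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def parse_soa_serial(dig_output: str):
    """Return (zone, serial) from the first SOA record in dig's ANSWER SECTION."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):   # any other ";;" header ends the answer section
            in_answer = False
            continue
        m = SOA_RE.match(line) if in_answer else None
        if m:
            return m.group("zone"), int(m.group("serial"))
    return None


def classify(observed: int, last_seen: int) -> str:
    """Compare the serial just observed with the last one recorded for the zone."""
    if observed == last_seen:
        return "unchanged"
    if serial_lt(last_seen, observed):
        return "advanced"
    if serial_lt(observed, last_seen):
        return "reverted"        # older zone data is being served again
    return "incomparable"        # exactly 2^31 apart; RFC 1982 leaves this undefined


def check_zone(dig_output: str, last_seen: int) -> str:
    """One monitoring pass: parse dig's answer and classify the serial movement."""
    parsed = parse_soa_serial(dig_output)
    return classify(parsed[1], last_seen) if parsed else "no-soa"


# Constructed dig output (zone, server and timers invented) carrying the thread's two serials.
DIG_CURRENT = """\
;; QUESTION SECTION:
;example.net.\t\t\tIN\tSOA
;; ANSWER SECTION:
example.net.\t\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 3017020401 7200 3600 1209600 3600
"""
DIG_REVERTED = DIG_CURRENT.replace("3017020401", "3016060101")
```

Run it from cron with the real `dig` output and the serial recorded on the previous pass; a "reverted" result timestamps the event so it can be lined up against file-access audit records and firewall logs.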