DNS and BIND, Fourth Edition, by Paul Albitz, Cricket Liu, April 16, 2001

Secure Bind 9 Example


Bind 9.2.1 example

Since I went on the internet I have always run my own set of DNS name servers. Handing over the DNS name service of your own domain to a third party, like e.g. some ISP, is the same as handing out your passport at the hotel desk when on holiday. However, holidays don't last for ever, and likewise running your DNS service outdoors with a third party you don't really know should not last longer than your holiday season.
Fred N. van Kempen went even so far as to claim that he will not accept an Internet DSL offering if he is not able to run his own reverse DNS on the set of IP numbers which come with that DSL offering.

And how right on the money he is, as today the MOSSAD and related secret services have started to harass certain domain names by subduing their DNS name service.


From stock@stokkie.net Fri Nov 22 07:17:41 2002 +0100
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: "Robert M. Stockmann" 
To: jon@lasser.org
Subject: simple bind 9.2.1 example
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

I just read your article 

"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

Where you state the following :

  "If you're saddled with an old version, take heart. With the latest 
   security holes, the programs are vulnerable only when acting as 
   recursive name servers. In brief, this means that the holes only 
   affect servers that can look up any address on the Internet. Your 
   name servers should not respond to such requests from external 
   addresses anyway: to do so opens the door to DNS cache poisoning 
   attacks. Your name servers should respond only to authoritative 
   requests from outside your network, and allow recursion only within 
   the network. 

   Sadly, most BIND configurations will allow recursion from any 
   address -- that's the default configuration of BIND, another 
   situation that the Internet Software Consortium should resolve. 

   When the Internet was designed, nobody imagined swarms of thousands 
   of six-foot-tall jet-black stealth woodpeckers. Today they're here, 
   and it's time our architects took the woodpeckers into account."

Well although I agree with you, here's an example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure :

http://crashrecovery.org/named/

Your conclusion which states transitioning to bind 9 is painful is IMHO
not true, but merely a matter of having accessible documentation with
useful examples.

cheers,

Robert
-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org  stock@stokkie.net

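The article passage Robert quotes above is about allowing recursion only inside your own network while still answering authoritative queries from anywhere. The named.conf fragment below is an added example for BIND 9.2.x, not taken from crashrecovery.org/named/ or from either correspondent; it shows the permissive default beside the restricted form. The ACL name `internal`, the 192.168.0.0/16 range, the zone `example.net` and the secondary address 192.0.2.53 are constructed placeholders.

```conf
// Added example for BIND 9.2.x: recurse only for internal clients.
// ACL name, address ranges and zone name are constructed placeholders.
acl "internal" {
    127.0.0.1;
    192.168.0.0/16;           // the site's own network (constructed)
};

options {
    directory "/var/named";
    version "not available";  // don't reveal the BIND version via version.bind

    // Weak: what BIND 9.2.x does when nothing is configured:
    //   recursion yes;
    //   allow-recursion { any; };   // open resolver: anyone can use the cache
    //
    // Restricted: authoritative answers for everyone, recursion
    // only on behalf of addresses matching the "internal" ACL.
    recursion yes;
    allow-recursion { "internal"; };
    allow-query { any; };
    allow-transfer { none; };  // zones override this for their secondaries
};

zone "." {
    type hint;
    file "named.root";
};

zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { 192.0.2.53; };  // constructed address of the secondary
};
```

After `rndc reload`, a `dig` from an address outside the ACL for a name the server is not authoritative for should no longer return a full recursive answer with the `ra` flag set, while queries for `example.net` are still answered.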

From jon@leapfrog.baltimorons.org Fri Nov 22 15:40:19 2002
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: "J. Lasser" 
To: "Robert M. Stockmann" 
Subject: Re: simple bind 9.2.1 example
Message-ID: <20021122154148.GA24401@leapfrog.baltimorons.org>
References: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: 
User-Agent: Mutt/1.3.99i
X-AntiVirus: scanned for viruses by AMaViS 0.2.2 (http://amavis.org/)

In the wise words of Robert M. Stockmann:

> Your conclusion which states transitioning to bind 9 is painful is IMHO
> not true, but merely a matter of having accessible documentation with
> useful examples.

It's painful for ISPs, like the one I worked at with 10,000 zone
records, each of which was broken.

It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.

Thanks for your note --- it's always good to hear from readers!
Jon
-- 
Jon Lasser	
Home: jon@lasser.org		|    Work:jon@cluestickconsulting.com
http://www.tux.org/~lasser/     |    http://www.cluestickconsulting.com
   Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/

[1] DNS and BIND, Fourth Edition
by Paul Albitz (Author), Cricket Liu

Paperback: 622 pages
Publisher: O'Reilly Media, Inc.; 4 edition (April 16, 2001)
Language: English
ISBN-10: 0596001584
ISBN-13: 978-0596001582
http://www.amazon.com/gp/product/0596001584/104-4523770-2822321