Re: Possible cache poisoning
On 2010-10-26 00:39, The Doctor wrote:
> My question is how can you detect if a DNS / Domain name
> has been 'poisoned'?

By using DNSSEC

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Possible cache poisoning
Quoting The Doctor:
> My question is how can you detect if a DNS / Domain name has been 'poisoned'?

Compare what your cache delivers with results from other sites. To prevent cache poisoning you might use DNSSEC if the zones which are affected support it, and at least use a recent resolver with ID/port randomization.

Regards
Andreas
Re: bind9.7.1 Reload Fails with Permission Denied. solved
On 21.10.10 15:51, Martin McCormick wrote:
> The problem was that named.conf.keys was owned by root
> instead of bind. I have an #include statement in named.conf to
> read in the file so there is where the permission problem was
> and the log tells you quite nicely what line number in
> named.conf is causing the problem.

If your named runs under the 'bind' userid, it apparently should not own its config files, only those it writes to. It's quite good practice when a daemon can't write to its config files. You apparently need only change permissions so bind could READ the file, which usually means group bind and group-read privileges.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese.
Re: Possible cache poisoning
On 25.10.10 16:39, The Doctor wrote:
> My question is how can you detect if a DNS / Domain name
> has been 'poisoned'?

Quite hard if it's already been done. You can see what it contains and compare it with what it should contain, but you never know if the incorrect data didn't come from a misconfigured server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
bind9.7.1 Skipping lots of Zone Transfers
Ah, the wonderful world of high stakes no-return upgrades! I turned on a new installation of bind9.7.1 after running it in slave mode for a few days and:

26-Oct-2010 07:30:46.497 zone 78.139.IN-ADDR.ARPA/IN: refresh: skipping zone transfer as master 139.78.100.1#53 (source 0.0.0.0#0) is unreachable (cached)

These messages are flying in fast and furious at a rate of about 1500 in 4 hours, and the master is otherwise answering queries and seems to be well. Nothing like going from test mode to production to find out the truth.

The slave from which I got these errors is also a brand new installation of bind9.7.1 and is on the same switch as the master. If the problem is with the slave configuration, I am not as concerned as if it is the master, so I am trying to figure this out sooner rather than later as it looks like something that might affect our site lookups. Any ideas are appreciated. Most of the error messages in bind9.7.1 are fairly self-explanatory but this one has me scratching my head.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department
Telecommunications Services Group
Re: bind9.7.1 Skipping lots of Zone Transfers
On 10/26/2010 8:45 AM, Martin McCormick wrote:
> 26-Oct-2010 07:30:46.497 zone 78.139.IN-ADDR.ARPA/IN: refresh:
> skipping zone transfer as master 139.78.100.1#53 (source 0.0.0.0#0) is
> unreachable (cached)

Are you able to "dig @139.78.100.1 78.139.IN-ADDR.ARPA axfr" when logged into the slave?

It seems that communications between the slave (which we don't know the IP address of) and the server at 139.78.100.1 are broken.

AlanC
Re: bind9.7.1 Skipping lots of Zone Transfers
Alan Clegg writes:
> Are you able to "dig @139.78.100.1 78.139.IN-ADDR.ARPA axfr" when logged
> into the slave?

No, and your diagnosis was spot on.

> It seems that communications between the slave (which we don't know the
> IP address of) and the server at 139.78.100.1 are broken.

Oh, yes! It was definitely broken. The slave is on the same subnet as the master so any firewalls had to be on one or the other, and it turned out some firewall rules I had been using for probably 6 to 8 years or so do not work with TCP transfers. Individual lookups worked because they are mostly UDP. To be truthful, the firewall was low on the trouble-shooting list because it had worked for so long.

Thanks very much.

Martin McCormick
Re: Possible cache poisoning
If we talk about checking after suspected poisoning, my best idea is: dump the cache, then flush the cache and do the lookups again and compare to the cache dump. Any difference is suspicious and should be looked at more closely. The cure is, BTW, also to flush the cache of the fake info.

Remember that it is only the resolving server that gets poisoned; the authoritative server does not ask questions and can not be poisoned with false replies.

Remember to use best practices to avoid poisoning anyway.

On 26/10/10 10:19, Matus UHLAR - fantomas wrote:
> On 25.10.10 16:39, The Doctor wrote:
>> My question is how can you detect if a DNS / Domain name
>> has been 'poisoned'?
> Quite hard if it's already been done. You can see what it contains and
> compare it with what it should contain, but you never know if the incorrect
> data didn't come from a misconfigured server.

--
Best regards
Sten Carlsen
No improvements come from shouting: "MALE BOVINE MANURE!!!"
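The dump / flush / re-resolve / compare check described above, scripted for a BIND resolver. This is an added example, not code from the thread: it assumes the cache was written with `rndc dumpdb -cache` and cleared with `rndc flush`, and the dump format, file names and record values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Sten Carlsen's check for a suspected
# poisoned BIND cache. Intended workflow on the resolver:
#   rndc dumpdb -cache   -> writes the cache to the dump-file (named_dump.db)
#   rndc flush           -> drop the suspect cache
#   check_after_flush    -> re-resolve each name and diff it against the dump
# File names, record names and addresses below are assumptions/constructed.

# Print the RDATA of NAME/TYPE found in a cache dump, one per line, sorted.
# A dump omits the owner on the 2nd and later records of an RRset (the line
# then starts with the TTL), so the last explicit owner is carried forward.
# NAME must be given as it appears in the dump, i.e. with the trailing dot.
cached_rrset() {  # cached_rrset DUMP NAME TYPE
  awk -v n="$2" -v t="$3" '
    /^;/ || NF == 0 { next }
    { s = 1 }                                # field index of the TTL
    $1 !~ /^[0-9]+$/ { owner = $1; s = 2 }   # explicit owner on this line
    {
      cls = $(s + 1); typ = $(s + 2); rd = ""
      for (i = s + 3; i <= NF; i++) rd = rd (rd == "" ? "" : " ") $i
      if (owner == n && cls == "IN" && typ == t) print rd
    }' "$1" | sort -u
}

# Compare the cached RRset with a freshly resolved one; FRESH holds
# `dig +short` output, one RDATA per line. Returns 0 if equal, 1 if not.
compare_rrset() {  # compare_rrset DUMP FRESH NAME TYPE
  cached=$(cached_rrset "$1" "$3" "$4")
  fresh=$(sort -u "$2")
  if [ "$cached" = "$fresh" ]; then
    echo "OK       $3 $4"
  else
    echo "MISMATCH $3 $4: cached=[$cached] fresh=[$fresh]"
    return 1
  fi
}

# After `rndc flush`, re-resolve every "NAME TYPE" pair read from stdin via
# the local resolver and report RRsets whose cached data differed.
check_after_flush() {  # check_after_flush DUMP < names.txt
  rc=0
  while read -r name type; do
    tmp=$(mktemp)
    dig @"${RESOLVER:-127.0.0.1}" +short "$name" "$type" > "$tmp"
    compare_rrset "$1" "$tmp" "$name" "$type" || rc=1
    rm -f "$tmp"
  done
  return "$rc"
}
```

A mismatch is a lead, not proof: answers also change legitimately (TTL expiry, round-robin, CDNs), and as Matus notes the wrong data may come from a misconfigured authoritative server rather than an attacker.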
limiting number of recursion/queries per IP address
Dear List,

Is it possible to limit the number of recursion/queries per IP address? There is some kind of virus that's bombarding my DNS servers with a lot of queries. I realize that whenever the total number of recursive clients reaches 1000, DNS resolution stops working. I have increased recursive-clients to 1 but still this does not help, and also I have increased the number of max open files on my OS, which at one point was complaining about too many open files. Can someone please direct me to how best to solve this problem? It's some kind of DDoS.

Thanks
Kebba
RE: limiting number of recursion/queries per IP address
What version of bind, on what OS?

There may be some things you can do with iptables to limit connections:
http://www.debian-administration.org/articles/187

I don't recall seeing anything native to BIND that would allow for limits per src.

t.
RE: limiting number of recursion/queries per IP address
On Tue, 2010-10-26 at 15:22 -0400, Todd Snyder wrote:
> What version of bind, on what OS?

I use Debian 5.0 with bind 9.6-ESV-R1, but I also thought that the OS might have some security holes, so I tried FreeBSD 8.1 with BIND 9.7.1, but I still have the same problems.

> There may be some things you can do with iptables to limit connections
>
> http://www.debian-administration.org/articles/187

I will just look into these, but I don't think iptables will be the ideal solution.

> I don't recall seeing anything native to BIND that would allow for limits per
> src.
>
> t.
RE: limiting number of recursion/queries per IP address
iptables is available in most Linux distros and it is definitely better to block things there than in BIND itself. I don't know that BIND has a rate limiter. It DOES have a "blacklist" option where you can completely block a site's access to it, but as noted above it is better to do it in iptables or a firewall because then it never gets to BIND in the first place.
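The per-source limit the replies above point to, done with the iptables hashlimit match so that a flooding client is dropped by the kernel before it ties up recursive-clients slots in named. This is an added example, not code from the thread or the linked article; the rate, burst and trusted-network values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP query rate limit on the
# resolver's DNS ports using the iptables "hashlimit" match. A client that
# exceeds the rate is dropped in the kernel, so it never occupies one of
# named's recursive-clients slots. Rate/burst values are assumptions.
IPT="${IPT:-iptables}"   # run with IPT=echo to preview the rules without applying

# dns_rate_limit RATE BURST     e.g. dns_rate_limit 30/sec 60
# One token bucket per source address (--hashlimit-mode srcip); once a source
# has used its BURST allowance, packets above RATE are dropped. UDP and TCP
# get separate buckets because they are separate rules.
dns_rate_limit() {
  rate="$1"; burst="$2"
  for proto in udp tcp; do
    "$IPT" -A INPUT -p "$proto" --dport 53 \
      -m hashlimit --hashlimit-name "dns-$proto" --hashlimit-mode srcip \
      --hashlimit-above "$rate" --hashlimit-burst "$burst" \
      -j DROP
  done
}

# dns_allow CIDR   insert an unconditional ACCEPT ahead of the limit for
# sources that must never be throttled (e.g. a monitoring host).
dns_allow() {
  for proto in udp tcp; do
    "$IPT" -I INPUT -p "$proto" --dport 53 -s "$1" -j ACCEPT
  done
}

# Typical use (constructed values):
#   dns_allow 192.0.2.0/24
#   dns_rate_limit 30/sec 60
```

Pick RATE from observed per-client traffic on the resolver (a busy stub resolver or a mail server behind NAT can legitimately exceed a low limit); named's own blackhole ACL is the in-BIND counterpart mentioned above, but it still costs named a socket read per packet.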