DNS Vulnerable

Discussion in 'Installation/Configuration' started by gobokster, May 6, 2009.

  1. gobokster

    gobokster New Member

    Hi,

    I ran the "prevent DNS server vulnerable to DNS zone transfer attack" test from http://isc1.sans.org/dnstest.html against my DNS server, but the result was

    "BAD, your name server responded to the query"

    Is there a way I can secure my DNS server from a zone transfer attack / root cache?

    BTW, my OS is CentOS 5.3 and my BIND version is 9.3.4-P1.

    Thank you in advance.
     
  2. commentator

    commentator Member

    You can edit
    /root/ispconfig/isp/conf/named.conf.master

    and add (in the options part):
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    to fix it.

    Make a change to one of your DNS items in your control panel to write the new config.
     
    Last edited: May 6, 2009
  3. gobokster

    gobokster New Member

    Thank you for the response, but I'm not very clear on the instructions.

    I've edited /root/ispconfig/isp/conf/named.conf.master to:

    Code:
    options {
            pid-file "/var/named/chroot/var/run/named/named.pid";
            directory "{BINDDIR}";
            auth-nxdomain no;
            recursion no;
            additional-from-auth no;
            additional-from-cache no;
             /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
    };
    
    //
    // a caching only nameserver config
    //
    zone "." {
            type hint;
            file "named.root";
    };
    
    zone "0.0.127.in-addr.arpa" {
            type master;
            file "named.local";
    };
    
    <!-- BEGIN DYNAMIC BLOCK: named_reverse -->
    zone "{ZONE}.in-addr.arpa" {
            type master;
            file "pri.{ZONE}.in-addr.arpa";
    };
    <!-- END DYNAMIC BLOCK: named_reverse -->
    
    <!-- BEGIN DYNAMIC BLOCK: named -->
    zone "{DOMAIN}" {
            type master;
            file "pri.{DOMAIN}";
    };
    <!-- END DYNAMIC BLOCK: named -->
    
    <!-- BEGIN DYNAMIC BLOCK: named_slave -->
    zone "{DOMAIN}" {
            type slave;
            file "sec.{DOMAIN}";
            masters { {MASTERS}; };
    };
    <!-- END DYNAMIC BLOCK: named_slave -->
    
    //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////

    But I'm not sure what to do in the ISPConfig control panel. Do I have to change the named.conf path to the one I edited, or can I just edit the named.conf that I supplied in the ISPConfig control panel, /var/named/chroot/etc/named.conf? Will it break it?
     
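    As an added example (not posted by anyone in the thread), this is what the template's options block looks like when zone transfers are limited to specific secondaries with allow-transfer, the BIND directive that controls who may request AXFR/IXFR, alongside the recursion settings suggested above. The 192.0.2.x addresses and example.com are placeholders.

    ```conf
    // Added example, not from the thread: a BIND 9 options block that
    // restricts zone transfers and recursion. Addresses are placeholders.
    options {
            directory "/var/named";
            // Refuse AXFR/IXFR from everyone except the listed secondaries.
            allow-transfer { 192.0.2.10; 192.0.2.11; };
            // Authoritative-only server: do not recurse for anyone.
            recursion no;
            // Do not pad answers with data from the cache or from other
            // authoritative zones (the settings suggested earlier in the thread).
            additional-from-auth no;
            additional-from-cache no;
    };

    // The global default can be narrowed further per zone.
    zone "example.com" {
            type master;
            file "pri.example.com";
            // Only this secondary may transfer this zone.
            allow-transfer { 192.0.2.10; };
    };
    ```

    After the template is regenerated into named.conf, running named-checkconf on the resulting file catches syntax mistakes before named is reloaded.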
  4. falko

    falko Super Moderator Howtoforge Staff

    After you've changed the template, you must modify/add/delete a zone in ISPConfig (you can undo your changes afterwards) so that ISPConfig writes a new named.conf from the template.
     
  5. gobokster

    gobokster New Member

    Thanks for the answers, falko. I'll do as suggested.
     