I followed the instructions in Falko's howto but I came up against a problem. My system is Etch (stable). After an apt-get update I tried to apt-get install bind9 bind9-host and was told they were up to date. Just to check, I did apt-get -s install -t unstable bind9 bind9-host and this time was told there was a new version. The problem is that, among other things, it wants to remove several packages that I need. What can I do to install the patched version of bind?

thx
Alan
Hey,

Did you run the command to find out if your DNS needs the patch? Also, can you be specific about your system setup and what packages it wants to remove?

Rocky
Rocky,

In answer to your questions: I ran the test and my DNS needs to be upgraded. The result of the apt-get:

apt-get -s install bind9 bind9-host -t unstable
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  bind9utils gnupg libasn1-8-heimdal libattr1 libbind9-40 libc6 libc6-dev libc6-i386 libcap2 libdb4.6 libdns43 libgcrypt11 libgcrypt11-dev libgnutls26 libhdb9-heimdal libheimntlm0-heimdal libhx509-3-heimdal libisc41 libisccc40 libisccfg40 libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkeyutils1 libkrb5-25-heimdal libkrb53 libldap-2.4-2 liblwres40 libnfsidmap2 libpcre3 libroken18-heimdal libssl-dev libssl0.9.8 libwind0-heimdal libxml2 locales tzdata
Suggested packages:
  resolvconf gnupg-doc libpcsclite1 glibc-doc manpages-dev rng-tools libgcrypt11-doc gnutls-bin krb5-doc krb5-user
The following packages will be REMOVED:
  apache-common apache2 apache2-mpm-prefork apache2-utils apache2.2-common cupsys heimdal-dev libapache-mod-php4 libapache2-mod-defensible libapache2-mod-geoip libapache2-mod-php5 libapache2-mod-security2 libaprutil1 libhdb7-heimdal libkadm5clnt4-heimdal libkadm5srv7-heimdal libldap2 mod-security2-common php4 php4-imap php4-mysql samba samba-common sasl2-bin smbclient smbfs squid
The following NEW packages will be installed:
  bind9utils libasn1-8-heimdal libbind9-40 libcap2 libdb4.6 libdns43 libgnutls26 libhdb9-heimdal libheimntlm0-heimdal libhx509-3-heimdal libisc41 libisccc40 libisccfg40 libkadm5clnt7-heimdal libkadm5srv8-heimdal libkeyutils1 libkrb5-25-heimdal libldap-2.4-2 liblwres40 libroken18-heimdal libwind0-heimdal
The following packages will be upgraded:
  bind9 bind9-host gnupg libattr1 libc6 libc6-dev libc6-i386 libgcrypt11 libgcrypt11-dev libkafs0-heimdal libkrb53 libnfsidmap2 libpcre3 libssl-dev libssl0.9.8 libxml2 locales tzdata
18 upgraded, 21 newly installed, 27 to remove and 536 not upgraded.
As you can see it will remove apache2 and cupsys (not good, because I use both of them). Any suggestions? TIA
apt-get -s install bind9 bind9-host
Reading package lists... Done
Building dependency tree... Done
bind9 is already the newest version.
bind9-host is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.

BTW: the version installed is 9.3.4
Moving from "POOR" to "GREAT"

I had the same problem described here. I fixed it by editing my /etc/bind/named.conf file to comment out "port 53" as the "query-source address."

The Debian Etch named.conf file provides the explanation behind the query-source address issue (no longer up to date, in light of the current cache poisoning problem and fix):

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

I originally had the query source line UNcommented. I don't have the firewall issue, so re-commenting the line was not a problem. However, I'm not sure what folks who have a firewall issue would do....

Good luck.
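An added example, not part of the post above and not code from BIND or Debian: a small Python check that reports every active query-source or query-source-v6 directive that pins named's outgoing queries to one numeric port, which is the setting the post above had to comment out. The sample named.conf text and the function names are constructed for illustration.

```python
import re

# Matches quoted strings (kept) or BIND's three comment styles (dropped).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)
_DIRECTIVE = re.compile(r'(?<![\w-])(query-source(?:-v6)?)\s+([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\S+)')
_ADDR = re.compile(r'\baddress\s+(\S+)')


def strip_comments(conf_text):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', conf_text)


def fixed_query_source_ports(conf_text):
    """Return (directive, address, port) for each active directive that pins
    outgoing queries to one numeric source port. 'port *' or a missing port
    clause leaves the port choice to named, so those are not reported."""
    findings = []
    for directive, body in _DIRECTIVE.findall(strip_comments(conf_text)):
        port = _PORT.search(body)
        if port and port.group(1).isdigit():
            addr = _ADDR.search(body)
            findings.append(
                (directive, addr.group(1) if addr else '*', int(port.group(1))))
    return findings


# Constructed sample: the directive appears commented out twice and active
# once, plus a v6 line that uses 'port *'.
SAMPLE = '''
options {
    directory "/var/cache/bind";  # cache directory
    // query-source address * port 53;
    /* query-source address * port 5353; */
    query-source address * port 53;
    query-source-v6 address * port *;
};
'''

if __name__ == "__main__":
    for directive, addr, port in fixed_query_source_ports(SAMPLE):
        print(f"{directive}: source port pinned to {port} (address {addr})")
```

An empty result means no active directive fixes the source port; commented-out lines such as the one shipped in the Etch named.conf are ignored.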
Here's my /etc/apt/sources.list

# deb http://ftp.debian.org/debian/ etch main
deb http://ftp.debian.org/debian/ etch main contrib non-free
deb-src http://ftp.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main contrib non-free
deb-src http://security.debian.org/ etch/updates main contrib
## deb http://mirrors.kernel.org/debian/ unstable main contrib non-free
deb ftp://mirrors.kernel.org/debian/ unstable main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ unstable main
deb http://mirrors.kernel.org/debian/ testing main contrib non-free
deb-src http://mirrors.kernel.org/debian/ testing main
deb http://volatile.debian.net/debian-volatile etch/volatile main
deb http://www.backports.org/debian etch-backports main contrib non-free

and just in case, /etc/apt/preferences

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600

As per the comments of the previous poster, I have already made some changes to my bind config. I am using it as a caching server, so I limited access to clients on my network and blocked transfers. Now when I run the poisoned cache test I get a "good" result. But I would still like to understand why I cannot install the latest version of bind.

Thx.
Sorry for the delay. I commented out all of the repositories except stable and I still get the same result. Just to be sure about this: the bind version reported on my system is 9.3.4. I looked it up and according to debian.org this is the latest "stable" version. Is there a later version which fixes the DNS cache poisoning issue?

Thx