Date:      Tue, 30 Jan 2001 17:32:42 -0600 (CST)
From:      David La Croix <dlacroix@cowpie.acm.vt.edu>
To:        fbsd-secure@ursine.com (Michael Bryan)
Cc:        freebsd-security@freebsd.org
Subject:   Re: Bind: unapproved query (version.bind) Script kiddies?
Message-ID:  <200101302332.SAA12914@cowpie.acm.vt.edu>
In-Reply-To: <3A7745E9.ABA027AD@ursine.com> from Michael Bryan at "Jan 30, 1 02:53:29 pm"

> Almost certainly script kiddies looking to find vulnerable versions of BIND.
> It might be related to the pre-8.2.3 bugs, or it might be earlier bugs that
> they're looking for.  Certainly anything before a week or two ago is most likely
> somebody looking for one of the earlier bugs.
> 
> Out of curiosity, what do you have set up in named.conf (or elsewhere) to block
> queries for version.bind?

It's not so much blocking queries to version.bind, so much as refusing to 
answer queries to an untrusted host, about domains it does not host.

 
options {
        directory "/etc/namedb";
        allow-query { 
                127.0.0.1;
                localnets; 
        };
        allow-transfer { 
                0.0.0.0;  /* IPs changed */
                0.0.0.0;  /* secondary DNS servers */
        };
        forwarders {
                0.0.0.0; 0.0.0.0;
        };
};

and then further down all my zone definitions look like:

zone "mydomain.com" {
        type master;
        file "zones/mydomain.com";
        allow-query { any; };
};


Basically:  refuse queries for any domains I'm not master or slave for,
and only allow domain transfers to the known/trusted secondary 
nameservers for my domains.  (as far as you can trust based on IP address)

I'm sure others have even more restrictive setups that work. (require 
keys to do zone transfers, listen on only one IP address, etc)
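
Added example, not part of the original message and not BIND's own code: a simplified Python model of how the allow-query settings above decide whether a query is answered. The addresses and the contents of localnets are constructed, and the model ignores query class, treating version.bind as just another name the server hosts no zone for.

```python
"""Simplified model of the allow-query decision in the named.conf above."""
from ipaddress import ip_address, ip_network

# Constructed addresses: localnets is assumed to be one attached /24.
ACLS = {
    "localnets": [ip_network("192.0.2.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}
GLOBAL_ALLOW_QUERY = ["127.0.0.1", "localnets"]  # options { allow-query }
ZONES = {"mydomain.com": ["any"]}                # zone-level allow-query


def acl_match(client, acl):
    """True if client matches any element: a named ACL or a literal address."""
    addr = ip_address(client)
    for element in acl:
        nets = ACLS.get(element) or [ip_network(element)]
        if any(addr in net for net in nets):
            return True
    return False


def find_zone(qname):
    """Longest-suffix match of qname against the zones this server hosts."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def decide(client, qname):
    """A zone's allow-query overrides the global one; other names use the global ACL."""
    zone = find_zone(qname)
    acl = ZONES[zone] if zone is not None else GLOBAL_ALLOW_QUERY
    return "answer" if acl_match(client, acl) else "refuse"


# Constructed queries: (client address, query name)
SAMPLES = [
    ("203.0.113.50", "www.mydomain.com"),  # outside host, hosted zone
    ("203.0.113.50", "version.bind"),      # outside host, version probe
    ("203.0.113.50", "www.example.org"),   # outside host, name not hosted here
    ("192.0.2.10", "version.bind"),        # host on a local network
    ("127.0.0.1", "www.example.org"),      # loopback
]

if __name__ == "__main__":
    for client, qname in SAMPLES:
        print(f"{client:15} {qname:20} {decide(client, qname)}")
```

Only the first of the three outside-host queries is answered; the version.bind probe from 203.0.113.50 falls through to the global ACL and is refused.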


