[Courses] [Security] Zone Transfer and BIND security

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Mar 15 15:50:22 EST 2002


Heya --

Quoth Hamster (Thu, Mar 14, 2002 at 11:15:38AM +0100):
> A zone transfer happens when one machine synchronises and updates
> its DNS database with another.

	Right.  It's basically "give me all your records".  But if you
do maintain a DNS server and you want your secondary name servers to be
able to perform zone transfers, make sure that you limit the IPs that
can get them from you.  It's a common black hat technique to try and
pull a zone transfer for a domain that you intend to attack.  That way
you already know what machines there are for you to have a go at, rather
than having to ping and nslookup every machine in the IP block.  If you
let anyone get zone transfers from you (this is default in many versions
of BIND), you're leaving yourself open to this.

	To restrict this for BIND 8, put the following in /etc/named.conf
under your options directory:

options {
        directory "/usr/local/named";
        allow-transfer { 10.5.1.13; localhost; };
};

	Of course, replace those IPs with the IPs of any machines that
you want to be able to get zone transfers from you.  "none" is also a
valid option there.

	While you're at it, you may want to also turn off queries for
zones that aren't yours from any machine that's not on your local
network.  This helps prevent abuse of your DNS server.

options {
        allow-query { 10.0.0.0/8; localhost; };
};

	Of course, change 10.0.0.0/8 to whatever your local netblock and
netmask are.

zone "example.com" {
        type master;
        file "db.example.com";      // your existing forward zone file
        allow-query { any; };
};

zone "0.0.10.in-addr.arpa" {
        type master;
        file "db.10.0.0";           // your existing reverse zone file
        allow-query { any; };
};

	And that example.com and in-addr.arpa get changed to whatever
your forward and reverse DNS zone file names actually are.

	Also, turning off recursive queries from anywhere except your
local network will help reduce the risk of external cache poisoning
attacks.

options {
        allow-recursion { 10.0.0.0/8; localhost; };
};

	BIND is one of the hardest services to secure, but it's well
worth trying.  Attacks on DNS can mask a multitude of other problems if
they're not detected.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
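The three settings from the message above, as a checker you can run over a named.conf. This is an added example, not code from the original post or from BIND: a small parser for named.conf's brace-and-semicolon syntax plus an audit() that flags a missing or "any" allow-transfer (the BIND 8 default when the clause is absent), allow-recursion and options-level allow-query, while leaving a per-zone allow-query { any; } alone. The two configs embedded at the bottom are constructed samples; the zone file names in them (db.example.com, db.10.0.0) are placeholders and not anything from the page.

```python
"""Audit a BIND named.conf for the ACLs discussed above (added example, not
code from the original post; the two configs at the bottom are constructed)."""
import re

# Tokens: quoted strings, braces, semicolons, bare words (IPs, CIDRs, ACL names).
_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def _strip_comments(text):
    """Drop the /* */, // and # comment forms that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse(text):
    """Parse named.conf into nested statements of (words, children-or-None)."""
    tokens = _TOKEN_RE.findall(_strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, children = [], None
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                children = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("'{' without a matching '}'")
                pos += 1
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words or children is not None:
                stmts.append((words, children))
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise ValueError("'}' without a matching '{'")
    return stmts


def is_well_formed(text):
    """True when the braces balance; False for e.g. a zone left inside an unclosed options block."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


def _acl(stmts, name):
    """Entries of an ACL clause such as allow-transfer, or None if the clause is absent."""
    for words, children in stmts:
        if words[:1] == [name] and children is not None:
            return [w[0] for w, _ in children if w]
    return None


def audit(text):
    """Return findings for unrestricted ACLs; an empty list means all three are limited."""
    findings, options, zones = [], [], []
    for words, children in parse(text):
        if words[:1] == ["options"]:
            options = children or []
        elif words[:1] == ["zone"] and len(words) > 1:
            zones.append((words[1], children or []))
    # A zone-level allow-transfer overrides the options-level one; with neither
    # present, BIND 8 hands the whole zone to anyone who asks for an AXFR.
    for name, body in zones or [("(global)", [])]:
        acl = _acl(body, "allow-transfer")
        if acl is None:
            acl = _acl(options, "allow-transfer")
        if acl is None or "any" in acl:
            findings.append(f"zone {name}: allow-transfer is unrestricted")
    # Recursion for outsiders is what exposes the cache to poisoning.
    rec = _acl(options, "allow-recursion")
    if rec is None or "any" in rec:
        findings.append("options: allow-recursion is unrestricted")
    # Queries are limited globally and re-opened per zone you are authoritative for.
    qry = _acl(options, "allow-query")
    if qry is None or "any" in qry:
        findings.append("options: allow-query is unrestricted")
    return findings


# Constructed sample: a directory-only named.conf, which serves AXFR and
# recursion to anyone. Zone file names are placeholders.
WEAK_CONF = """options {
        directory "/usr/local/named";
};
zone "example.com" { type master; file "db.example.com"; };
"""

# Constructed sample: the same server with the ACLs from the message above.
HARDENED_CONF = """options {
        directory "/usr/local/named";
        allow-transfer { 10.5.1.13; localhost; };
        allow-query { 10.0.0.0/8; localhost; };
        allow-recursion { 10.0.0.0/8; localhost; };
};
zone "example.com" { type master; file "db.example.com"; allow-query { any; }; };
zone "0.0.10.in-addr.arpa" { type master; file "db.10.0.0"; allow-query { any; }; };
"""
```

audit(WEAK_CONF) reports all three ACLs as unrestricted and audit(HARDENED_CONF) reports nothing; allow-transfer { none; } passes, since only an absent clause or an explicit any is flagged. is_well_formed() is there because a zone statement wrapped inside an options block with mismatched braces is exactly the kind of slip that stops named from loading, and it returns False for that case.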