[conspire] DNS vulnerability details

Rick Moen rick at linuxmafia.com
Mon Jul 28 00:39:09 PDT 2008

Quoting Ruben Safir (ruben at mrbrklyn.com):

> so I'm going to remove the old SuSE name server and install from the
> bind site the latest Beta code. 

Hmm, in general, you should go to upstream tarballs only as a last
resort.  It's difficult to believe that there are no proper distro
packages for the recent BIND9 P1 updates on non-EoLed releases of SUSE
or any other Linux distro.  So, why go to upstream if you don't have to?
There are disadvantages (http://linuxgazette.net/118/weatherwax.html#1).

If on the other hand there are _not_ timely security updates for a given
distro, then I'd suggest moving away from that distro.

> How much tinkering will I need to
> do with my named.conf file or the DNS records?

DNS records:  None at all.  If you follow what a caching
recursive-resolver nameserver is, the reason will be apparent:  That's a
nameserver that is not itself purporting to be authoritative for any
domain.  It knows about DNS reference records (RRs) only what it queries
from _other_ nameservers that are in the chain of authority for those

named.conf file:  _Should_ be none at all.  Be aware that, on many well
architected distros (**cough Debian cough**), the admin should never
need to touch the named.conf file itself, in any event:  On such
distros, any site-specific options should be entered into a separate
file such as named.conf.options (which then is #include'd from
named.conf).  Authoritative data if any, i.e., location of zonefiles, 
typically goes into a separate #include file, such as named.conf.local.

Please see one of my earlier posts for suggestions about what should and
should not go into BIND9 options.  To recap:  1.  You want to carefully
avoid requiring BIND9 to originate queries from a fixed port (e.g., 53), 
which fixed-port requirement can be done with a "query-source" line.  2.
You want to limit which IPs can send your nameserver recursive-queries,
using an "allow-recursioh" stanza -- which is probably there by default.
When in doubt, allow only -- the loopback IP -- to send the
nameserver recursive queries.

Those _should_ already be set correctly by default; the above
explanation is just in case, and for your general knowledge.

More information about the conspire mailing list