BIND DNS Security Vulnerabilities and Configuration

DNS version upgrade and security settings
Outline

Bind version upgrade
    Available versions
    BIND 9 Security Vulnerability Matrix
    ISC mailing lists
    Manual compilation
Bind security settings
    Access control list
    Restricting source query requests
    Rate limit
    Zone transfer restriction
    TSIG zone transfer
Bind version upgrade (1): Available versions

9.9.9, 9.10.4, 9.11.0
Bind version upgrade (2): BIND 9 Security Vulnerability Matrix
Bind version upgrade (3): ISC mailing lists

bind-announce: new release notices and CVE notices
bind-users: questions from Bind users
Bind version upgrade (4): Manual compilation

Build environment requirements: gcc, make, openssl, libxml2
Obtain the existing build configuration with named -Version:
$ named -Version
BIND 9.9.9-P3 (Extended Support Version) <id:1b68143>
running on Linux x86_64 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-ipv6' '--enable-threads' '--enable-rrl'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
Bind version upgrade (5): Manual compilation and installation

Extract the source archive
Run ./configure with the build parameters
Run make
If you compiled on the DNS host itself, go straight to the installation step; if you compiled on a separate build host, package the whole bind source directory, copy it to the DNS host, and then proceed
Installation: stop the bind service, run make install, then start the bind service
Reference: Getting started with BIND - how to build and run named with a basic recursive configuration
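When rebuilding by hand, the configure flags of the running named should normally be carried over. The following Python snippet is an added example (not part of the original slides): it parses the named -Version output quoted above, reassembles the ./configure command, and checks for --enable-rrl, which BIND 9.9 needs at build time for the rate-limit settings shown later in this deck (that required-flag list is an assumption of the example).

```python
"""Recover the configure flags of an installed named from 'named -Version' output.

Added example, not part of the original slides. The sample text below is the
output shown on the slide, reproduced line by line.
"""
import shlex

NAMED_V_OUTPUT = """\
BIND 9.9.9-P3 (Extended Support Version) <id:1b68143>
running on Linux x86_64 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-ipv6' '--enable-threads' '--enable-rrl'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
"""

BUILT_PREFIX = "built by make with "


def parse_named_version(output):
    """Return (version, configure_flags) parsed from named -Version text."""
    version, flags = None, []
    for line in output.splitlines():
        if line.startswith("BIND "):
            version = line.split()[1]          # e.g. 9.9.9-P3
        elif line.startswith(BUILT_PREFIX):
            # Flags are single-quoted tokens; shlex keeps values with spaces intact.
            flags = shlex.split(line[len(BUILT_PREFIX):])
    return version, flags


def configure_command(flags, extra=()):
    """Build the ./configure line that reproduces (or extends) the existing build."""
    return " ".join(["./configure"] + [shlex.quote(f) for f in list(flags) + list(extra)])


def build_mismatch(flags, required=("--enable-rrl",)):
    """List required flags missing from the build.

    Assumption of this example: in BIND 9.9 the rate-limit block only works
    when named was built with --enable-rrl, so a rebuild must keep it.
    """
    return [r for r in required if r not in flags]


if __name__ == "__main__":
    ver, fl = parse_named_version(NAMED_V_OUTPUT)
    print(ver, configure_command(fl), build_mismatch(fl))
```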
 
Bind security settings (1): Access control list

acl acl-name {
        address_match_list
};

acl "allowips" {
        10.0.1.1;
        192.168.0.0/30;  // 4 IPs
};

zone "example.com" {
        type slave;
        file "slave.example.com";
        allow-notify { "allowips"; };
};
Bind security settings (2): Restricting source query requests

allow-query in /etc/named.conf:

options {
        allow-query { any; };
};

recursion in /etc/named.conf:

options {
        recursion no;
};
Bind security settings (3): Rate limit

options {
        rate-limit {
                responses-per-second 10;
                nxdomains-per-second 5;
                exempt-clients {
                        61.220.0.0/20;
                        173.194.93.0/24;
                };
                log-only no;
        };
};
logging {
        channel rate_log {
                file "/Path/to/log" versions 3 size 10m;
                severity info;
                print-severity no;
                print-time     yes;
        };
        category rate-limit { rate_log;};
};
Bind security settings (4): Zone transfer restriction

/etc/named.conf:

options {
        allow-transfer {
                192.168.0.1;
                10.0.1.1;
        };
};
Bind security settings (5): TSIG zone transfer, master

/etc/named.conf:

key "KEYNAME" {
        algorithm hmac-md5;
        secret "KEY_STRING";
};
options {
        allow-transfer {
                key KEYNAME;
        };
};
Bind security settings (6): TSIG zone transfer, slave

/etc/named.conf:

key "KEYNAME" {
        algorithm hmac-md5;
        secret "KEY_STRING";
};
server Master_IP_address {
        keys { KEYNAME; };
};
Bind security settings (7): TSIG zone transfer, log

Slave:
dd-mm-YYYY HH:MM:SS.sss zone DomainName/IN: Transfer started.
dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: connected using Slave_IP_address#54518
dd-mm-YYYY HH:MM:SS.sss zone DomainName/IN: transferred serial 1479862862: TSIG 'KEYNAME'
dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: Transfer status: success
dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: Transfer completed: 1 messages, 6 records, 279 bytes, 0.001 secs (279000 bytes/sec)

Master:
dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (DomainName): transfer of 'DomainName/IN': AXFR-style IXFR started: TSIG KEYNAME
dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (DomainName): transfer of 'DomainName/IN': AXFR-style IXFR ended
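The master-side lines above are what a defender can audit: every transfer start should carry the expected TSIG key and come from a known slave. The following Python snippet is an added example (not from the original slides) that parses lines in that format and reports unsigned transfers, transfers signed with a key not authorised for the zone, and transfers to addresses outside the slave list; the zone example.com, the key KEYNAME, the address policy and the sample log lines are all constructed for the example.

```python
"""Audit BIND master (xfrout) log lines for unsigned or unexpected zone transfers.

Added example, not from the original slides. The policy tables and the log
lines are constructed to follow the format shown on the slide.
"""
import re

# Constructed policy: which TSIG keys may pull each zone, and the known slaves.
ALLOWED_KEYS = {"example.com": {"KEYNAME"}}
ALLOWED_SLAVES = {"192.168.0.1", "10.0.1.1"}

# "client IP#port[/key NAME] (zone): transfer of 'zone/IN': <kind> started[: TSIG NAME]"
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?:/key (?P<key>\S+))? \((?P<zone>[^)]+)\): "
    r"transfer of '[^/]+/IN': (?:AXFR(?:-style IXFR)?|IXFR) started"
    r"(?:: TSIG (?P<tsig>\S+))?$"
)


def audit_transfer(line):
    """Return findings for one log line; lines that are not transfer starts give []."""
    m = LINE_RE.search(line)
    if not m:
        return []
    ip, zone, tsig = m["ip"], m["zone"], m["tsig"]
    findings = []
    if tsig is None:
        findings.append(f"{zone}: unsigned transfer from {ip} (no TSIG)")
    elif tsig not in ALLOWED_KEYS.get(zone, set()):
        findings.append(f"{zone}: transfer signed with unexpected key {tsig} from {ip}")
    if ip not in ALLOWED_SLAVES:
        findings.append(f"{zone}: transfer to non-slave address {ip}")
    return findings


def audit_log(lines):
    """Run audit_transfer over every line and flatten the findings."""
    return [f for line in lines for f in audit_transfer(line)]


# Constructed sample log: one good signed transfer, one unsigned pull from an
# unknown address, and one signed with a key that is not authorised for the zone.
SAMPLE_LOG = [
    "23-11-2016 10:21:02.123 client 192.168.0.1#54518/key KEYNAME (example.com): transfer of 'example.com/IN': AXFR-style IXFR started: TSIG KEYNAME",
    "23-11-2016 10:21:02.125 client 192.168.0.1#54518/key KEYNAME (example.com): transfer of 'example.com/IN': AXFR-style IXFR ended",
    "23-11-2016 10:25:40.002 client 203.0.113.7#41000 (example.com): transfer of 'example.com/IN': AXFR started",
    "23-11-2016 10:30:01.500 client 10.0.1.1#50012/key oldkey (example.com): transfer of 'example.com/IN': AXFR started: TSIG oldkey",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```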
Thank you
Dive into the world of BIND DNS with a focus on security vulnerabilities, zone transfer restrictions, rate limiting, and essential configuration options. Explore key topics such as ISC mailing lists, CVE announcements, and best practices for setting up BIND DNS servers.

Uploaded on Sep 07, 2024

