Understanding BIND DNS Security Vulnerabilities and Configuration

Dive into the world of BIND DNS with a focus on security vulnerabilities, zone transfer restrictions, rate limiting, and essential configuration options. Explore key topics such as ISC mailing lists, CVE announcements, and best practices for setting up BIND DNS servers.

• BIND DNS
• Security
• Vulnerabilities
• Configuration
• Zone Transfer

taki_11 Follow

Uploaded on Sep 07, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. DNS 1

2. Bind BIND 9 Security Vulnerability Matrix ISC mailing lists Bind Rate limit Zone Transfer TSIG Zone Transfer

3. Bind (1) 9.9.9 9.10.4 9.11.0 3

4. Bind (2) BIND 9 Security Vulnerability Matrix 4

5. Bind (3) ISC mailing lists bind-announce CVE bind-users Bind 5

6. Bind (4) gcc, make, openssl, libxm2 named Version $ named -Version BIND 9.9.9-P3 (Extended Support Version) <id:1b68143> running on Linux x86_64 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-ipv6' '--enable-threads' '--enable-rrl' compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4) compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013 compiled with libxml2 version: 2.7.6 linked to libxml2 version: 20706 6

7. Bind (5) ./configure make DNS bind DNS bind make install bind Getting started with BIND - how to build and run named with a basic recursive configuration 7

8. Bind BIND 9 Security Vulnerability Matrix ISC mailing lists Bind Rate limit Zone Transfer TSIG Zone Transfer

9. Bind (1) acl acl-name { address_match_list }; acl allowips" { 10.0.1.1; 192.168.0.0/30; // 4 IPs }; zone "example.com" { type slave; file "slave.example.com"; allow-notify { "allowips"; }; }; 9

10. Bind (2) allow-query /etc/named.conf options { allow-query { any; }; } recursion /etc/named.conf options { recursion no; } 10

11. Bind (3) Rate limit options { logging { rate-limit { channel rate_log { file "/Path/to/log" versions 3 size 10m; severity info; print-severity no; print-time yes; }; category rate-limit { rate_log;}; responses-per-second 10; nxdomains-per-second 5; exempt-clients { 61.220.0.0/20; 173.194.93.0/24; }; log-only no; }; }; }; 11

12. Bind (4) Zone Transfer /etc/named.conf options { allow-transfer { 192.168.0.1; 10.0.1.1; }; }; 12

13. Bind (5) TSIG Zone Transfer Master /etc/named.conf key KEYNAME" { algorithm hmac-md5; secret KEY_STRING"; }; options { allow-transfer { key KEYNAME; }; }; 13

14. Bind (6) TSIG Zone Transfer Slave /etc/named.conf key KEYNAME" { algorithm hmac-md5; secret KEY_STRING"; }; server Master_IP_address { keys { KEYNAME; }; }; 14

15. Bind (7) TSIG Zone Transfer Log Slave dd-mm-YYYY HH:MM:SS.sss zone DomainName/IN: Transfer started. dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: connected using Slave_IP_address#54518 dd-mm-YYYY HH:MM:SS.sss zone DomainName/IN: transferred serial 1479862862: TSIG 'KEYNAME' dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: Transfer status: success dd-mm-YYYY HH:MM:SS.sss transfer of 'DomainName/IN' from Master_IP_address#53: Transfer completed: 1 messages, 6 records, 279 bytes, 0.001 secs (279000 bytes/sec) Master dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (DomainName): transfer of 'DomainName/IN': AXFR-style IXFR started: TSIG KEYNAME dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (DomainName): transfer of 'DomainName/IN': AXFR-style IXFR ended 15

16. 16