Bind / named security
Posted: Mon Jan 06, 2003 12:40 am    Post subject: Bind / named security

• Zone transfers should only be permitted by master name servers to update the zone
(domain) information in their slave servers. Failure to do so may result in IP numbers and
hostnames being revealed to unauthorized users. Restrict queries to only public domains.
Suitable for name servers with both public and private zones.

// Allow transfer only to our slave name server. Allow queries
// only by hosts in the network.
zone "mydomain.com" {
    type master;
    file "master/db.mydomain.com";
    allow-transfer {; };
    allow-query {; };
};

• Deny and log queries for our version number except from the local host. The ability to
determine the BIND version enables an attacker to find the corresponding exploit for that

// Disable the ability to determine the version of BIND running
zone "bind" chaos {
    type master;
    file "master/bind";
    allow-query { localhost; };
};

The ./master/bind file should then contain:

$TTL 1d
@   CHAOS   SOA localhost. root.localhost. (
                1   ; serial
                3H  ; refresh
                15M ; retry
                1W  ; expire
                1D ) ; minimum
            NS  localhost.

• Control which interfaces named listens on. Restricting the interfaces on which named
runs can limit the exposure to only the necessary networks.
options {
    listen-on {; };
};

• Use Access Control Lists to classify groups of hosts with differing degrees of trust. The
“internal” ACL label might be used to describe internal hosts that are permitted a greater
degree of access to the information than other hosts might be. Before it can be used it
must be defined:

acl "internal" {
    ; ;
};

It can then be used in “zone” statements or the main “options” statement:
zone "inside.mynet.com" {
    type master;
    file "master/inside.mynet.com";
    allow-query { "internal"; };
};

• Configure BIND to run as a normal user. Once BIND has been started, it has the ability
to relinquish its privileges, and run as a user with limited abilities instead of root.
# groupadd -r named
# useradd -M -r -d /var/named -s /bin/false -g named named

This account should be used for nothing other than running the name server. Ensure the
zone files are readable by the named user. It is then necessary to modify the default
named init script, typically found in /etc/rc.d/init.d/named on Red Hat or
/etc/init.d/named on Debian:
/usr/sbin/named -u named -g named
# BIND 8 syntax: with BIND 9, -g takes no argument (it means "run in the foreground"),
# so use only -u named; the group is taken from the named user's primary group.

It is also possible to run named in a “chroot jail” which helps to restrict the damage that
can be done should named be subverted.
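The checklist above can be turned into an automated review of a named.conf. The following is an added example, not code from the post: a small Python audit that parses options and zone blocks and reports master zones without allow-transfer or allow-query, a missing listen-on, and an unrestricted version.bind (hidden either by the post's chaos zone or by BIND 9's version option). The sample configuration is constructed for the example; addresses are documentation ranges.

```python
import re

# Constructed sample named.conf (not from the forum post): the chaos "bind" zone and
# example.com follow the checklist, inside.example.com omits allow-transfer and allow-query.
SAMPLE_CONF = '''
options { directory "/var/named"; listen-on { 127.0.0.1; 192.0.2.10; }; };
acl "internal" { 127.0.0.1; 192.0.2.0/24; };
zone "bind" chaos { type master; file "master/bind"; allow-query { localhost; }; };
zone "example.com" { type master; file "master/db.example.com";
                     allow-transfer { 192.0.2.20; }; allow-query { "internal"; }; };
zone "inside.example.com" { type master; file "master/inside.example.com"; };
'''

# Start of an options block or a zone block (zone name, optional class, opening brace).
BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)"(?:\s+(\w+))?)\s*\{')

def _body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def audit_named_conf(conf):
    """Return one finding per checklist item the configuration misses."""
    findings, listen_on, version_hidden = [], False, False
    for m in BLOCK_RE.finditer(conf):
        body = _body(conf, m.end() - 1)
        if m.group(1) == "options":
            listen_on = "listen-on" in body
            # BIND 9 can also hide the version with the 'version' option instead of a chaos zone
            version_hidden |= re.search(r'\bversion\s+"', body) is not None
            continue
        name, zclass = m.group(2), (m.group(3) or "IN").upper()
        if zclass == "CHAOS" and name.lower() == "bind":
            version_hidden = True   # the post's chaos zone answers version.bind queries
            continue
        if not re.search(r"\btype\s+master\s*;", body):
            continue                # transfer restrictions apply to master zones
        if "allow-transfer" not in body:
            findings.append(f'zone "{name}": no allow-transfer; any host may request an AXFR')
        if "allow-query" not in body:
            findings.append(f'zone "{name}": no allow-query; queries are accepted from any host')
    if not listen_on:
        findings.append("options: no listen-on; named will listen on every interface")
    if not version_hidden:
        findings.append("version.bind is not restricted; the BIND version is disclosed")
    return findings
```

Run it against a real configuration with `audit_named_conf(open("/etc/named.conf").read())`; an empty list means every item on the checklist is present.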