Linux Archive

Source: http://www.linux-archive.org/debian-user/509736-question-about-bind9-clueless-paranoid.html

Paul E Condon 04-04-2011 01:13 PM

question about bind9 from a clueless paranoid
 
I'm running Wheezy on several i386 boxes. Over the weekend I installed
bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
I noticed a comment in /etc/bind/named.conf.options (this is a file
that had just been installed by the bind9 package):

// ports to talk. See http://www.kb.cert.org/vuls/id/800113

I look at the page at the URL. It concerns poisoning of the DNS cache.
Debian is listed as being vulnerable and my D-Link DI-604 as unknown
vulnerability. The document dates from 2008, and my D-Link router was
purchased in 2004. It seems serious to this somewhat clueless geezer
so I decide to investigate further.

But I can't find any information more recent than 2008 by
googling. Surely there have been some more recent developments.
What has happened? Surely something has happened, but I find nothing.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110404131357.GC14745@big.lan.gnu

Camaleón 04-04-2011 03:35 PM

question about bind9 from a clueless paranoid
 
On Mon, 04 Apr 2011 07:13:57 -0600, Paul E Condon wrote:

> I'm running Wheezy on several i386 boxes. Over the weekend I installed
> bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
> I noticed a comment in /etc/bind/named.conf.options (this is a file that
> had just been installed by the bind9 package):
>
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> I look at the page at the URL. It concerns poisoning of the DNS cache.
> Debian is listed as being vulnerable

It should not be vulnerable... at least wheezy:

http://www.kb.cert.org/vuls/id/MIMG-7ECL6S

> and my D-Link DI-604 as unknown
> vulnerability. The document dates from 2008, and my D-Link router was
> purchased in 2004. It seems serious to this somewhat clueless geezer so
> I decide to investigate further.

You can ask D-Link for a firmware update but I can guess the answer:
"your product has been discontinued; please update (aka: buy) to another
supported one".

BTW, none of my routers are listed there ;-(

> But I can't find any information more recent than 2008 by googling.
> Surely there have been some more recent developments. What has happened?
> Surely something has happened, but I find nothing.

I remember it was a much-discussed notice when it was disclosed (that was
Kaminsky's DNS bug, right?).

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2011.04.04.15.35.48@gmail.com

Tom H 04-04-2011 05:20 PM

question about bind9 from a clueless paranoid
 
On Mon, Apr 4, 2011 at 9:13 AM, Paul E Condon <pecondon@mesanetworks.net> wrote:
> I'm running Wheezy on several i386 boxes. Over the weekend I installed
> bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
> I noticed a comment in /etc/bind/named.conf.options (this is a file
> that had just been installed by the bind9 package):
>
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> I look at the page at the URL. It concerns poisoning of the DNS cache.
> Debian is listed as being vulnerable and my D-Link DI-604 as unknown
> vulnerability. The document dates from 2008, and my D-Link router was
> purchased in 2004. It seems serious to this somewhat clueless geezer
> so I decide to investigate further.
>
> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.
> What has happened? Surely something has happened, but I find nothing.

http://lists.debian.org/debian-security-announce/2008/msg00184.html


Archive: http://lists.debian.org/BANLkTinq0AVJ=pg0Ok1-9BBj6jJAFzXwww@mail.gmail.com

Brian 04-04-2011 06:05 PM

question about bind9 from a clueless paranoid
 
On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:

> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.
> What has happened? Surely something has happened, but I find nothing.

The problem you might face will not lie with bind9 but with your router.
Source port randomization by the name server fixes cache poisoning
attacks on it. However, it is highly likely your router de-randomises
the queries due to NAT and PAT. Mine does and I do wonder whether any
more modern device intended for home use does any better. Data are not
readily available, but it's not unlikely manufacturers see little to gain
by altering their firmware.

I came to the conclusion there was no risk to the server (unbound in my
case) as long as the server was not answering queries from outside my
network. Reassurance would be welcome but I'm pretty sure of that.

Part of my testing was done at

https://www.grc.com/dns/dns.htm

First with my ISP's servers in /etc/resolv.conf and then replacing them
with 127.0.0.1 and forwarding port 53 on the router to the machine
running unbound.


Archive: http://lists.debian.org/20110404180551.GS7935@desktop

Paul E Condon 04-06-2011 05:24 AM

question about bind9 from a clueless paranoid
 
On 20110404_190551, Brian wrote:
> On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:
>
> > But I can't find any information more recent than 2008 by
> > googling. Surely there have been some more recent developments.
> > What has happened? Surely something has happened, but I find nothing.
>
> The problem you might face will not lie with bind9 but with your router.
> Source port randomization by the name server fixes cache poisoning
> attacks on it. However, it is highly likely your router de-randomises
> the queries due to NAT and PAT. Mine does and I do wonder whether any
> more modern device intended for home use does any better. Data are not
> readily available, but it's not unlikely manufacturers see little to gain
> by altering their firmware.
>
> I came to the conclusion there was no risk to the server (unbound in my
> case) as long as the server was not answering queries from outside my
> network. Reassurance would be welcome but I'm pretty sure of that.
>
> Part of my testing was done at
>
> https://www.grc.com/dns/dns.htm

Thanks for this! But there is a lot to read (and hopefully understand).
One specific question: what is meant by 'unbound' in this context?

>
> First with my ISP's servers in /etc/resolv.conf and then replacing them
> with 127.0.0.1 and forwarding port 53 on the router to the machine
> running unbound.
And again here?


Archive: http://lists.debian.org/20110406052447.GD14745@big.lan.gnu

Brian 04-06-2011 11:14 AM

question about bind9 from a clueless paranoid
 
On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:

> On 20110404_190551, Brian wrote:
> > I came to the conclusion there was no risk to the server (unbound in my
> > case) as long as the server was not answering queries from outside my
> > network. Reassurance would be welcome but I'm pretty sure of that.
> >
> > Part of my testing was done at
> >
> > https://www.grc.com/dns/dns.htm
>
> Thanks for this! But there is a lot to read (and hopefully understand).
> One specific question: what is meant by 'unbound' in this context?

Unbound is a DNS server; an alternative to BIND.

> > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > running unbound.
> And again here?

Forwarding on the router isn't necessary to test the effect the router
has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
is no forwarding of DNS requests to another resolver. Edit resolv.conf to
use only 'nameserver 127.0.0.1'. Start BIND.

http://entropy.dns-oarc.net/test/

is quicker than grc.com to return a test result. You'll likely get a
rating of POOR but, assuming queries from the internet are not served,
your DNS cache cannot be poisoned because there is no access to it from
the outside.


Archive: http://lists.debian.org/20110406111404.GU7935@desktop

Paul E Condon 04-06-2011 06:20 PM

question about bind9 from a clueless paranoid
 
On 20110406_121404, Brian wrote:
> On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:
>
> > On 20110404_190551, Brian wrote:
> > > I came to the conclusion there was no risk to the server (unbound in my
> > > case) as long as the server was not answering queries from outside my
> > > network. Reassurance would be welcome but I'm pretty sure of that.
> > >
> > > Part of my testing was done at
> > >
> > > https://www.grc.com/dns/dns.htm
> >
> > Thanks for this! But there is a lot to read (and hopefully understand).
> > One specific question: what is meant by 'unbound' in this context?
>
> Unbound is a DNS server; an alternative to BIND.

OK, it's a pun ;-). Clueless I am.

>
> > > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > > running unbound.
> > And again here?
>
> Forwarding on the router isn't necessary to test the effect the router
> has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
> is no forwarding of DNS requests to another resolver. Edit resolv.conf to
> use only 'nameserver 127.0.0.1'. Start BIND.
>
To do this usefully, I have to first figure out how to configure my newly
installed instance of BIND9. Correct? I don't think I'm there yet...

> http://entropy.dns-oarc.net/test/
This gave me a passing grade on the DNS resolver run by my ISP.
But there was one duplicate port number in the sample of 25 tries.
Maybe I should not worry, but I'm still curious about how the
system actually works.

Thanks for the pointer. Very fast.

>
> is quicker than grc.com to return a test result. You'll likely get a
> rating of POOR but, assuming queries from the internet are not served,
> your DNS cache cannot be poisoned because there is no access to it from
> the outside.

This contains information that's new to me. You seem to be saying
that my copy of BIND on my computer is building its own internal
cache. I don't see any reason why it couldn't contain a cache, but I
haven't read anywhere that it actually *does* have a cache
internally. Does it contain a cache?

Thanks.

--
Paul E Condon
pecondon@mesanetworks.net


Archive: http://lists.debian.org/20110406182042.GA963@big.lan.gnu
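The two checks Brian describes (whether the source ports a NAT lets out still look random, and whether the BIND configuration itself pins the query port) and Paul's question about what one duplicate in 25 samples means can be modelled offline. The following is an added example, not code from the thread, from Debian or from the online testers; the port range, the POOR/GOOD rule and the named.conf.options fragments are this example's own assumptions, and the rating logic does not reproduce what entropy.dns-oarc.net or grc.com actually compute. It also shows a point the thread only implies: a sequential NAT produces no duplicates at all, so "no repeated ports" is not evidence of randomness.

```python
"""Model source-port randomization as seen from the Internet, the birthday
bound on repeated ports, and a check for a pinned BIND query port.
All sample data below is constructed for illustration."""
import random
import re

# Assumed draw range for the resolver: the non-privileged ports.
PORT_RANGE = range(1024, 65536)


def randomized_ports(n, seed=2011):
    """A post-2008 resolver: a fresh random source port for every query.
    The seed is fixed so the sample is reproducible."""
    rng = random.Random(seed)
    return [rng.choice(PORT_RANGE) for _ in range(n)]


def nat_rewritten_ports(ports, first_port=1024):
    """A NAT/PAT box that hands out outbound ports sequentially: the
    resolver's randomness never reaches the Internet."""
    return [first_port + i for i in range(len(ports))]


def is_sequential(ports):
    """True when every consecutive pair differs by the same non-zero step."""
    if len(ports) < 3:
        return False
    step = ports[1] - ports[0]
    return step != 0 and all(b - a == step for a, b in zip(ports, ports[1:]))


def port_report(ports):
    """Summarise a captured sample in the style of the online testers."""
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    sequential = is_sequential(ports)
    # Rating rule is this example's own: a predictable ordering or a narrow
    # spread is POOR no matter how many distinct values appeared.
    poor = sequential or spread < len(PORT_RANGE) // 4
    return {
        "samples": len(ports),
        "distinct": distinct,
        "duplicates": len(ports) - distinct,
        "spread": spread,
        "sequential": sequential,
        "rating": "POOR" if poor else "GOOD",
    }


def collision_probability(n, range_size):
    """Birthday bound: P(at least one repeated port among n uniform draws)."""
    p_no_repeat = 1.0
    for i in range(n):
        p_no_repeat *= (range_size - i) / range_size
    return 1.0 - p_no_repeat


# Matches BIND's `query-source [address A] port N;` (port * means random).
_QUERY_SOURCE = re.compile(
    r"query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\d+|\*)\s*;")


def fixed_query_source_port(config_text):
    """Return the port pinned by an active `query-source ... port N;`
    statement, or None. Comments are stripped first so a commented-out
    line does not count."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    text = re.sub(r"(//|#).*", "", text)
    m = _QUERY_SOURCE.search(text)
    if m and m.group(1) != "*":
        return int(m.group(1))
    return None


# Constructed named.conf.options fragments (not Debian's shipped file).
PINNED_CONFIG = """
options {
    directory "/var/cache/bind";
    query-source address * port 53;   // pins every outgoing query to 53
};
"""
DEFAULT_CONFIG = """
options {
    directory "/var/cache/bind";
    // query-source address * port 53;
    auth-nxdomain no;
};
"""

if __name__ == "__main__":
    resolver_sample = randomized_ports(25)
    internet_sample = nat_rewritten_ports(resolver_sample)
    print("at the resolver :", port_report(resolver_sample))
    print("seen past the NAT:", port_report(internet_sample))
    print("P(>=1 repeat in 25 draws from %d ports) = %.4f"
          % (len(PORT_RANGE), collision_probability(25, len(PORT_RANGE))))
    print("pinned port, PINNED_CONFIG :", fixed_query_source_port(PINNED_CONFIG))
    print("pinned port, DEFAULT_CONFIG:", fixed_query_source_port(DEFAULT_CONFIG))
```

For the full assumed range, the birthday bound gives well under one percent for a single repeat in 25 draws, so one duplicate is unusual but not by itself proof of a narrow range; the sequential NAT sample, by contrast, has zero duplicates and still rates POOR, which is why the online testers look at the distribution and ordering of ports rather than only at repeats.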

Brian 04-06-2011 10:16 PM

question about bind9 from a clueless paranoid
 
On Wed 06 Apr 2011 at 12:20:42 -0600, Paul E Condon wrote:

> To do this usefully, I have to first figure out how to configure my newly
> installed instance of BIND9. Correct? I don't think I'm there yet...

If all you want to do is have named do lookups and cache the replies, it
works without changing the installed configuration. Forwarders can be
designated in /etc/bind/named.conf.options.

> This contains information that's new to me. You seem to be saying
> that my copy of BIND on my computer is building its own internal
> cache. I don't see any reason why it couldn't contain a cache, but I
> haven't read anywhere that it actually *does* have a cache
> internally. Does it contain a cache?

The README.Debian mentions it. The cache is kept in memory for a certain
length of time. Run, for example, 'dig debian.net' twice and look at the
Query Time. The second value should be close to 0 ms.


Archive: http://lists.debian.org/20110406221619.GV7935@desktop