BIND DNS Cache Poisoning, how to update?

WholesaleDialup (Verified User, joined Sep 25, 2004, 178 messages, San Antonio, TX)
Is anyone else worried about this issue in regards to their DA servers?
http://www.kb.cert.org/vuls/id/252735

This explains how the specific version of BIND which I am running, and which I assume most other DA users are running, is vulnerable to this threat.

I used the "Update DA" link and DA updated, but I still have version named 9.2.4, which is listed as one of the versions of BIND which is vulnerable.

Is this something we should ignore? If not, what is the safe way to update this?

I am running CentOS 4.4 with only the software originally installed and since updated by DA. OK, I do have Webmin installed but that's the only deviation from plain Vanilla DA install.

Any thoughts, opinions or flames welcome..
 
The DirectAdmin update doesn't update anything except DirectAdmin. To update BIND you should use yum. Make sure that when you do that you do NOT update or install the chroot files. See your excludes line in /etc/yum.conf.

RedHat and CentOS do NOT rename programs when they fix them; they add suffixes. So if you've got the latest file installed by yum, you're fine.

However this should really be a moot point: you should NOT be running your local nameserver as a caching nameserver.

Jeff
 
However this should really be a moot point: you should NOT be running your local nameserver as a caching nameserver.

Jeff

How do I know if I am running named as a caching nameserver?

If I prove that I am not, are you saying that I have no worries with this vulnerability?

Thanks for your help Jeff..
 
The DirectAdmin update doesn't update anything except DirectAdmin. To update BIND you should use yum. Make sure that when you do that you do NOT update or install the chroot files. See your excludes line in /etc/yum.conf.


I have run "yum update bind" & "yum update bind" on another non-DA machine just to be safe; it doesn't grab a newer version of bind, nor does it append the _2 or whatever indicating a patched version. I also ran a complete "yum update" on the non-DA machine and still have the same version of bind/named running. The DA machine and the other non-DA machine I have been testing with both run the same version of CentOS.

Regarding the exclude line in yum.conf on the DA machine, I see:
named*. What would I change this to, to allow named to be safely updated on DA?

I am guessing named-* would do it?

Then run "yum update named" at the command line?

Honestly, I have Zero desire to update if this isn't something I should be worrying about. I have just learned over the years to not sit and wait to get your server hammered due to some vulnerability.

Thanks again..
 
First ... yum will NOT update something that's not installed.

So your first step is to see which RPMs you've got installed:
Code:
$ rpm -qa | grep name
$ rpm -qa | grep bind
On my servers I have only the following installed:
Code:
bind-libs-9.2.4-30.el4
bind-utils-9.2.4-30.el4
bind-9.2.4-30.el4
ypbind-1.17.2-13
So you can leave named* in the exclude line.

Do you have caching-nameserver? If so, remove it; but before you do save these files:
Code:
/etc/sysconfig/named
/etc/named*
/var/named/*
(For the last one don't forget to save all the subdirectories, etc.)

Then check to see if you have to restore any of the files.

Second, check to see if your nameserver does recursion; you don't need to run a test to see if it is; all you need to do is:
Code:
$ dig @localhost +short www.nobaloney.net
If it returns an IP# it's a caching (recursive) nameserver. If it doesn't, it's not.

If it is, look at the top section (the options section) of your /etc/named.conf file. Don't worry if it says in a comment at the top that it's a "caching nameserver"; the ability to cache (do recursive lookups) can be turned off without removing a comment :).

Ours has the line:
Code:
recursion no;
just before the }; line that ends the section. There are other ways of doing it, but this way keeps the server from doing recursive lookups for anyone.

If you're going to do it be sure your /etc/resolv.conf file has two other nameservers in it and doesn't have yours.

After you've made any changes restart BIND, and then try that lookup above, again, and afterwards a lookup for a domain on the server. The former shouldn't work; the latter should, or you've done something wrong.

Jeff
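The procedure above (check the options block for "recursion no;", make sure /etc/resolv.conf points at two other nameservers and not your own, then restart and re-test) can be checked offline before you touch a live server. The script below is an added example written for this thread, not code from DirectAdmin, BIND or the poster. It runs on constructed sample files standing in for /etc/named.conf and /etc/resolv.conf: a "before" pair resembling the caching-nameserver defaults and an "after" pair with recursion turned off. The server IP 192.0.2.10 and the resolver addresses are assumed for the demonstration. It only recognises the "recursion no;" statement (BIND's default is recursion yes, so a missing statement counts as enabled); other ways of restricting recursion such as allow-recursion are not parsed, and the live check is still the dig query from the post.

```bash
#!/bin/sh
# Added example (not from the thread): offline pre-flight checks for
# turning an authoritative-only BIND server's recursion off.

# Print "recursion no" if the options { ... } block of a named.conf contains
# "recursion no;", otherwise "recursion yes" (BIND's default).  Comments are
# stripped first so a commented-out statement does not count; braces are
# counted so nested blocks inside options do not end the scan early.
named_recursion() {
    awk '
        { sub(/\/\/.*$/, ""); sub(/#.*$/, "") }            # drop // and # comments
        !inopt && /^[ \t]*options[ \t]*\{/ { inopt = 1 }    # entering options { }
        inopt {
            if ($0 ~ /^[ \t]*recursion[ \t]+no[ \t]*;/) found = 1
            depth += gsub(/\{/, "{")                        # count opened braces
            depth -= gsub(/\}/, "}")                        # and closed ones
            if (depth <= 0) inopt = 0                       # left options { }
        }
        END { print (found ? "recursion no" : "recursion yes") }
    ' "$1"
}

# Print "ok" if a resolv.conf lists at least two nameservers and none of them
# is this host (127.0.0.1, ::1 or the address passed as $2); otherwise "bad".
# With recursion off, a resolv.conf that still names this server would leave
# the box unable to resolve anything for itself.
resolv_check() {
    awk -v self="$2" '
        $1 == "nameserver" {
            total++
            if ($2 == "127.0.0.1" || $2 == "::1" || $2 == self) self_hits++
        }
        END { if (total >= 2 && self_hits == 0) print "ok"; else print "bad" }
    ' "$1"
}

# Constructed sample files for the demonstration (not real configs).
make_samples() {
    dir="$1"
    # Before: caching-nameserver style defaults, no recursion statement at all.
    cat > "$dir/named.conf.before" <<'EOF'
// caching nameserver defaults (constructed sample)
options {
    directory "/var/named";
    allow-transfer { 192.0.2.2; };
};
zone "example.com" { type master; file "example.com.db"; };
EOF
    # After: same server, recursion refused for everyone, as the post describes.
    cat > "$dir/named.conf.after" <<'EOF'
// authoritative only (constructed sample)
options {
    directory "/var/named";
    allow-transfer { 192.0.2.2; };
    recursion no;   // refuse recursive lookups for anyone
};
zone "example.com" { type master; file "example.com.db"; };
EOF
    # resolv.conf pointing at the local server (wrong once recursion is off).
    cat > "$dir/resolv.conf.before" <<'EOF'
nameserver 127.0.0.1
EOF
    # resolv.conf pointing at two other (assumed) resolvers.
    cat > "$dir/resolv.conf.after" <<'EOF'
nameserver 192.0.2.53
nameserver 198.51.100.53
EOF
}

# Run the checks over both sample sets; 192.0.2.10 is the assumed server IP.
tmp=$(mktemp -d)
make_samples "$tmp"
for state in before after; do
    echo "named.conf.$state:  $(named_recursion "$tmp/named.conf.$state")"
    echo "resolv.conf.$state: $(resolv_check "$tmp/resolv.conf.$state" 192.0.2.10)"
done
rm -rf "$tmp"
```

On a real box, point the two functions at /etc/named.conf and /etc/resolv.conf, run named-checkconf (shipped with BIND 9) on the edited file before restarting, and only then repeat the dig test from the post: the lookup of an outside name should fail and a lookup of a zone you host should still answer.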
 
Jeff is right and has provided a simple way to check. Your DirectAdmin server is an *authoritative* DNS server and should not be used as a recursive DNS server. This means that individual computers/hosts should not have the IP of your DA server as one of its resolvers. Only queries for domains you are hosting should hit your DA DNS server.
 
Jeff,

Thanks for all the help.. I am just new to BIND, I finally after all these years got away from MS DNS. I have been using it on DA since I started using DA but most of my other non DA DNS dealings have been with MS DNS. I am happy to get away from it but I am in the middle of the learning process with BIND.

Thanks for all your help and the VERY detailed write-up.

I will work through it a bit later tonight as soon as I clear a few other things I need to get done.
 
So does this mean that DirectAdmin's setup script doesn't install BIND for you?

I initially thought it did (scratches head).
 
If it does, then it definitely does it only if BIND isn't already installed. Because we always install BIND from RPM at OS install time, and DirectAdmin has never installed BIND for us.

Jeff
 
Hello,

Correct, DA only installs bind if it's not there. It's part of the setup.sh script.

John
 