DNS Spoofing

MadHag (Verified User, joined Aug 26, 2008, 64 messages, French Pyrenees)
Is this a Debian or a DA issue?

Synopsis :

The remote name resolver (or the server it uses upstream) may be vulnerable
to DNS cache poisoning.


Description :

The remote DNS resolver does not use random ports when making queries to
third party DNS servers.

This problem might be exploited by an attacker to poison the remote DNS
server more easily, and therefore divert legitimate traffic to arbitrary
sites.

See also :

http://www.kb.cert.org/vuls/id/800113

Solution :

Contact your DNS server vendor for a patch

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C)

Plugin output :

The ports used by **.**.**.** are not random.
An attacker may spoof DNS responses.
List of used ports :
- 53
- 53
- 53
- 53

CVE : CVE-2008-1447
BID : 30131

David
 
It is a DNS issue not specific to any operating system and certainly not a control panel.

DNS cache poisoning

If you do not use this DNS server as a caching DNS server then you don't have a problem anyway. It's mostly a problem for ISPs, not hosts.
 
When you are browsing the web, each site you go to has to be resolved to an IP address. This is usually done by your ISP. If your ISP is running a vulnerable server then its cache could become poisoned and redirect you to another server that has been made to look like the one you really want to go to.

and therefore divert legitimate traffic to arbitrary
sites.
Maybe you want to log in to your PayPal account and so you go to paypal.com, but because your ISP's DNS cache has been poisoned you are not really going to PayPal; you are going to a PayPal phishing site.

Most hosts are only serving DNS for sites they host and so are not affected by this problem.
 
You can take a look at :
http://www.cert.org/archive/pdf/dns.pdf

You can add to your named.conf (options section):

allow-transfer { none; }; (if your name servers all reside on one server; otherwise change none to the IPs of your other trusted NS)

And to avoid DNS cache poisoning add

allow-recursion { localnets; localhost; }; (or add the other NS if they are not in the same network)

Be sure also to have the latest version of BIND.
 
Ok, thanks, it's just that that was a result from a scan on MY server.
You really shouldn't be using your authoritative DNS server for resolution of outside domains. You should turn recursion off; see the immediately preceding post.

However if you do that make sure you've got at least two valid recursive servers listed in your /etc/resolv.conf file.

Jeff
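As an added illustration (not from any post in this thread), here is a named.conf options block that puts the open-resolver settings, commented out, next to the hardened allow-transfer, allow-recursion and recursion-off settings the two posts above recommend; the directory path and the 192.0.2.2 secondary address are placeholders.

```conf
// Added example, not taken from the thread: a named.conf "options" block for
// a server that is authoritative for its own zones only. The directory path
// and the 192.0.2.2 secondary address are placeholders.
options {
    directory "/var/named";   // placeholder; use your installation's path

    // Weak settings (what an open resolver looks like): anyone may send this
    // server recursive queries and anyone may pull full copies of its zones.
    //   recursion yes;
    //   allow-recursion { any; };
    //   allow-transfer { any; };

    // Hardened settings from the thread. Zone transfers go only to trusted
    // secondaries, or to nobody if every name server lives on this box.
    allow-transfer { none; };          // or { 192.0.2.2; }; for a trusted secondary

    // Answer recursive queries only for the local networks and this host
    // (localnets and localhost are BIND's built-in ACLs).
    allow-recursion { localnets; localhost; };

    // An authoritative-only server can disable recursion outright; with
    // recursion off, allow-recursion is moot but harmless. Then make sure
    // /etc/resolv.conf on this host lists two working recursive resolvers,
    // because named will no longer look up outside domains for this machine.
    recursion no;
};
```

Run named-checkconf on the file before restarting: a single missing semicolon after a closing brace is enough to keep named from starting, and the parse error it reports is the same one that ends up in /var/log/messages.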
 
Thanks for that, I entered both lines into named.conf and I no longer get the high alert warning in Nessus.

Just a clamav warning to sort out now and I will be happy.

David
 
Named stopped.

Actually, not quite out of the woods. Named is showing as stopped in DA system monitor and it will not start. Yet all my sites are still up.

Any ideas what is going on?

David
 
Actually, not quite out of the woods. Named is showing as stopped in DA system monitor and it will not start. Yet all my sites are still up.
They can't help you without any logs. Please give us some logs from named showing why it crashed.
 
What do you mean by they, daveyw? :) Personally I neither want, nor even read, huge log snippets.

MadHag, you've probably made an error in one or both of those lines.

Your /var/log/messages file will contain any errors that named is encountering which will shut it down on startup. You can simply tail the log while restarting BIND.

If you don't understand the errors post them. But not the entire logs unless daveyw intends to help you with them.

Jeff
 