Re: Forwarding to two servers

2010-08-09 Thread CLOSE Dave (DAE)
Based on suggestions here, I now have a named.conf file like this:

   options { ... };
   logging { ... };
   zone "." IN { type forward; forwarders { PUB; }; forward only; };
   zone "HOST1" { type forward; forwarders { PRIV; }; };
   zone "HOST2" { type forward; forwarders { PRIV; }; };
   # PUB and PRIV are actually IP addresses, both on the LAN (not WAN)

I think this means that simple queries for HOST1 or HOST2 (without a 
domain) will be forwarded to PRIV while all other queries will be 
forwarded to PUB. Queries forwarded to PUB will be tried with and 
without the domain search arguments from resolv.conf. Queries to PRIV 
either won't try the search domains or, since they will fail, will 
eventually try without them. If so, that is exactly what I want.

And it seems to work correctly on Fedora 13 with BIND 9.7. Does anyone 
see a hidden gotcha that will bite me later (other than the need to 
maintain the list of HOST*)?
-- 
Dave Close

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


My ISP's private address space has DNS entries available on the public net, is this right?

2010-08-09 Thread donovan jeffrey j
Greetings

My ISP has some private address space which has DNS resolution and can be 
queried from the outside world.

I asked them about this because we use this private address space and it is 
showing up in our DNS lookups. Here was their response:

> I've discussed this with our systems administrators and have been told 
> that this is performing as expected.  ISP DNS servers do contain information 
> about private addresses that are in use on our network.  If you are utilizing 
> our DNS servers, you will see resolution of private IPs to ISP hostnames when 
> appropriate.  That will not occur using external DNS servers.  You will see 
> resolution of PTD hostnames to private IPs from external servers, but not IP 
> resolution to hostnames.  As long as reverse DNS (IP to hostname) is not 
> propagating, things are functioning normally.

So even from Google Public DNS I see lookups that refer back to a private 
address space on my ISP's net.

Is that right?
-j


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Tony Finch
On Mon, 9 Aug 2010, Shiva Raman wrote:
>
>  I tried implementing dnssec using the following document
> http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

That is rather out of date: it does not cover some important BIND-9.7
DNSSEC validation features, specifically RFC 5011 automatic trust anchor
rollover, and it does not explain how to install the root trust anchor.
Also you do not need to explicitly turn on DNSSEC validation: it is on by
default but only works if you have configured one or more trust anchors.

Here is my recent how-to: http://fanf.livejournal.com/107310.html

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
NORTH FITZROY SOLE: WEST OR SOUTHWEST, BECOMING CYCLONIC IN SOLE, 4 OR 5,
INCREASING 5 TO 7. MODERATE OR ROUGH. RAIN. MODERATE OR GOOD, OCCASIONALLY
POOR.


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Matus UHLAR - fantomas
>>>> Allow bind to use as wide a range of port numbers as possible for UDP
>>>> traffic.
>>
>> On 09.08.10 17:14, Shiva Raman wrote:
>>> Yes this is allowed in the firewall.
>>
>> note that bind also should not have "port" option in query-source statement.

On 09.08.10 14:08, Wolfgang Solfrank wrote:
> In addition, be careful with the use of NAT on your firewall.  This will
> probably unrandomize the port numbers on your outgoing requests.

This was mentioned in a previous e-mail; I added that BIND should also be
properly configured  ;-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Torsten
Am Mon, 09 Aug 2010 14:08:26 +0200
schrieb Wolfgang Solfrank :

> >>> Allow bind to use as wide a range of port numbers as possible for
> >>> UDP traffic.
> >
> > On 09.08.10 17:14, Shiva Raman wrote:
> >> Yes this is allowed in the firewall.
> >
> > note that bind also should not have "port" option in query-source
> > statement.
> 
> In addition, be careful with the use of NAT on your firewall.  This
> will probably unrandomize the port numbers on your outgoing requests.
> 
> Ciao,
> Wolfgang


Port deviation could easily be tested via porttest.dns-oarc.net

dig +short @127.0.0.1 porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with
std dev 19687"


Every result other than "GREAT" should alert you.


Also, to check whether DNSSEC is working or not, send a recursing query
to your resolver and check the returned flags for ad.


[t...@daddelkiste ~]$ dig +dnssec @127.0.0.1 iis.se a

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec @127.0.0.1 iis.se a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iis.se.                        IN      A

;; ANSWER SECTION:
iis.se.                 21      IN      A       212.247.7.218
iis.se.                 21      IN      RRSIG   A 5 2 60 20100815115001 20100805115001 53249 iis.se.
pWMYsqufhD4RkHX6IltLOcxMob3rNpc1+UnXZKgOMsO5HgbtIjALoq9+
ReqKziKev3PiEBLNdqrxT95TVlzVb7qgnLmlHABsap7m2uzuHFQKsFmh
RGxqpiuzu9bPEIfZKout4TmzILaP1Nua4ntSXyyjS35EUszfX+F/Mqrm fcc=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  9 14:35:37 2010
;; MSG SIZE  rcvd: 217



Ciao
Torsten
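The same ad-flag check Torsten does with dig, as a script: an added example, not code from this thread or from ISC. It builds a recursive query with an EDNS0 OPT record carrying the DO bit, decodes the response header into the flag names dig prints, and treats the answer as validated only when AD is set on a NOERROR reply. The resolver address passed to check_resolver is the only assumption; the two sample headers are constructed to mirror the dig output above.

```python
import socket
import struct

def build_query(name, qid=0x1234, do=True):
    """Build a recursive A query; with do=True an EDNS0 OPT RR sets the DO bit."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1 if do else 0)  # RD set
    labels = name.strip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    question = qname + struct.pack('!HH', 1, 1)            # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags with DO (0x8000), empty RDATA: the "EDNS: flags: do; udp: 4096" dig shows.
    opt = b'\x00' + struct.pack('!HHBBHH', 41, 4096, 0, 0, 0x8000, 0) if do else b''
    return header + question + opt

def parse_flags(resp):
    """Decode the 12-byte header into the flag names dig prints, plus rcode."""
    qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', resp[:12])
    bits = {'qr': 1 << 15, 'aa': 1 << 10, 'tc': 1 << 9, 'rd': 1 << 8,
            'ra': 1 << 7, 'ad': 1 << 5, 'cd': 1 << 4}
    return {'id': qid, 'rcode': flags & 0xF, 'answers': an,
            'flags': [n for n, b in bits.items() if flags & b]}

def validated(resp):
    """True only when the resolver answered NOERROR and set AD (data validated)."""
    f = parse_flags(resp)
    return f['rcode'] == 0 and 'ad' in f['flags']

def check_resolver(server, name='iis.se', timeout=3.0):
    """Send the DO query to a resolver (e.g. '127.0.0.1') and return its parsed header."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError('response id does not match query id')
    return parse_flags(resp)

# Constructed 12-byte headers (not captured traffic) mirroring the dig output above:
# id 12422, flags qr rd ra ad, NOERROR, 1 question, 2 answers, 1 additional ...
SAMPLE_VALIDATED = struct.pack('!HHHHHH', 12422, 0x81A0, 1, 2, 0, 1)
# ... and the same reply from a resolver that did not validate (no ad flag).
SAMPLE_UNVALIDATED = struct.pack('!HHHHHH', 12422, 0x8180, 1, 2, 0, 1)

if __name__ == '__main__':
    print(parse_flags(SAMPLE_VALIDATED), validated(SAMPLE_VALIDATED))
```

Note that AD only means the resolver itself validated; it says nothing about the path between you and that resolver, which is why Torsten queries 127.0.0.1.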


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Wolfgang Solfrank

>>> Allow bind to use as wide a range of port numbers as possible for UDP
>>> traffic.
>
> On 09.08.10 17:14, Shiva Raman wrote:
>> Yes this is allowed in the firewall.
>
> note that bind also should not have "port" option in query-source statement.

In addition, be careful with the use of NAT on your firewall.  This will
probably unrandomize the port numbers on your outgoing requests.

Ciao,
Wolfgang
--
wolfg...@solfrank.net   Wolfgang Solfrank


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Matus UHLAR - fantomas
> >Allow bind to use as wide a range of port numbers as possible for UDP
> >traffic.

On 09.08.10 17:14, Shiva Raman wrote:
> Yes this is allowed in the firewall.

note that bind also should not have "port" option in query-source statement.

> > Make sure your firewalls don't do daft things like forcing any DNS
> >traffic to come from a limited range of source ports, or blocking large
> >UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

> Yes in firewall, both TCP and UDP DNS queries are allowed.

Allowed is one part; not having broken firewalls that inspect (and break)
DNS packets is another one. 

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 
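Matus's point about the "port" option in query-source, made twice in this thread, as a check you can run over a named.conf before restarting named: an added example, not BIND's own tooling. The two config fragments are constructed, one with the weak fixed-port setting and one with the port left to BIND's randomizer.

```python
import re

# Constructed named.conf fragments (not from the thread) for the two cases.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;        // fixed source port: defeats randomization
    query-source-v6 address * port 53;
};
"""
GOOD_CONF = """
options {
    directory "/var/named";
    query-source address *;                // port unset: BIND picks a random port
    use-v4-udp-ports { range 1024 65535; };
};
"""

STMT = re.compile(r'\b(query-source(?:-v6)?)\s+([^;]*);')

def strip_comments(text):
    """Remove /* */, // and # comments so a port mentioned in a comment is ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def fixed_query_ports(conf):
    """Return [(statement, port)] for every query-source that pins a UDP port.

    'port *' is fine (explicit random port); a numeric port is the finding.
    """
    findings = []
    for stmt, body in STMT.findall(strip_comments(conf)):
        m = re.search(r'\bport\s+(\d+|\*)', body)
        if m and m.group(1) != '*':
            findings.append((stmt, int(m.group(1))))
    return findings

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('good', GOOD_CONF)):
        print(label, fixed_query_ports(conf))
```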


Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Shiva Raman
Hi
Thanks for your valuable suggestions

>Run an up-to-date version of bind.  Be fanatical about applying security
>patches promptly.

Yes, I am running the latest version, Bind-9.7.1-P2.

>Don't allow recursion /at all/ for queries from the general public to
>your authoritative servers, nor permit authoritative servers to send
>additional data from cache.

I am running separate caching and authoritative servers. As suggested
by you, I had disabled recursion for the authoritative servers.


>Permit only your trusted clients to make recursive queries through your
>recursive servers.

Yes, in the caching servers, I have only enabled recursion for our trusted
clients.


>If you have sufficient DNS traffic to warrant it, it is very good to run
>completely separate instances of bind as authoritative and recursive
>servers -- use of virtualization techniques like FreeBSD jails can help
>reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.


>Allow bind to use as wide a range of port numbers as possible for UDP
>traffic.

Yes this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS
>traffic to come from a limited range of source ports, or blocking large
>UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

>  Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named.

Now named is working with DNSSEC enabled, but I am not able to verify the
same.

Kindly let me know how we can verify that DNSSEC is enabled and running,
from the logs.

Thanks in advance.

Shiva Raman