I’ve three nameserver load-balanced (LB) in three geo locations. Each LB has a front end public IP address and two backend IP address (one for BIND and another for zone transfer) are assigned to actual bind 9 server running Linux. So when a zone transfer initiates from slave server, all I get errors. A connection cannot be established, it tries again with the servers main ip or LB2 / LB3 ip. This is a problem because my servers are geo located and load balanced. However, there is a small workaround for this problem.
Red Hat has shipped a new version of its dnsmasq caching software to plug source UDP port bug. This could have made DNS spoofing attacks (CVE-2008-1447) easier. Dnsmasq is lightweight ultra fast dns cache server forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network.
Explains how to use Windows nslookup command to verify your own or ISP recursive DNS resolvers are free from DNS cache poisoning bug.
Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
An updated caching-nameserver package that fixes a bug is now available for RHEL AS 4.x / CentOS 4.x Linux server.
DNS server can be attacked using various techniques such as
[a] DNS spoofing
[b] Cache poisoning
[c] Registration hijacking
One of the simplest ways to defend is limit zone transfers between nameservers by defining ACL. I see many admin allows BIND to transfer zones in bulk outside their network or organization. There is no need to [...]
