≡ Menu

BIND Dns

DNS server can be attacked using various techniques such as

[a] DNS spoofing

[b] Cache poisoning

[c] Registration hijacking

One of the simplest ways to defend is limit zone transfers between nameservers by defining ACL. I see many admin allows BIND to transfer zones in bulk outside their network or organization. There is no need to do this. Remember you don't have to make an attacker's life easier.

How to restrict zone trasfer with IP address?

You need to define ACL in /etc/named.conf file. Let us say IP 192.168.191.10 and 25.111.24.6 are allowed to transfer your zones.
# vi named.conf
Here is sample entery for domain nixcraft.com (ns1 configuration):

acl trusted-servers  {
        192.168.191.10;  //ns2
        25.111.24.6;   //ns3
};
zone nixcraft.com  {
        type master;
        file "zones/nixcraft.com";
        allow-transfer { trusted-servers; };
};

Next add zone nixcraft.com. Please note that you must use set of hosts later in each zone's configuration block i.e. put line allow-transfer { trusted-servers; }; for each zone / domain name. Restart named:
# /etc/init.d/named restart

How do I test zone transfers restrictions are working or not?

Use any UNIX dns tool command such as nslookup, host or dig. For example, following example uses host command to request zone transfer:
$ host -T axfr nixcraft.com
Output:

;; Connection to 74.86.49.133#53(74.86.49.133) for axfr failed: connection refused.

Transaction signatures (TSIG)

Another recommend option is to use transaction signatures (TSIG) to authorize zone transfers. This makes more difficult to spoof IP addresses.

You can use a tool called named- checkconf to check BIND dns server (named daemon) configuration file syntax under Linux / UNIX. It checks the syntax, but not the semantics, of a named configuration file i.e. it can check for syntax errors or typographical errors but cannot check for wrong MX / A address assigned by you. Nevertheless, this is an excllent tool for troubleshooting DNS server related problems.

How do I check my bind configuration for errors?

Simply run command as follows:
# named-checkconf /etc/named.conf
You may want to chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named:
# named-checkconf -t /var/named/chroot /etc/named.conf
If there is no output, the configuration is considered correct and you can safely restart or reload bind configuration file. If there is an error it will be displayed on screen:
# named-checkconf /etc/named.conf
Output:

/etc/named.conf:58: open: /etc/named.root.hints: file not found

Related tool: BIND-DNS server zone file validity checking tool

The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.

i) named/bind server – TCP/UDP port 53

ii)Client (browser, dig etc) – port > 1023

Allow outgoing DNS client request:

Following iptables rules can be added to your shell script.

SERVER_IP is your server ip address

DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.

Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:

SERVER_IP="202.54.10.20"
DNS_SERVER="202.54.1.5 202.54.1.6"
for ip in $DNS_SERVER
do
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done

(B) Allow incoming DNS request at port 53:

Use following rules only if you are protecting dedicated DNS server.

SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.

Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer.

SERVER_IP="202.54.10.20"
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:

DNS2_IP="202.54.10.2"
iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

BIND is the Berkeley Internet Name Domain, DNS server. It is wildly used on UNIX and Linux like oses. You can use following tools to troubleshoot bind related problems under UNIX or Linux oses.

Task: Port 53 open and listing requests

By default BIND listen DNS queries on port 53. So make sure port 53 is open and listing user requests. by running any one of the following tests. See if you can telnet to port 53 from remote computer:
$ telnet remote-server-ip 53
OR
telnet ns1.nixcraft.org domain
Output:

Trying 192.168.0.5...
Connected to ns1.nixcraft.org.
Escape character is '^]'.

If you cannot connect make sure firewall is not blocking your requests. Next use netstat command to list open and listing port 53 on server itself:
$ netstat -tulpn | grep :53
OR
# netstat -atve
Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 ns1.nixcraft.org:domain *:*                     LISTEN      named      10386
tcp        0      0 rhx.test.com:domain     *:*                     LISTEN      named      10384
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1785
tcp        0      0 rhx.test.com:rndc       *:*                     LISTEN      named      10388
tcp        0      0 rhx.test.com:smtp       *:*                     LISTEN      root       1873
tcp        0      0 ns1.nixcraft.org:ssh    w2k.nixcraft.org:1057   ESTABLISHED root       10501
tcp        0      0 rhx.test.com:32773      rhx.test.com:domain     TIME_WAIT   root       0
tcp        0      0 ns1.nixcraft.org:32775  ns1.nixcraft.org:domain TIME_WAIT   root       0
tcp        0      0 rhx.test.com:32774      rhx.test.com:domain     TIME_WAIT   root       0

Make sure iptables firewall is not blocking request on server:
# iptables -L -n
OR
# iptables -L -n | less
Make sure named is running:
# /etc/init.d/named status
If not start named:
# chkconfig named on
# service named start

Task: Use log files

You can use log files after starting/restarting bind to see error messages:
# tail –f /var/log/message
Output:

Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface eth0, 192.168.0.5#53
Nov 17 16:50:25 rhx named[3539]: command channel listening on 127.0.0.1#953
Nov 17 16:50:25 rhx named[3539]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Nov 17 16:50:25 rhx named[3539]: nixcraft.org.rev:1: no TTL specified; using SOA MINTTL instead
Nov 17 16:50:25 rhx named[3539]: zone 0.168.192.in-addr.arpa/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: zone localhost/IN: loaded serial 42
Nov 17 16:50:25 rhx named[3539]: zone nixcraft.org/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: running

Task: Check zone file for errors

You can check zone file syntax and /etc/named.conf file using following utilities. named-checkconf command is named (BIND) configuration file syntax checking tool.
# named-checkconf /etc/named.conf
Output:

/etc/named.conf:32: missing ';' before 'zone'

Plesse note that if named-checkconf did not find any errors it will not display in output on screen.

Check zone file syntax for errors. named-checkzone is zone file validity checking tool. named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named checkzone useful for checking zone files before configuring them into a name server.
# named-checkzone localhost /var/named/localhost.zone
OR
#named-checkzone nixcraft.org /var/named/nixcraft.org.zone
Output:

zone nixcraft.org/IN: loaded serial 12
OK

Task: Testing BIND/DNS with utilities

You can use host and dig utilties to test your bind configuration.

  • host: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
  • dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

List IP address associated with host names:
# host nixcraft.org
OR
# host www
Output:

www.nixcraft.org has address 192.168.0.6

Perform a zone transfer for zone name using -l option:
# host -l nixcraft.org

nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400
nixcraft.org name server ns1.nixcraft.org.
nixcraft.org mail is handled by 10 mail.nixcraft.org.
nixcraft.org has address 192.168.0.5
gw.nixcraft.org has address 192.168.0.254
mail.nixcraft.org has address 192.168.0.7
ns1.nixcraft.org has address 192.168.0.5
w2k.nixcraft.org has address 192.168.0.1
www.nixcraft.org has address 192.168.0.6
nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400

Other examples
# dig mail.nixcraft.org
# dig 192.168.0.5