How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch
1 Checking If BIND Is Vulnerable
Run the following command against your nameserver to find out if it is vulnerable (replace ns1.example.com with your own nameserver address):
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0.00"
mh1:~#
POOR indicates that BIND is vulnerable. In this case you must patch BIND.
If you don’t get any answer at all, your DNS server is not a recursive resolver, i.e. it doesn’t answer queries for domains it isn’t authoritative for. In this case you’re not vulnerable to cache poisoning, but I still strongly advise updating BIND!
2 Patching BIND
This is not so much a patch as an update. Simply run
This will install the updated BIND packages from the Debian repositories.
Afterwards open /etc/bind/named.conf and modify the options section. If you don’t need a recursive resolver (i.e., if your nameserver should answer only queries for the domains it is responsible for), add allow-recursion { none; };. That turns off recursion, and with it caching, for other domains. The second line you should add is dnssec-enable yes; – this makes BIND send its queries from random source ports, which are much harder for an attacker to guess (remember the answer to our dig command in section 1: [...]26 queries in 4.4 seconds from 1 ports[...] – BIND was sending all of its queries from a single port…).
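The porttest result line in section 1 ("26 queries ... from 1 ports with std dev 0.00") is just a statistic over the source ports of the resolver's outgoing queries, so you can compute the same thing yourself from a packet capture before and after the change in section 2. The script below is an added example, not part of the original howto or of BIND; the capture lines are constructed in the style of tcpdump output, the resolver address 1.2.3.4 is taken from the sample output above, and the POOR/FAIR/GOOD thresholds are an assumption for illustration, not DNS-OARC's own.

```python
import re
import statistics

# Constructed sample capture lines (tcpdump style) for outbound DNS queries
# from the resolver 1.2.3.4: one resolver that always uses the same source
# port, and one that randomises it. Only the source port matters here.
CAPTURE_SINGLE_PORT = """\
12:00:01.1 IP 1.2.3.4.32768 > 192.0.2.10.53: 1234+ A? example.net. (29)
12:00:01.2 IP 1.2.3.4.32768 > 192.0.2.11.53: 1235+ A? example.org. (29)
12:00:01.3 IP 1.2.3.4.32768 > 192.0.2.12.53: 1236+ A? example.com. (29)
12:00:01.4 IP 1.2.3.4.32768 > 192.0.2.13.53: 1237+ MX? example.com. (29)
"""

CAPTURE_RANDOM_PORTS = """\
12:00:01.1 IP 1.2.3.4.51223 > 192.0.2.10.53: 1234+ A? example.net. (29)
12:00:01.2 IP 1.2.3.4.12001 > 192.0.2.11.53: 1235+ A? example.org. (29)
12:00:01.3 IP 1.2.3.4.64410 > 192.0.2.12.53: 1236+ A? example.com. (29)
12:00:01.4 IP 1.2.3.4.33207 > 192.0.2.13.53: 1237+ MX? example.com. (29)
"""

# Matches "IP <src ip>.<src port> > <dst ip>.53:" and captures ip and port.
LINE_RE = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > [\d.]+\.53: ")


def source_ports(capture, resolver_ip):
    """Return the UDP source ports of the queries sent by resolver_ip."""
    ports = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def rate_ports(ports):
    """Summarise the port spread the way the porttest result line does."""
    distinct = len(set(ports))
    # population std dev, so a single repeated port gives exactly 0.00
    sd = statistics.pstdev(ports) if ports else 0.0
    # Thresholds are assumed for illustration, not DNS-OARC's real ones.
    if distinct <= 1 or sd < 3000:
        grade = "POOR"
    elif sd < 10000:
        grade = "FAIR"
    else:
        grade = "GOOD"
    return {"queries": len(ports), "ports": distinct,
            "std_dev": round(sd, 2), "grade": grade}
```

On a real system, feed it the output of tcpdump for UDP port 53 traffic leaving the resolver; a result that still says POOR after the update means the named.conf changes did not take effect.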