Never Ending Security

DNS Security – Securing A Name Server

What version of BIND for your server?

Lately a number of implementation errors (TSIG, information leak, ...) have been found in BIND. The details of these issues are available on . So right now you need to install version 8.2.3 or version 9.1. BIND 9 implements DNSSEC (signed zones) and TSIG (shared-key signatures on transactions between servers, such as zone transfers and dynamic updates), which should, going forward, address the various DNS spoofing problems. Other major new features are IPv6 support and new protocol features (IXFR, DDNS, NOTIFY, EDNS0). TSIG support is available from BIND 8.2 onwards. Those version numbers date from early 2001; today the only sensible choice is a currently supported BIND 9 release, but the hardening described below applies unchanged.

If you wonder whether BIND can withstand heavy load: the server cited here, running BIND 8.2.3, answers over 272 million DNS queries per day.


You can either use pre-compiled packages or compile BIND yourself from source. Both are available on . If you use Red Hat packages, install bind and bind-utils, plus bind-devel if you write programs against the resolver library.


The BIND configuration file is usually /etc/named.conf. A few quick words on the configuration:

  • In named.conf, comments are written /* */ or // as in C (# also works); in zone files a comment starts with ";".
  • SOA: Start Of Authority
  • NS: Name Server
  • MX: Mail eXchange
  • CNAME: alias (canonical name)
  • Host names in zone files must be fully qualified and end with a period; otherwise the zone origin is appended to them.

The file is divided into statements: options, logging and zone. I will not dwell on the subject; I assume you know enough of the basics to run BIND.

Paranoid defaults

Take advantage of being paranoid: block everything by default.

 options {
   also-notify { none; };
   allow-transfer { none; };
   allow-query { none; };
 };

also-notify lists the unofficial secondary servers (those not declared as NS records) that must be notified immediately when a zone is updated. allow-transfer says which machines may perform a zone transfer, that is retrieve the entire contents of a zone; only the secondary servers should be allowed. allow-query says who may query the server for a given zone. Whatever is set in options is only a default: each zone statement can override it, which is exactly how the zones below open just what they need.

ACLs (access control lists) define sets of machines and/or networks. Four ACLs are predefined: any, none, localhost and localnets. They match, respectively, everyone, no one, the server's own addresses, and every network the server is directly attached to (derived from its interface addresses and netmasks).

An ACL is defined as follows:

 acl name { address_match_list; };

For example, I can define the ACL dns_sec_non_officiel with two IP addresses (the placeholders stand for the real addresses) as follows:

 acl dns_sec_non_officiel { ip_dns_sec_1; ip_dns_sec_2; };

Zone definitions and use of ACLs

To get the list of root servers, simply run dig . ns and redirect its output to the hint file referenced by the zone "." statement. The root servers are used to resolve names and addresses for which this server is neither primary nor secondary.

The zone used for all other queries is the root zone "." defined below:

 zone "." {
   type hint;
   file "";
   allow-query { mon_parc_info; };
 };

mon_parc_info is an ACL containing the IP addresses of the machines on my network. Note that restricting queries on the hint zone only indirectly limits who can start a recursive lookup through this server; the explicit control is allow-recursion (BIND 8.2 and later, and BIND 9), which should be set to the same ACL.

In some network architectures, or for security reasons on an internal DNS server, one may want to force all outside resolution through specific DNS servers. In that case the constraint is set in options:

 options {
   forward only;
   forwarders { mes_dns_en_sortie; };
 };

Here mes_dns_en_sortie stands for the IP addresses of the outbound resolvers; forwarders takes addresses, not an ACL name. With forward only, named never contacts the root servers itself: if no forwarder answers, the query fails.

Another note: if your machine uses "dial on demand" (the modem connection is brought up whenever there is traffic for the Internet), add the option dialup yes; to prevent named from bringing the connection up inadvertently.

The reverse lookup zone (IP address to host name) for the loopback address is defined as:

 zone "0.0.127.in-addr.arpa" {
   type master;
   allow-query { mon_parc_info; };
   file "named.local";
 };

A primary server must answer queries from everyone but allow only the secondary servers to perform zone transfers. A zone transfer is, as its name suggests, the means by which a DNS server retrieves all the records of a zone.

 zone "" {
   type master;
   file "domain1/";
   also-notify { ip_dns_sec_1; ip_dns_sec_2; };
   allow-transfer { dns_sec_officiel; dns_sec_non_officiel; };
   allow-query { any; };
 };

The servers listed in also-notify are notified whenever the zone changes. It is used specifically to warn the unofficial secondaries, that is those not explicitly declared as NS in the zone file (the official ones are found from the NS records). also-notify takes IP addresses rather than ACL names, which is why the addresses behind dns_sec_non_officiel are spelled out again here.

Some services offered by ISPs are reachable only through their own DNS. For instance, to read news or access webmail at Wanadoo, you must use the DNS servers printed on the sheet with your login and password, or handed out by the DHCP server. A forward zone sends just that domain to them:

 zone "" {
   type forward;
   forwarders { ip_dns_wanadoo; };
 };

Note: Wanadoo filters on IP address; its DNS, web and other servers are reserved for subscribers.
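The fragments above spread the deny-by-default idea over several statements. As an added example (not from the original article, and not BIND's own tooling), the shell script below writes one complete named.conf that puts them together, then audits a configuration file for the mistakes this section is about: a zone that allows transfers to anyone, no global allow-transfer { none; }, and unrestricted recursion. It goes slightly beyond the text by setting allow-recursion, the explicit control that the hint-zone restriction only approximates. The ACL names are the article's; the addresses (RFC 5737 documentation ranges), the zone example.com and the file names named.ca and example.com/zone are placeholders, i.e. assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: one complete deny-by-default
# named.conf, plus a grep-based audit for the mistakes this section warns
# about. ACL names are the article's; the addresses (RFC 5737 documentation
# ranges), the zone example.com and the file names are placeholders.

# write_named_conf OUTFILE: emit the hardened configuration
write_named_conf() {
    cat > "$1" <<'EOF'
acl mon_parc_info        { 192.0.2.0/24; localhost; };
acl dns_sec_officiel     { 198.51.100.53; };
acl dns_sec_non_officiel { 203.0.113.53; 203.0.113.54; };

options {
    directory "/var/named";
    // paranoid defaults: each zone below opens only what it needs
    allow-transfer  { none; };
    allow-query     { none; };
    // restricting the hint zone is not enough: limit recursion explicitly
    allow-recursion { mon_parc_info; };
};

zone "." {
    type hint;
    file "named.ca";
    allow-query { mon_parc_info; };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
    allow-query { mon_parc_info; };
};

zone "example.com" {
    type master;
    file "example.com/zone";
    // also-notify takes addresses, not ACL names
    also-notify    { 203.0.113.53; 203.0.113.54; };
    allow-transfer { dns_sec_officiel; dns_sec_non_officiel; };
    allow-query    { any; };
};
EOF
}

# audit_named_conf FILE: returns 0 if the deny-by-default rules hold, 1 if not.
# Comments are stripped first so a commented-out directive does not count.
audit_named_conf() {
    body=$(sed -e 's|//.*||' -e 's|#.*||' "$1")
    rc=0
    if printf '%s\n' "$body" | grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "FAIL: allow-transfer { any; } lets anyone dump a zone" >&2
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*none[[:space:]]*;'; then
        echo "FAIL: no global allow-transfer { none; } default" >&2
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'allow-recursion|recursion[[:space:]]+no[[:space:]]*;'; then
        echo "FAIL: recursion is open to everyone (set allow-recursion or recursion no)" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone run: write the configuration to a scratch file and audit it
tmp=$(mktemp)
write_named_conf "$tmp"
audit_named_conf "$tmp" && echo "$tmp passes the audit"
rm -f "$tmp"
```

The audit is deliberately simple: it only recognises directives written on one line, as in the fragments above, so on a real server run it alongside named-checkconf (BIND 9) rather than instead of it, and read what it flags against your own zone statements.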

Hide the version number

The version number is easily obtained:

 $ nslookup -
 Default Server: localhost

 > set class=chaos
 > set q=txt
 > version.bind
 Server: localhost

 version.bind text = "8.2.3-REL"

The same query with dig is dig @localhost version.bind chaos txt.

One possibility is to set the text that is sent back: in options, just specify version "my super text";. But that has the disadvantage of hiding it from everybody, including you. We can do better by redefining the zone "bind" of class chaos ourselves; once it is defined, named serves our zone instead of its built-in version record:

 zone "bind" chaos {
   type master;
   file "bind";
   allow-query { localhost; };
 };

In the file bind, I define the zone in class CHAOS:

 $TTL 1D
 $ORIGIN bind.
 @ 1D CHAOS SOA localhost. root.localhost. (
          1     ; serial
          3H    ; refresh
          15M   ; retry
          1W    ; expire
          1D )  ; minimum
   CHAOS NS localhost.
 version CHAOS TXT "8.2.3-REL"   ; keeps the real version readable, but only from localhost

So when some little pest goes looking for the BIND version, the attempt is logged:

 Mar 12 17:51:12 vectra named[17035]: unapproved query from [].4863 for "version.bind"

And we can still retrieve the version number locally, unless we are even more paranoid and put allow-query { none; }; on that zone.


Running as an unprivileged user in a chroot jail

Ports below 1024 are privileged ports, meaning only programs running as root can bind them. The port dedicated to DNS servers is TCP/UDP port 53 (domain).

A safety mechanism built into modern versions of BIND lets it, once it has bound port 53, switch to an unprivileged user, usually named. Thus, if a vulnerability is exploited, the attacker obtains the named identity, not root.

However, the attacker now has access to the machine and can go looking for local privilege escalation bugs. The idea is to confine the process to one part of the file system tree, for example the directory /var/chroot-named, holding only the files BIND needs. Bear in mind that the chroot only helps together with the user switch: a process that keeps root can escape a chroot.

Building the jail

To create the jail you must first be root (the $ prompt below is a root shell).

   $ mkdir /var/chroot-named
   $ mkdir /var/chroot-named/dev
   $ mkdir /var/chroot-named/etc
   $ mkdir /var/chroot-named/var
   $ mkdir /var/chroot-named/var/run
   $ mkdir /var/chroot-named/usr
   $ mkdir /var/chroot-named/usr/sbin
   $ mknod /var/chroot-named/dev/null c 1 3

(BIND 9 also expects /dev/random inside the jail: mknod /var/chroot-named/dev/random c 1 8.)

Account creation

   $ adduser -s /bin/false named
   $ egrep "(^root:|^named:)" /etc/passwd > /var/chroot-named/etc/passwd
   $ egrep "(^root:|^named:)" /etc/group > /var/chroot-named/etc/group
Configuring the system log

If syslogd supports the "-a" option, start it with it in /etc/rc.d/init.d/syslog so that it also listens on a socket inside the jail:

 daemon syslogd -m 0 -a /var/chroot-named/dev/log

Otherwise named has to log directly to a file:

   $ mkdir /var/chroot-named/var/log
   $ ln -s /var/chroot-named/var/log /var/log/dns

In named.conf:

 logging {
   channel replace_syslog {
     file "/var/log/dns" versions 3 size 100k;
     severity info;
     print-category yes;
     print-severity yes;
     print-time yes;
   };
   category default { replace_syslog; default_debug; };
 };

The path in the channel is relative to the jail, so /var/log/dns here is /var/chroot-named/var/log/dns on the host, reachable through the symlink created above. The log files are created as root at start-up; since named rotates them (versions 3) after dropping privileges, the log directory inside the jail must be writable by the named user.

Moving the configuration into the jail

   $ mv /etc/named.conf /var/chroot-named/etc
   $ mv /var/named /var/chroot-named/var
   $ ln -s /var/chroot-named/etc/named.conf /etc/named.conf
   $ ln -s /var/chroot-named/var/named /var/named
   $ chown -R named:named /var/chroot-named/var/named

By the way, do not forget that BIND must be able to write to the directories holding slave zone files: create these directories and change their owner to named. Otherwise it will not be able to fetch the zones for which it is secondary.

Installing binaries

Either compile named and named-xfer statically, or use the existing binaries and copy the dynamic libraries they need:

   $ cp /usr/sbin/named /var/chroot-named/usr/sbin
   $ cp /usr/sbin/named-xfer /var/chroot-named/usr/sbin
   $ mkdir /var/chroot-named/lib
   $ mkdir /var/chroot-named/usr/lib
   $ ldd /usr/sbin/named-xfer
           => /lib/ (0x40022000)
           /lib/ => /lib/ (0x40000000)

The last command lists the libraries BIND needs in order to run: each of them must also be present in the jail, at the same path. (named-xfer exists only in BIND 8; BIND 9 performs zone transfers inside named itself.)


In /etc/rc.d/init.d/named (drop the word daemon if you are not on Red Hat), start the daemon in its jail:

 daemon named -u named -t /var/chroot-named

"-u" gives the user BIND runs as, and "-t" the directory it chroots into, its jail.

For the demanding: TSIG

TSIG reduces the impact of IP spoofing between the primary and secondary DNS servers. They share a secret key, named grenier-supersecret in the example. The key is base64-encoded and is defined identically in the configuration files of the servers involved:

 key grenier-supersecret. {
   algorithm hmac-md5;
   secret "mZiMNOUYQPMNwsDzrX2ENw==";
 };

In the master DNS configuration we add:

 server ip_dns_secondaire {
   transfer-format many-answers;
   keys { grenier-supersecret.; };
 };

and on the secondary we put the same thing, but with the IP address of the primary server. The server statement makes named sign the traffic it sends to that peer; to actually require the signature on the master, also use the key in the zone's allow-transfer: allow-transfer { key grenier-supersecret.; };.

For this to work, the system clocks of the two servers must be synchronized (TSIG signatures carry a timestamp with a limited validity window). If necessary, synchronize them with xntp. Since both sides hold the same secret, the key is only as confidential as the less secure of the two servers. (hmac-md5 is the only algorithm these versions support; current BIND 9 releases should use hmac-sha256.)


With the addition of cryptography the DNS protocols become more trustworthy, and system-level mechanisms such as chrooting are still there to counter implementation bugs =:-) (the TSIG bug).