From owner-freebsd-security Tue Jan 30 15:34:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 73F8037B6D7 for ; Tue, 30 Jan 2001 15:34:33 -0800 (PST)
Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id SAA12914; Tue, 30 Jan 2001 18:32:42 -0500 (EST)
From: David La Croix
Message-Id: <200101302332.SAA12914@cowpie.acm.vt.edu>
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?
In-Reply-To: <3A7745E9.ABA027AD@ursine.com> from Michael Bryan at "Jan 30, 1 02:53:29 pm"
To: fbsd-secure@ursine.com (Michael Bryan)
Date: Tue, 30 Jan 2001 17:32:42 -0600 (CST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Almost certainly script kiddies looking to find vulnerable versions of BIND.
> It might be related to the pre-8.2.3 bugs, or it might be earlier bugs that
> they're looking for. Certainly anything before a week or two ago is most likely
> somebody looking for one of the earlier bugs.
>
> Out of curiosity, what do you have set up in named.conf (or elsewhere) to block
> queries for version.bind?

It's not so much blocking queries for version.bind as refusing to answer
queries from an untrusted host about domains it does not host.

options {
        directory "/etc/namedb";
        allow-query { 127.0.0.1; localnets; };
        allow-transfer {
                0.0.0.0;        /* IPs changed */
                0.0.0.0;        /* secondary DNS servers */
        };
        forwarders {
                0.0.0.0;
                0.0.0.0;
        };
};

and then further down all my zone definitions look like:

zone "mydomain.com" {
        type master;
        file "zones/mydomain.com";
        allow-query { any; };
};

Basically: refuse queries for any domains I'm not master or slave for, and
only allow domain transfers to the known/trusted secondary nameservers for my
domains (as far as you can trust based on IP address).

I'm sure others have even more restrictive setups that work (require keys to
do zone transfers, listen on only one IP address, etc).

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
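The following named.conf is an added example, not the poster's configuration and not taken from the thread. It applies the same policy as above (answer the world only for zones the server is authoritative for, transfer only to known secondaries) and adds the tighter measures the post mentions: zone transfers require a TSIG key rather than just a source address, the server listens on one address, recursion is limited to local clients, and version.bind is not answered. BIND 9 syntax is assumed; the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), the zone name example.net, the key name and the key secret are placeholders.

```conf
// Added example; not the poster's configuration. BIND 9 syntax assumed.
// Addresses, zone name, key name and secret are placeholders.

// Shared secret for transfers to the secondary. Generate a real value
// with tsig-keygen (or dnssec-keygen -n HOST on older BIND 9 releases);
// the string below is a placeholder, not a usable key.
key "xfer-key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-base64-secret-replace-me=";
};

// Sign what we send to the secondary with that key, so the secondary
// can require it on its side as well (it needs a matching key clause).
server 198.51.100.53 {
        keys { "xfer-key"; };
};

acl local-clients { 127.0.0.1; 192.0.2.0/24; };

options {
        directory "/etc/namedb";

        // Listen on one address only; other interfaces get nothing.
        listen-on { 192.0.2.53; };

        // Default for everything not overridden per zone: local clients
        // only. Authoritative zones below re-open this with { any; }.
        allow-query { local-clients; };

        // Recursion for local clients only; outsiders get authoritative
        // answers and nothing else.
        allow-recursion { local-clients; };

        // Transfers must be signed with the key; an address alone is
        // not enough, so a spoofed source cannot pull the zone.
        allow-transfer { key "xfer-key"; };

        // Do not answer version.bind (CH TXT) at all.
        version none;
};

zone "example.net" {
        type master;
        file "zones/example.net";
        // Public data: anyone may query this zone. allow-transfer is
        // inherited from options, so transfers still need the key.
        allow-query { any; };
};
```

To confirm the policy from an outside host (one not in local-clients and without the key): `dig @192.0.2.53 example.net soa` should answer normally, `dig @192.0.2.53 www.example.com` (a name the server is not authoritative for) should come back REFUSED, `dig @192.0.2.53 example.net axfr` should fail rather than dump the zone, and `dig @192.0.2.53 version.bind txt chaos` should no longer return a version string. The secondary needs the same `key` clause and a matching `server` clause pointing at the master, otherwise its transfers will be refused too.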