DNS Cache Poison Patch

From SysadminPunk Wiki!


Check If BIND Is Vulnerable

  • Run the following command against your nameserver to find out if it is vulnerable (replace ns1.example.com with your own nameserver address):
dig +short @ns1.example.com porttest.dns-oarc.net TXT
bind:~# dig +short @ns1.example.com porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0.00"
bind:~#
  • POOR indicates that BIND is vulnerable. In this case you must patch BIND.
  • If you don't get any answer at all, your DNS server is not a recursive resolver, which means it doesn't answer queries for domains it isn't authoritative for. In this case you're not vulnerable to cache poisoning, but I still strongly advise updating BIND!
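The following helper mechanizes the check above; it is an added example, not part of the original page. It pipes the dig answer through a classifier so the POOR, GOOD and no-answer cases can be told apart in a script (GREAT, GOOD and FAIR are the other ratings porttest returns besides POOR; the sample answers are constructed).

```shell
#!/bin/sh
# classify_porttest reads the output of
#   dig +short @<nameserver> porttest.dns-oarc.net TXT
# on stdin and prints a one-line verdict. An empty input means the
# server did not recurse for us, which is the "no answer" case above.
classify_porttest() {
    # dig +short prints a CNAME chain first; keep only the quoted TXT record.
    txt=$(sed -n 's/^"\(.*\)"$/\1/p' | head -n 1)
    if [ -z "$txt" ]; then
        echo "NO_ANSWER: server does not recurse for us (not an open resolver)"
        return 0
    fi
    # Pull out the rating word and the number of distinct source ports seen.
    rating=$(printf '%s\n' "$txt" | sed -n 's/.* is \([A-Z]*\):.*/\1/p')
    ports=$(printf '%s\n' "$txt" | sed -n 's/.* from \([0-9]*\) ports.*/\1/p')
    case "$rating" in
        POOR)       echo "VULNERABLE: only $ports source port(s) in use, rated POOR; update BIND" ;;
        FAIR)       echo "WEAK: $ports source port(s) in use, rated FAIR; update BIND" ;;
        GOOD|GREAT) echo "OK: $ports source ports in use, rated $rating" ;;
        *)          echo "UNKNOWN: $txt" ;;
    esac
}

# check_nameserver runs the query from the page against one server and
# classifies its answer. Usage: ./porttest_check.sh ns1.example.com
check_nameserver() {
    dig +short "@$1" porttest.dns-oarc.net TXT 2>/dev/null | classify_porttest
}

if [ $# -gt 0 ]; then
    check_nameserver "$1"
fi
```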

Patching BIND

  • This is not so much a patch as an update. Simply run
apt-get install bind9 bind9-host
  • This will install the updated BIND packages from the Debian repositories.
  • Edit /etc/bind/named.conf.options to disable recursion. After this change the server only answers for zones it is authoritative for, so skip this step on a server your clients use as a resolver. Change it from
options {
       directory "/var/cache/bind";
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};

to

options {
       directory "/var/cache/bind";
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
       allow-recursion { none; };
       dnssec-enable yes;
};

Restart BIND

sudo /etc/init.d/bind9 restart

Check BIND again

dig +short @ns1.auctiva.com porttest.dns-oarc.net TXT
  • This should return no answer and drop you straight back to the prompt, because the server no longer recurses for outside queries.

---Rick Russell 21:55, 13 July 2010 (UTC)
