Re: sorry to ruin several of your evenings...
vince@penguin-power.com ("Vincent Power") writes:
the only thing that I had to do when upgrading between 8.x and 9.x was to add a $TTL line to the top of every zone file.
BIND 8.2.3 makes you do that, too.
On 28 Jan 2001, Paul Vixie wrote:
vince@penguin-power.com ("Vincent Power") writes:
the only thing that I had to do when upgrading between 8.x and 9.x was to add a $TTL line to the top of every zone file.
BIND 8.2.3 makes you do that, too.
It complains about the absence of $TTL, but it doesn't "make you do it".

How many other sites got burned by non-RFC compliant SOA record formats that used to work in every prior bind 8 / bind 4 version? I refuse to believe I'm the only one. I had to write a pair of little perl scripts and a bourne shell script to examine all our zone files and fix the ones that needed fixing.

--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
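One way to script the $TTL fix Jon and Vincent describe, as an added example that is not the thread's own script (Jon's perl and shell scripts are not on the page): it walks the zone files named on the command line and prepends a $TTL line to any that lack one. The value is taken from the SOA minimum field, which is what BIND 8 silently used as the default TTL before the $TTL directive existed; the file name, the 86400 fallback and the sample zone in the comments are assumptions.

```sh
#!/bin/sh
# ensure_ttl.sh -- add a $TTL directive to zone files that have none.
# Added example, not from the thread.  BIND 8.2.3 warns and BIND 9
# expects an explicit $TTL; older releases fell back to the SOA minimum,
# so that is the value we carry forward to keep record TTLs unchanged.

# Print the SOA "minimum" field of a zone file, or nothing if no SOA
# record is found.  Comments are stripped and the file joined into one
# line first so a multi-line, parenthesised SOA is seen as one record.
# (A ';' inside a quoted TXT string would be treated as a comment too;
# that only matters if it appears before the SOA numbers.)
soa_minimum() {
    awk '{ sub(/;.*/, ""); printf "%s ", $0 } END { print "" }' "$1" |
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "SOA") continue
                # after SOA: mname rname ( serial refresh retry expire minimum )
                n = 0
                for (j = i + 1; j <= NF; j++) {
                    t = $j
                    gsub(/[()]/, "", t)          # "(2001013001" -> "2001013001"
                    if (t ~ /^[0-9]+[smhdwSMHDW]?$/) {
                        n++
                        if (n == 5) { print t; exit }
                    }
                }
            }
        }'
}

# Return 0 if the zone file already carries a $TTL directive.
has_ttl() {
    grep -q '^[[:space:]]*\$TTL[[:space:]]' "$1"
}

# Prepend "$TTL <soa minimum>" to a zone file that lacks one (in place).
ensure_ttl() {
    zone="$1"
    if has_ttl "$zone"; then
        echo "ok      $zone"
        return 0
    fi
    ttl=$(soa_minimum "$zone")
    [ -n "$ttl" ] || ttl=86400          # no usable SOA: assume one day
    tmp="$zone.ttl.$$"
    { printf '$TTL %s\n' "$ttl"; cat "$zone"; } > "$tmp" && mv "$tmp" "$zone"
    echo "fixed   $zone (\$TTL $ttl)"
}

# Usage: ensure_ttl.sh /var/named/primary/*.zone   (files are edited in place)
for zone in "$@"; do
    ensure_ttl "$zone"
done
```

Run it against a copy of the zone directory first and diff the result; a zone whose SOA minimum was deliberately tiny (for negative caching) may deserve a hand-picked $TTL instead.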
Oh, the regexes were many and nasty. I was burned back on my personal nameserver a month or so ago on the 9.0.0 release, and fixed it by hand. The 300 or so domains hosted on the work machines.. well, gross regexes.

On Mon, Jan 29, 2001 at 11:42:26PM -0500, jlewis@lewis.org wrote:
On 28 Jan 2001, Paul Vixie wrote:
vince@penguin-power.com ("Vincent Power") writes:
the only thing that I had to do when upgrading between 8.x and 9.x was to add a $TTL line to the top of every zone file.
BIND 8.2.3 makes you do that, too.
It complains about the absence of $TTL, but it doesn't "make you do it".
How many other sites got burned by non-RFC compliant SOA record formats that used to work in every prior bind 8 / bind 4 version? I refuse to believe I'm the only one. I had to write a pair of little perl scripts and a bourne shell script to examine all our zone files and fix the ones that needed fixing.
--
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4
"Never underestimate the bandwidth of a mini-van full of DLT tapes
 traveling down the highway at 65 miles per hour..."
    -Andrew Tanenbaum, "Computer Networks"
You're bitching that you had to go back and do things the way they should have been done in the first place?

Help me understand where you think Paul, or any of the ISC peoples, is at fault?

On Mon, Jan 29, 2001 at 11:42:26PM -0500, jlewis@lewis.org wrote:
On 28 Jan 2001, Paul Vixie wrote:
vince@penguin-power.com ("Vincent Power") writes:
the only thing that I had to do when upgrading between 8.x and 9.x was to add a $TTL line to the top of every zone file.
BIND 8.2.3 makes you do that, too.
It complains about the absence of $TTL, but it doesn't "make you do it".
How many other sites got burned by non-RFC compliant SOA record formats that used to work in every prior bind 8 / bind 4 version? I refuse to believe I'm the only one. I had to write a pair of little perl scripts and a bourne shell script to examine all our zone files and fix the ones that needed fixing.
--
i am jamie at arpa dot com .. and this is my .sig.
core1.dns.microsoft.com# sho access-list 101
Extended IP access list 101
    deny udp any any eq domain (874572345872345 matches)
On Tue, 30 Jan 2001, jamie rishaw wrote:
You're bitching that you had to go back and do things the way they should have been done in the first place?
Help me understand where you think Paul, or any of the ISC peoples, is at fault?
Quit reading between the lines. You're not doing very well at it. I didn't post that I was pissed at Paul for breaking bind. He was nice enough to email me back over the weekend to explain the problem and say that basically the fact that the broken zones ever worked was a long standing bug in bind's zone parser. I was just curious how many other people ran into the same problem. Based on the responses I got, I definitely wasn't alone.

--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On the same topic but not in reply to anyone in particular, I thought this should be mentioned:

[root@host bind-9.1.0]# dig @a.bind9.nameserver.com authors.bind chaos txt

; <<>> DiG 8.2 <<>> @a.bind9.nameserver.com authors.bind chaos txt
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      authors.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
authors.bind.           0S CHAOS TXT    "Michael Sawyer"
authors.bind.           0S CHAOS TXT    "Brian Wellington"
authors.bind.           0S CHAOS TXT    "Andreas Gustafsson"
authors.bind.           0S CHAOS TXT    "Bob Halley"
authors.bind.           0S CHAOS TXT    "Mark Andrews"
authors.bind.           0S CHAOS TXT    "James Brister"
authors.bind.           0S CHAOS TXT    "Michael Graff"
authors.bind.           0S CHAOS TXT    "David Lawrence"

;; Total query time: 1 msec
;; FROM: host to SERVER: a.bind9.nameserver  192.168.0.1
;; WHEN: Tue Jan 30 14:00:54 2001
;; MSG SIZE  sent: 30  rcvd: 244

While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.

Matthew S. Hallacy
XtraTyme Technologies
Systems/Network Administrator
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:

zone "bind" chaos {
        allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ;
        type master;
        file "filename";
};

Stephen
Why not just return some 'bogus' version ??? like this option allows:

version "bad-ass-bind";

:)

--Chris
#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
On Tue, 30 Jan 2001 15:45:29 EST, "Christopher L. Morrow" said:
Why not just return some 'bogus' version ??? like this option allows:
If you return a bogus version, they *know* you have something to hide. If you just disallow 'chaos' queries, they don't know for sure, especially if you *also* disallow other queries/etc from other sites. ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Tue, Jan 30, 2001 at 03:58:57PM -0500, Valdis.Kletnieks@vt.edu wrote:
If you return a bogus version, they *know* you have something to hide. If you just disallow 'chaos' queries, they don't know for sure, especially if you *also* disallow other queries/etc from other sites. ;)
Hey, just return version 8.6.2, and make 'em waste their time... :-)
let's see... (from previous discussions on the usefulness of tweaking the version)

wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?

version "bad-ass-bind"; -or- version "9.1.0"

of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.

Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
attack away... it's a bit harder to figure out what it is... and bind's not exploitable (at least not yet...) so as long as all other things are 'ok' I'm just denying intel to the 'enemy'... besides, tcp queries are verboten anyway :)

--Chris

On Tue, 30 Jan 2001 bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
The key here is that if you're going to spend time faking the real response of a query that time may be best spent fixing the real problem.

People who will now complain about the number of machines they need to upgrade, etc. should now evaluate the costs of running an internet connected network. If these costs or risks are too high for you perhaps you need to evaluate your internet connection policies.

- Jared

On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  | Manager of IP networks built within my own home
I didn't say I didn't upgrade :) I just said why give out info you don't need to give out.

--Chris

On Tue, 30 Jan 2001, Jared Mauch wrote:
The key here is that if you're going to spend time faking the real response of a query that time may be best spent fixing the real problem.
People who will now complain about the number of machines they need to upgrade, etc.. should now evaluate the costs of running an internet connected network. If these costs or risks are too high for you perhaps you need to evaluate your internet connection policies.
- Jared
On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
The problem is that there are those that do not have their sysadmin staff at proper levels or will use some configuration options to their advantage to save doing work. These people should use caution if they go about it this way instead of upgrading.

You would be surprised how many requests I get for favico.ico on my web server still...

- Jared

On Tue, Jan 30, 2001 at 04:31:30PM -0500, Christopher L. Morrow wrote:
I didn't say I didn't upgrade :) I just said why give out info you don't need to give out.
--Chris
On Tue, 30 Jan 2001, Jared Mauch wrote:
The key here is that if you're going to spend time faking the real response of a query that time may be best spent fixing the real problem.
People who will now complain about the number of machines they need to upgrade, etc.. should now evaluate the costs of running an internet connected network. If these costs or risks are too high for you perhaps you need to evaluate your internet connection policies.
- Jared
On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
Ok, so perhaps my initial post was not prefaced correctly: "instead of disallowing queries, change the version returned to something bogus on your spankin' new upgraded 'must be secure cause paul said so' version of BIND'?" :) of course I'm not advocating leaving old/vulnerable versions of stuff running... just denying the enemy intelligence they COULD use against you.

--Chris

On Tue, 30 Jan 2001, Jared Mauch wrote:
The problem is that there are those that do not have their sysadmin staff at proper levels or will use some configuration options to their advantage to save doing work. These people should use caution if they go about it this way instead of upgrading.
You would be surprised how many requests i get for favico.ico on my web server still...
- Jared
On Tue, Jan 30, 2001 at 04:31:30PM -0500, Christopher L. Morrow wrote:
I didn't say I didn't upgrade :) I just said why give out info you don't need to give out.
--Chris
On Tue, 30 Jan 2001, Jared Mauch wrote:
The key here is that if you're going to spend time faking the real response of a query that time may be best spent fixing the real problem.
People who will now complain about the number of machines they need to upgrade, etc.. should now evaluate the costs of running an internet connected network. If these costs or risks are too high for you perhaps you need to evaluate your internet connection policies.
- Jared
On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
Why not just return some 'bogus' version ??? like this option allows:
version "bad-ass-bind";
:)
--Chris
On Tue, 30 Jan 2001, Stephen Stuart wrote:
While it's not exactly a problem, it does give away that you're running bind9 (I do like the new 'version' option where you can set the version.bind reply) even if you change the version to appear to be a bind8 server.
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
Stephen
Jared Mauch wrote:
The problem is that there are those that do not have their sysadmin staff at proper levels or will use some configuration options to their advantage to save doing work. These people should use caution if they go about it this way instead of upgrading.
Such people will always exist, and warnings such as yours generally won't be heeded by those people.

--
Steve Sobol, BOFH, President  888.480.4NET  866.DSL.EXPRESS  216.619.2NET
North Shore Technologies Corporation  http://NorthShoreTechnologies.net
JustTheNet/JustTheNet EXPRESS DSL (ISP Services)  http://JustThe.net
mailto:sjsobol@NorthShoreTechnologies.net
Proud resident of Cleveland, Ohio
On Tue, 30 Jan 2001 bmanning@vacation.karoshi.com wrote:
let's see... (from previous discussions on the usefulness of tweaking the version)
wearing my blackhat, i have to decide which system is worthy of my talents... which one should I pick?
version "bad-ass-bind"; -or- version "9.1.0"
of course I could be running 4.8.1 and simply recompile so it _reports_ a bogus version but the profile of a 9.1.0 code base is -very- distinct from a 4.8.1 code base... esp on replies to queries.
Pick your targets carefully.
However if I run a safe version of bind _and_ pay attention to my logfiles I may actually catch a couple of nosy crackerjacks in the attempt and keep an eye out before they find something which _is_ vulnerable. Whether it's operationally sane to use such honeypot functionality on a production server remains to be seen.

Pi
--
Live phase 1 <--> RJ45 pin 3     GND <--> RJ45 pin 8
Live phase 2 <--> RJ45 pin 6
Live phase 3 <--> RJ45 pin 2     Is this suitable?
Neutral      <--> RJ45 pin 1     Or should we kill phones too?
So, I said this about controlling who can query "version.bind":
"allow-query" lets you control who can see that information:
zone "bind" chaos { allow-query { 127.0.0.1 ; xxx.xxx.xxx.xxx/len ; } ; type master; file "filename"; };
and Rob Thomas was kind enough to point out that this caused bind9 to dump core. I did, in fact, take the example from a bind8 server. I tried replicating it in bind9, and while it didn't dump core (perhaps that was 9.0.x behavior?), on 9.1.0 the log messages suggested that I acquaint myself with "views." I did, and a named.conf for a recursive server that only allows localhost to access the "bind" zone for class "CHAOS" while performing general recursive service for class "IN" is:

view "external" {
        match-clients { any ; } ;
        zone "127.in-addr.arpa" {
                type master ;
                notify no ;
                file "primary/127.in-addr.arpa" ;
        } ;
        zone "." {
                type hint ;
                file "cache/cache.db" ;
        } ;
} ;

view "local" chaos {
        match-clients { 127.0.0.1 ; } ;
        zone "bind" {
                type master ;
                file "primary/bind" ;
        } ;
        zone "." {
                type hint ;
                file "cache/cache.chaos" ;
        } ;
} ;

Zone file contents are left as an exercise to the reader; it seems to do the trick in restricting access in the same manner as my bind8 example. Thank you to Rob for pointing out that my solution only worked for bind8; hopefully this helps anyone trying to puzzle it out for bind9.

Stephen
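The zone file Stephen leaves as an exercise, as an added example that is not from the thread: a constructed primary/bind for the "local" CHAOS view above. Configuring your own zone "bind" in class CHAOS replaces BIND 9's built-in one for that view, so version.bind and authors.bind answer with whatever TXT records are placed here (the strings below are placeholders), and clients that match no CHAOS view get no answer at all rather than a telltale bogus version.

```zone
; primary/bind -- CHAOS-class zone served only to the "local" view's
; match-clients.  Constructed example; record contents are placeholders.
$TTL 0
$ORIGIN bind.
@               CH  SOA     localhost. hostmaster.localhost. (
                            2001013001  ; serial
                            3600        ; refresh
                            900         ; retry
                            604800      ; expire
                            0 )         ; minimum
@               CH  NS      localhost.

; The two names this thread is about.  Owner names are relative to
; $ORIGIN, so these are version.bind. and authors.bind.
version         CH  TXT     "not disclosed"
authors         CH  TXT     "not disclosed"
```

Because this zone carries its own $TTL line, it also passes the BIND 8.2.3 / 9.x check discussed at the start of the thread.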
participants (13)
- bmanning@vacation.karoshi.com
- Christopher L. Morrow
- jamie rishaw
- Jared Mauch
- jlewis@lewis.org
- Marius Strom
- Paul Vixie
- Pim van Riezen
- poptix@sleepybox.poptix.net
- Shawn McMahon
- Stephen Stuart
- Steve Sobol
- Valdis.Kletnieks@vt.edu