20th December 2005, 16:25
ZebraCobra
Question

Thanks for the fast response. In the /etc/resolv.conf file I only have the DNS server list for my ISP. I also did a rootkit scan as you recommended and everything passed OK. I have BIND version 9.3.1, under chroot /var/named/chroot, which I believe is the secure version.

Here is my named.conf file, which was created by Webmin:


//
// named.conf for Red Hat caching-nameserver
//

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

include "/etc/rndc.key";

zone "ABC.DEF.GHI.in-addr.arpa" {
    type master;
    file "/var/named/ABC.DEF.GHI.rev";
};

zone "virtualdomain1.com" {
    type master;
    file "/var/named/virtualdomain1.hosts";
};


I am guessing my problem is named.conf; I have seen other examples of it and they have different views and ACLs??

Part of the ISP letter:

Reported Incident:

All time stamps are based on time zone: -600

Recursive DNS lookup DOS attack:

Please, stop allowing open recursive lookups from external sources.

We've all seen a few related posts recently on related DNS amplification attacks here and it's getting progressively worse. The latest victim has been undergoing DOS attacks on a daily basis well in excess of 6GB/s for several weeks and it is _really_ hurting their business. We'd like to solicit as much help as possible from everyone in order to prevent the next victim from being one of us.

To help customers in cleaning up their DNS configurations, a secure BIND configuration template can be found at: http://www.cymru.com/Documents/secur...-template.html.


Any ideas???
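Added example (not part of the original post, and not code from BIND or Webmin): a small Python check that classifies a named.conf as open, restricted or disabled for recursion, run over a trimmed copy of the posted config and a constructed hardened variant. It assumes BIND 9.3-era defaults (recursion answered for any client unless configured otherwise) and treats the file as one scope without per-view analysis; the `trusted` ACL name and the 192.0.2.0/24 range are placeholders.

```python
import re

# Constructed samples: AS_POSTED is trimmed from the config in the post;
# HARDENED adds a hypothetical "trusted" ACL (192.0.2.0/24 is a placeholder).
AS_POSTED = """
options {
    directory "/var/named";
    // query-source address * port 53;
};
zone "virtualdomain1.com" { type master; file "/var/named/virtualdomain1.hosts"; };
"""
HARDENED = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };  // placeholder client range
options {
    directory "/var/named";
    allow-recursion { trusted; };
};
zone "virtualdomain1.com" { type master; file "/var/named/virtualdomain1.hosts"; };
"""

OPEN_ENTRIES = {"any", "0.0.0.0/0", "::/0"}

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def recursion_status(conf):
    """Return 'disabled', 'restricted' or 'open' for a named.conf text.

    Assumption: BIND 9.3-era defaults, where recursion is on and answered
    for any client unless recursion or allow-recursion says otherwise.
    The file is treated as a single scope (no per-view analysis).
    """
    text = strip_comments(conf)
    if re.search(r"\brecursion\s+no\s*;", text):
        return "disabled"
    acls = re.findall(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if not acls:
        return "open"  # nothing limits who may recurse
    for body in acls:
        entries = {e.strip().strip('"') for e in body.split(";") if e.strip()}
        if entries & OPEN_ENTRIES:
            return "open"
    return "restricted"

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(f"{name}: recursion is {recursion_status(conf)}")
```

Authoritative zones keep answering external queries in the hardened variant; only recursive lookups are limited to the listed clients.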