How To Patch BIND9 against DNS Cache Poisoning Debian Etch

Discussion in 'HOWTO-Related Questions' started by Infomediador, Jul 29, 2008.

  1. Infomediador

    Infomediador New Member

    I followed the instructions in Falko's howto but I came up against a problem. My system is Etch (stable) after an apt-get update I tried to apt-get install bind9 bind9-host and was told they were up to date.

    Just to check I did apt-get -s install -t unstable bind9 bind9-host and this time was told there was a new version, problem is that among other things it wants to remove several packages that I need.

    What can I do to install the patched version of bind?

    thx

    Alan
     
  2. Rocky

    Rocky New Member

    Hey,

    Did you run the command to find out if your DNS needs the patch? Also, can you be specific about your system setup and what packages it wants to remove?

    Rocky
     
  3. Infomediador

    Infomediador New Member

    Rocky,

    In answer to your questions:

    I ran the the test and my DNS needs to be upgraded.

    The result of the apt-get:

    apt-get -s install bind9 bind9-host -t unstable
    Reading package lists... Done
    Building dependency tree... Done
    The following extra packages will be installed:
    bind9utils gnupg libasn1-8-heimdal libattr1 libbind9-40 libc6 libc6-dev libc6-i386 libcap2 libdb4.6 libdns43
    libgcrypt11 libgcrypt11-dev libgnutls26 libhdb9-heimdal libheimntlm0-heimdal libhx509-3-heimdal libisc41
    libisccc40 libisccfg40 libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkeyutils1
    libkrb5-25-heimdal libkrb53 libldap-2.4-2 liblwres40 libnfsidmap2 libpcre3 libroken18-heimdal libssl-dev
    libssl0.9.8 libwind0-heimdal libxml2 locales tzdata
    Suggested packages:
    resolvconf gnupg-doc libpcsclite1 glibc-doc manpages-dev rng-tools libgcrypt11-doc gnutls-bin krb5-doc
    krb5-user
    The following packages will be REMOVED:
    apache-common apache2 apache2-mpm-prefork apache2-utils apache2.2-common cupsys heimdal-dev
    libapache-mod-php4 libapache2-mod-defensible libapache2-mod-geoip libapache2-mod-php5
    libapache2-mod-security2 libaprutil1 libhdb7-heimdal libkadm5clnt4-heimdal libkadm5srv7-heimdal libldap2
    mod-security2-common php4 php4-imap php4-mysql samba samba-common sasl2-bin smbclient smbfs squid
    The following NEW packages will be installed:
    bind9utils libasn1-8-heimdal libbind9-40 libcap2 libdb4.6 libdns43 libgnutls26 libhdb9-heimdal
    libheimntlm0-heimdal libhx509-3-heimdal libisc41 libisccc40 libisccfg40 libkadm5clnt7-heimdal
    libkadm5srv8-heimdal libkeyutils1 libkrb5-25-heimdal libldap-2.4-2 liblwres40 libroken18-heimdal
    libwind0-heimdal
    The following packages will be upgraded:
    bind9 bind9-host gnupg libattr1 libc6 libc6-dev libc6-i386 libgcrypt11 libgcrypt11-dev libkafs0-heimdal
    libkrb53 libnfsidmap2 libpcre3 libssl-dev libssl0.9.8 libxml2 locales tzdata
    18 upgraded, 21 newly installed, 27 to remove and 536 not upgraded.

    As you can see it will remove apache2 and cupsys (not good, because I use both of them).

    Any suggestions?

    TIA
     
  4. Rocky

    Rocky New Member

    What happens when you try the following?
    apt-get install bind9 bind9-host
     
  5. Infomediador

    Infomediador New Member

    apt-get -s install bind9 bind9-host
    Reading package lists... Done
    Building dependency tree... Done
    bind9 is already the newest version.
    bind9-host is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.

    BTW: the version installed is 9.3.4
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/apt/sources.list?
     
  7. abonadon

    abonadon New Member

    Moving from "POOR" to "GREAT"

    I had the same problem described here. I fixed it by editing my /etc/bind/named.conf file to comment out "port 53" as the "query-source address." The Debian Etch named.conf file provides the explanation behind the query-source address issue (no longer up to date, in light of the current cache poisoning problem and fix):

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    I originally had the query source line UNcommented. I don't have the firewall issue, so re-commenting the line was not a problem. However, I'm not sure what folks who have a firewall issue would do....

    Good luck.
     
    Last edited: Jul 31, 2008
  8. Infomediador

    Infomediador New Member

    HereĀ“s my /etc/apt/sources.list

    # deb http://ftp.debian.org/debian/ etch main

    deb http://ftp.debian.org/debian/ etch main contrib non-free
    deb-src http://ftp.debian.org/debian/ etch main

    deb http://security.debian.org/ etch/updates main contrib non-free
    deb-src http://security.debian.org/ etch/updates main contrib

    ## deb http://mirrors.kernel.org/debian/ unstable main contrib non-free
    deb ftp://mirrors.kernel.org/debian/ unstable main contrib non-free
    deb-src ftp://mirrors.kernel.org/debian/ unstable main

    deb http://mirrors.kernel.org/debian/ testing main contrib non-free
    deb-src http://mirrors.kernel.org/debian/ testing main

    deb http://volatile.debian.net/debian-volatile etch/volatile main

    deb http://www.backports.org/debian etch-backports main contrib non-free

    and just in case, /etc/apt/preferences

    Package: *
    Pin: release a=stable
    Pin-Priority: 700

    Package: *
    Pin: release a=testing
    Pin-Priority: 650

    Package: *
    Pin: release a=unstable
    Pin-Priority: 600

    as per the comments of the previous poster I have already made some changes to my bind config. I am using it at as a caching server so I limited access to clients on my network and blocked transfers. Now when I run the poisoned cache test I get a "good" result. But I would still like to understand why I cannot install the latest version of bind.

    Thx.
     
  9. falko

    falko Super Moderator ISPConfig Developer

    I'd comment out the unstable and testing repositories, run
    Code:
    apt-get update
    , and try again.
     
  10. Infomediador

    Infomediador New Member

    Sorry for the delay. I commented out all of the repositories except stable and I still get the same result.

    Just to be sure about this: the bind version reported on my system is 9.3.4
    I looked it up and according to debian.org this is the latest "stable" version.
    Is there a later version which fixes the dns cache poisoning issue?

    Thx
     
  11. falko

    falko Super Moderator ISPConfig Developer

    Not that I know...
     

Share This Page