Resolve DNS Misconfiguration abuse complaint

Question

Today i received a abuse complaint about my dns server.

Translation courtesy of Froggiz

Hi,

The CERT-FR has been informed by one of his partner that one or more domain name server (DNS) below aren't validating the IP source of the transfert protocol of "zone AXFR"

ID,Domain,Name server,IP address,Country 329872,mydomain.com,ns1.mydomain.com.,101.51.251.156,FR 329872,mydomain.com,ns2.mydomain.com.,101.51.251.156,FR

Consequently, anyone is able to get the whole DNS records and hosted domain on this DNS.

You can find more informations and help in the following link: http://www.cert.ssi.gouv.fr/site/CERTA-2012-ACT-048/CERTA-2012-ACT-048.html

It is your responsibility to check the veracity of this information and take appropriate corrective measures

The CERT-FR stands at your disposal for more informations or advices

here is the complaint , its french!

Bonjour,
Le CERT-FR a été informé par l'un de ses partenaires que le ou les
serveurs de noms (DNS) ci-dessous n'effectuent pas de validation de
l'adresse IP source lors de l'utilisation du protocole de transfert de
zone AXFR :
ID,Domain,Name server,IP address,Country
329872,mydomain.com,ns1.mydomain.com.,101.51.251.156,FR
329872,mydomain.com,ns2.mydomain.com.,101.51.251.156,FR
Par conséquent, n'importe qui est en capacité de récupérer l'intégralité
des informations DNS du ou des domaines hébergés sur ce ou ces serveurs
de noms.
Vous pourrez trouver des informations complémentaires à l'aide du lien
suivant :
http://www.cert.ssi.gouv.fr/site/CERTA-2012-ACT-048/CERTA-2012-ACT-048.html
Il vous revient de vérifier la véracité de cette information et de
prendre les mesures de correction adaptées.
Le CERT-FR se tient à votre disposition pour toute information ou
conseil complémentaires.
Cordialement,

On my server for DNS i am using Bind9:

here its the my bind configuration:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 101.51.251.156;}; ### Master DNS IP ###
#    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any;}; ### IP Range ###
   // allow-recursion {"none";};
    //allow-transfer{ localhost; 101.51.251.156; };   ### Slave DNS IP ###

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "mydomain.com" IN {
type master;
file "mydomain.com.zone";
allow-update { none; };
};



include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

And my zone file :

$TTL 86400;    
@ IN SOA ns1.mydomain.com. admin.mydomain.com. (
            2010062801 ; Serial
            10800 ; Refresh    
            3600 ; Retry    
            604800 ; Expire
            86400 ; Minimum
)    

mydomain.com. IN NS ns1.mydomain.com.    
mydomain.com. IN  NS  ns2.mydomain.com.
mydomain.com.       IN A 101.51.251.156    
ns1.mydomain.com.   IN A 101.51.251.156    
ns2.mydomain.com.   IN A 101.51.251.156
www.mydomain.com.   IN A 101.51.251.156    
ftp.mydomain.com.   IN A 101.51.251.156
mail.mydomain.com.  IN A 101.51.251.156
*.mydomain.com.  IN A 101.51.251.156
mydomain.com.       IN MX 10 mail.mydomain.com.

I want know what i do wrong , and what should i do to resolve this issue

Thank in advance

score 3 · Answer 1 · answered Nov 15 '15 at 13:55

3

You've removed the allow-transfer directive from your configuration, thus anyone in the world can download your entire zone file.

Whether this is a problem depends on whether you have a need to keep this information private.

answered Nov 15 '15 at 13:55

Michael Hampton

237,123
42
477
940

thanks , now if i just uncomment `allow-transfer` its ok ? do you have any other security advice in my confg file ? – user1086010 Nov 15 '15 at 15:27
`allow-transfer { none; };` – Jacob Evans Nov 15 '15 at 17:33
@JacobEvans what different `allow-transfer{ localhost; myServerIp; };` and `allow-transfer { none; };` – user1086010 Nov 15 '15 at 18:18
The only servers in your list should be slaves or none – Jacob Evans Nov 15 '15 at 18:31

Resolve DNS Misconfiguration abuse complaint

1 Answers1