https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192172#M164986 BIND is DNS, but DNS isn't BIND... Mon, 16 Feb 2004 10:35:05 GMT Paul Cross_1 2004-02-16T10:35:05Z https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192169#M164983 We have one DNS server on our network that all the Asian root servers love to send binaries to over port 53. Hence I have the following 2 questions.<BR /><BR />2 Questions:<BR /><BR />1) Is there a way we can secure the DNS server to reject a DNS response with binary code in it?<BR /> <BR />2) Is there really some legimate DNS traffic to a BIND server that should be from a root server? Or in other words, is there going to be any problems if we start blocking this type of traffic.<BR /><BR />Michael Fri, 13 Feb 2004 16:47:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192169#M164983 Michael_423 2004-02-13T16:47:51Z https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192170#M164984 Hello Michael,<BR /><BR />you might get a useful answer here (a number of experienced UX folks frequent this Linux forum) but if you want to discuss hpux specific details you might be better off over in the hpux forum at<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/familyhome.do?familyId=117" target="_blank">http://forums1.itrc.hp.com/service/forums/familyhome.do?familyId=117</A><BR /><BR />All the best,<BR /><BR />Martin <BR /> Fri, 13 Feb 2004 17:13:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192170#M164984 Martin P.J. Zinser 2004-02-13T17:13:59Z https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192171#M164985 1) I properly configured DNS server with BIND 9.2.0 will not allow tranfers of binaries. It will only answer valid requests for name resolution infomration.<BR /><BR />2) BIND is DNS DNS is BIND. Two names for the same thing. <BR /><BR />I do not believe you need to do anything to the BIND version from software.hp.com to secure it against this kind of attack.<BR /><BR />Do you have any evidence that this has been done to your servers?<BR /><BR />In the HP-UX security section <A href="http://forums1.itrc.hp.com/service/forums/categoryhome.do?categoryId=155" target="_blank">http://forums1.itrc.hp.com/service/forums/categoryhome.do?categoryId=155</A> you will see posts by Berlene Herren. She has posted a number of DNS/BIND security warnings in the past month. Following the instructions there will leave you secure.<BR /><BR />SEP Sat, 14 Feb 2004 23:15:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192171#M164985 Steven E. Protter 2004-02-14T23:15:30Z https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192172#M164986 BIND is DNS, but DNS isn't BIND... Mon, 16 Feb 2004 10:35:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192172#M164986 Paul Cross_1 2004-02-16T10:35:05Z https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192173#M164987 Yes, I realized after my post that you don't need BIND to do DNS. DNS 4.9 was not BIND and Microsoft does it quite nicely without BIND.<BR /><BR />Thanks for the correction.<BR /><BR />I'm asking HP to move this thread to HP-UX.<BR /><BR />SEP Mon, 16 Feb 2004 11:03:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/securing-hp-ux-dns/m-p/3192173#M164987 Steven E. Protter 2004-02-16T11:03:08Z