Audit report reg Bind version

zxcv
Super Advisor

Hi,

We do not have an HP-UX server in our setup for DNS... we are using a Windows machine.

Recently we had an audit which gave us the following report:

The remote BIND 9 DNS server, according to its version number, is vulnerable to a buffer overflow which may allow an attacker to gain a shell on this host or to disable this server.

As far as I know we use BIND for DNS services.

These servers are HP-UX 11iv2, where we only use SMTP for sending mails.

What should be our ideal reply for this case?

2 REPLIES
Matti_Kurkela
Honored Contributor

Re: Audit report reg Bind version

First, find the actual IP address of the "remote BIND 9 DNS server" the report is talking about.

Once you know that, see if that host is actually running BIND 9 or not.

If it is, read its configuration (typically /etc/named.conf) to see if it's configured to act as authoritative (= either master or slave) for any DNS zones or not.

If not, it's only working as a caching DNS resolver: turn on query logging and/or check the DNS settings of your servers (/etc/resolv.conf) to see which systems (if any) use this BIND for hostname resolution.

If there are none, or if you can configure the systems to use a different nameserver, you can disable BIND:

Run "sh /sbin/init.d/named stop" and modify /etc/rc.config.d/namesvrs to say "NAMED=0" instead of "NAMED=1".


If you're required to keep BIND running after all (= either it's being used as an authoritative DNS server or a resolver for other hosts and you cannot move these things elsewhere), you should go to http://software.hp.com and search for BIND to find the latest BIND upgrade package for your HP-UX version: currently the latest for 11iv2 is C.9.3.2.8.0. It contains some backported patches compared to "vanilla" BIND source code package from its developer, isc.org. You might want to update to the latest version and then copy the list of fixed security bugs from the Release Notes to your response to the audit: according to the audit report, the auditor has only done a simple version number check, which may not take into account any backported patches in the HP-packaged version of BIND.


If that version is not new enough for your auditor's satisfaction, you have two options: either respond with "this is the latest version supported by HP; there is no newer version available", or get the latest BIND source code from isc.org and compile it yourself. The latter requires a working ANSI C compiler and someone with the basic skills for compiling Unix software from source.

MK
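The checks above (is the host authoritative for any zone, and do other systems point their /etc/resolv.conf at it) can be run mechanically before deciding whether named can simply be stopped. The script below is an added example, not code from this thread or from HP: it parses a named.conf in the same shape as the one posted here, lists the zones declared master or slave, ignores the root hints zone, and tests whether a resolv.conf names the BIND host. The named.conf, the resolv.conf and the addresses 192.0.2.53 / 192.0.2.10 are constructed samples; point it at the real /etc/named.conf and each client's /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example: classify the zones in a named.conf and check which clients
# resolve through the BIND host. All sample data below is constructed.

# Constructed named.conf, same layout as the one posted in the thread.
SAMPLE_NAMED_CONF='options {
        directory "/etc/named.data";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "db.127.0.0";
};

zone "example.test" {
        type master;
        file "db.example";
};

zone "corp.example.test" {
        type slave;
        masters { 192.0.2.10; };
        file "db.corp";
};

zone "." {
        type hint;
        file "db.cache";
};
'

# Constructed resolv.conf of a client that points at the BIND host 192.0.2.53.
SAMPLE_RESOLV_CONF='domain example.test
nameserver 192.0.2.53
nameserver 192.0.2.54
'

# authoritative_zones CONF: print one name per line for every zone whose type
# is master or slave. Zones of type hint (root hints) or forward are skipped.
# The loopback reverse zone is reported too because named.conf declares it
# master; it never justifies keeping a public BIND alive on its own.
authoritative_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { zone = $2; gsub(/"/, "", zone) }
        /^[ \t]*type[ \t]+(master|slave)[ \t]*;/ { if (zone != "") print zone }
        /^[ \t]*};/ { zone = "" }
    ' "$1"
}

# count_real_authoritative CONF: number of authoritative zones other than the
# loopback reverse zone, i.e. the zones that would stop you from disabling named.
count_real_authoritative() {
    authoritative_zones "$1" | grep -v -i '^0\.0\.127\.IN-ADDR\.ARPA$' | wc -l | tr -d ' '
}

# resolv_uses RESOLV_CONF IP: succeed when the file lists IP as a nameserver.
resolv_uses() {
    awk -v ip="$2" '$1 == "nameserver" && $2 == ip { found = 1 } END { exit !found }' "$1"
}

# Write the constructed samples to a scratch directory and run the checks.
WORK=$(mktemp -d)
printf '%s' "$SAMPLE_NAMED_CONF" > "$WORK/named.conf"
printf '%s' "$SAMPLE_RESOLV_CONF" > "$WORK/resolv.conf"

echo "Authoritative zones in $WORK/named.conf:"
authoritative_zones "$WORK/named.conf"
if [ "$(count_real_authoritative "$WORK/named.conf")" -eq 0 ]; then
    echo "No authoritative zones beyond loopback: candidate for stopping named"
else
    echo "Host is authoritative: keep BIND running and apply the HP upgrade package"
fi
if resolv_uses "$WORK/resolv.conf" 192.0.2.53; then
    echo "Client resolv.conf points at 192.0.2.53: repoint it before disabling named"
fi
```

Run the resolv_uses check on every HP-UX box (and any other client) against the IP from the audit report; a BIND host that is neither authoritative nor listed anywhere as a nameserver is the case where "NAMED=0" in /etc/rc.config.d/namesvrs is the clean answer.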
zxcv
Super Advisor

Re: Audit report reg Bind version

Hi Matti,

I have 3 Unix servers and one Win2003 DNS server.

I ran the following from one of my Unix boxes:

root #/ >dig -t txt -c chaos VERSION.BIND @10.1.4.214

; <<>> DiG named 9.2.0 <<>> -t txt -c chaos VERSION.BIND @10.1.4.XX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMPL, id: 58889
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;VERSION.BIND.                  CH      TXT

;; Query time: 0 msec
;; SERVER: 10.1.4.XX#53(10.1.4.XX)
;; WHEN: Mon Sep 12 16:16:32 2011
;; MSG SIZE  rcvd: 30


root #/ >cat /etc/named.conf
#
# type domain source file
#

options {
        directory "/etc/named.data";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "db.127.0.0";
};

zone "cedgedns.in" {
        type master;
        file "db.XXXdns";
};

zone "4.1.10.IN-ADDR.ARPA" {
        type master;
        file "db.10.1.4";
};

zone "." {
        type hint;
        file "db.cache";
};

I tried disabling BIND on one of my Unix boxes, using /sbin/init.d/named, successfully.

My question is: does anything need to be done on my Win2003 box?