Security Incidents mailing list archives

Re: Logging named version requests


From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Wed, 7 Feb 2001 09:26:58 +0100

"Osvaldo J. Filho" wrote:

        With all these bind bugs buzzing, I did a (very) small patch to
(sys)log the version request for the latest 8.x.x named (8.2.3-REL). It
can be found at http://brsec.xnext.com.br/named-patch.tgz.

        I think this is really important to keep an eye on intruders
looking for vulnerable servers on your network.

Another way to do that without having to recompile bind:

1/ A zone file:
[root@mary zone]# more /var/named/zone/bind
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
                        1 ; serial
                        3H ; refresh
                        1H ; retry
                        1W ; expiry
                        1D ) ; minimum
        CHAOS NS localhost.

2/ And in the named.conf file:

zone "bind" chaos { allow-query {localhost; }; type master; file "zone/bind"; };

3/ Now, the result in the syslog log file:

Feb  6 15:41:40 mary named[4159]: denied query from [X.X.X.X].3207 for "version.bind"


Enjoy,
Nicob
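
An added example, not part of the original post: a small Python parser that tallies the denied CHAOS-zone queries logged by the setup above, per source address. The log lines are constructed in the format of the syslog line shown in the post, the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the named syslog line format shown in the post, e.g.
#   Feb  6 15:41:40 mary named[4159]: denied query from [X.X.X.X].3207 for "version.bind"
DENIED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+named\[\d+\]:\s+'
    r'denied query from \[(?P<src>[^\]]+)\]\.(?P<port>\d+)\s+for\s+"(?P<qname>[^"]+)"'
)

# Constructed sample input (not real traffic).
SAMPLE_LOG = """\
Feb  6 15:41:40 mary named[4159]: denied query from [192.0.2.10].3207 for "version.bind"
Feb  6 15:41:41 mary named[4159]: starting.  named 8.2.3-REL
Feb  6 15:42:02 mary named[4159]: denied query from [198.51.100.7].1042 for "version.bind"
Feb  6 15:43:15 mary named[4159]: denied query from [192.0.2.10].3311 for "VERSION.BIND."
Feb  6 15:44:09 mary named[4159]: denied query from [203.0.113.5].4000 for "example.com"
Feb  6 15:45:30 mary sshd[812]: denied query from [192.0.2.99].22 for "version.bind"
"""


def parse_denied(lines):
    """Yield (timestamp, source, qname) for denied queries under the "bind" zone."""
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue  # not a named "denied query" line
        # DNS names are case-insensitive and may carry a trailing dot.
        qname = m.group("qname").lower().rstrip(".")
        if qname == "bind" or qname.endswith(".bind"):
            yield m.group("ts"), m.group("src"), qname


def probes_by_source(lines):
    """Count denied bind-zone queries per source address."""
    counts = Counter()
    for _ts, src, _qname in parse_denied(lines):
        counts[src] += 1
    return counts


if __name__ == "__main__":
    for src, n in probes_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src}\t{n} denied bind-zone queries")
```
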

