BIND 9 Security
Outline
- BIND version upgrades
  - Available versions
  - BIND 9 Security Vulnerability Matrix
  - ISC mailing lists
  - Building from source
- BIND security configuration
  - Access control lists (ACLs)
  - Restricting source queries
  - Rate limiting
  - Zone transfer restrictions
  - TSIG-signed zone transfers
BIND version upgrades (2): BIND 9 Security Vulnerability Matrix
- ISC's BIND 9 Security Vulnerability Matrix lists, per release, which published vulnerabilities affect it; check the running version against it before deciding whether to upgrade.
BIND version upgrades (3): ISC mailing lists
- bind-announce: new release notifications and CVE notices
- bind-users: questions from BIND users
BIND version upgrades (4): Building from source
- Build environment requirements: gcc, make, openssl, libxml2
- Obtain the build configuration of the running binary with `named -V` (version, platform, configure flags, and the OpenSSL and libxml2 versions it was compiled with and linked against):

    $ named -V
    BIND 9.9.9-P3 (Extended Support Version) <id:1b68143>
    running on Linux x86_64 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014
    built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-ipv6' '--enable-threads' '--enable-rrl'
    compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
    compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
    linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
    compiled with libxml2 version: 2.7.6
    linked to libxml2 version: 20706

- Reuse the same configure flags when compiling the new version so the replacement binary keeps the same paths and features (for example `--enable-rrl` for rate limiting).
BIND security configuration
BIND security configuration (1): Access control lists
- Syntax: `acl acl-name { address_match_list };`
- Define a named ACL once and reference it wherever an address match list is accepted, e.g. in a slave zone's allow-notify:

    acl "allowips" {
        10.0.1.1;
        192.168.0.0/30;    // 4 IPs
    };

    zone "example.com" {
        type slave;
        file "slave.example.com";
        allow-notify { "allowips"; };
    };
BIND security configuration (2): Restricting source queries
- allow-query (in /etc/named.conf): `any` is the permissive default shown below; replace it with the ACL or address list that is actually entitled to query the server.

    options {
        allow-query { any; };    // default: answers everyone; narrow to an ACL
    };

- recursion (in /etc/named.conf): an authoritative server should not answer recursive queries, which keeps it from being abused as an open resolver.

    options {
        recursion no;
    };
BIND security configuration (3): Rate limiting
- Response rate limiting in the options block (requires a build with `--enable-rrl`), with exempt clients and logging of limited responses:

    options {
        rate-limit {
            responses-per-second 10;
            nxdomains-per-second 5;
            exempt-clients {
                61.220.0.0/20;
                173.194.93.0/24;
            };
            log-only no;
        };
    };

    logging {
        channel rate_log {
            file "/Path/to/log" versions 3 size 10m;
            severity info;
            print-severity no;
            print-time yes;
        };
        category rate-limit { rate_log; };
    };

- `log-only yes` logs what would have been limited without dropping anything, which is useful for tuning the thresholds before enforcing them.
BIND security configuration (4): Zone transfer restrictions
- Limit AXFR/IXFR to the secondary servers' addresses in /etc/named.conf:

    options {
        allow-transfer { 192.168.0.1; 10.0.1.1; };
    };
BIND security configuration (5): TSIG zone transfer, master side
- /etc/named.conf on the master: define the key and allow transfers only to requests signed with it (the secret is a base64-encoded shared value that must be identical on both servers):

    key "KEYNAME" {
        algorithm hmac-md5;
        secret "KEY_STRING";
    };

    options {
        allow-transfer { key KEYNAME; };
    };

- BIND also accepts hmac-sha256 as the TSIG algorithm, which ISC recommends over hmac-md5 for new keys.
BIND security configuration (6): TSIG zone transfer, slave side
- /etc/named.conf on the slave: the same key definition, plus a server statement so that requests to the master are signed with it:

    key "KEYNAME" {
        algorithm hmac-md5;
        secret "KEY_STRING";
    };

    server Master_IP_address {
        keys { KEYNAME; };
    };
BIND security configuration (7): TSIG zone transfer, log output
- Slave log (a successful signed transfer shows the key name on the "transferred serial" line):

    dd-mm-YYYY HH:MM:SS.sss zone Domain.Name/IN: Transfer started.
    dd-mm-YYYY HH:MM:SS.sss transfer of 'Domain.Name/IN' from Master_IP_address#53: connected using Slave_IP_address#54518
    dd-mm-YYYY HH:MM:SS.sss zone Domain.Name/IN: transferred serial 1479862862: TSIG 'KEYNAME'
    dd-mm-YYYY HH:MM:SS.sss transfer of 'Domain.Name/IN' from Master_IP_address#53: Transfer status: success
    dd-mm-YYYY HH:MM:SS.sss transfer of 'Domain.Name/IN' from Master_IP_address#53: Transfer completed: 1 messages, 6 records, 279 bytes, 0.001 secs (279000 bytes/sec)

- Master log (the client field carries "/key KEYNAME" and the start line ends with the TSIG key name):

    dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (Domain.Name): transfer of 'Domain.Name/IN': AXFR-style IXFR started: TSIG KEYNAME
    dd-mm-YYYY HH:MM:SS.sss client Slave_IP_address#54518/key KEYNAME (Domain.Name): transfer of 'Domain.Name/IN': AXFR-style IXFR ended
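The master-side log lines above are what a defender can audit to confirm that every outbound zone transfer was TSIG-signed with the expected key. The following is an added example, not part of the original slides: it parses constructed log lines modelled on the format shown (the two unsigned AXFR lines are an assumption about how an unsigned transfer is logged, with no "/key" and no "TSIG" suffix) and flags transfers that were unsigned or used an unexpected key.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the master-side lines above; lines 3-4 are an
# assumed unsigned AXFR (no "/key NAME" in the client field, no "TSIG" suffix).
MASTER_LOG = """\
01-12-2016 10:00:00.001 client Slave_IP_address#54518/key KEYNAME (Domain.Name): transfer of 'Domain.Name/IN': AXFR-style IXFR started: TSIG KEYNAME
01-12-2016 10:00:00.004 client Slave_IP_address#54518/key KEYNAME (Domain.Name): transfer of 'Domain.Name/IN': AXFR-style IXFR ended
01-12-2016 10:05:00.000 client 203.0.113.7#40001 (Domain.Name): transfer of 'Domain.Name/IN': AXFR started
01-12-2016 10:05:00.003 client 203.0.113.7#40001 (Domain.Name): transfer of 'Domain.Name/IN': AXFR ended
"""

TRANSFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#\s]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))? \([^)]*\): transfer of '(?P<zone>[^']+)': "
    r"(?:AXFR-style IXFR|AXFR|IXFR) (?P<phase>started|ended)(?:: TSIG (?P<tsig>\S+))?$"
)

@dataclass
class Transfer:
    ts: str
    client: str          # ip#port of the requesting secondary
    zone: str
    key: Optional[str]   # TSIG key name from the client field; None if unsigned

def parse_transfers(log_text: str) -> List[Transfer]:
    """One record per 'started' line; 'ended' and unrelated lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.match(line)
        if m and m["phase"] == "started":
            records.append(Transfer(m["ts"], f"{m['ip']}#{m['port']}", m["zone"], m["key"]))
    return records

def audit_transfers(log_text: str, allowed_keys) -> List[str]:
    """Flag transfers that were unsigned or signed with a key outside allowed_keys."""
    findings = []
    for t in parse_transfers(log_text):
        if t.key is None:
            findings.append(f"{t.ts} UNSIGNED transfer of {t.zone} to {t.client}")
        elif t.key not in allowed_keys:
            findings.append(f"{t.ts} transfer of {t.zone} to {t.client} used unexpected key {t.key}")
    return findings

if __name__ == "__main__":
    for finding in audit_transfers(MASTER_LOG, {"KEYNAME"}):
        print(finding)
```

With `allow-transfer { key KEYNAME; };` in place an unsigned transfer should never succeed, so any UNSIGNED finding points at a host whose allow-transfer was not tightened.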