[CentOS] bind (named) compromised?

Mon Feb 10 01:55:38 UTC 2014
SilverTip257 <silvertip257 at gmail.com>

On Sun, Feb 9, 2014 at 3:55 PM, Peter Eckel <lists at eckel-edv.de> wrote:

> Hi James,
> you seem to be running an open DNS resolver, is that correct? And if so,
> do you do it intentionally?

Nux! and Peter are almost certainly correct.

If the OP were to run tcpdump with the -A flag on the external/public-facing
interface, I'd expect he'll see a slew of ANY queries.

# untested
# but the pipe to grep should highlight the word any while still displaying
# everything tcpdump's filter matches on (dns queries on port 53)
# (pattern 'any|$' assumed from that description: the empty alternative matches
# every line, so nothing is filtered out and only "any" gets coloured)
tcpdump -i <public-facing_interface> -nnA port 53 | grep --color -i -E 'any|$'

The OP likely doesn't want to be an open recursive DNS server.

He can rate-limit DNS queries per source or better yet, set up bind views
and separate ACLs ... trusted hosts in one and everyone else (external
Internet hosts) in the other.  In the internal/trusted view leave recursion
enabled for those hosts (I expect that's what you want).  AND most
importantly in the external view _disable_ recursion.  If there's no reason
for you to answer any queries on your public facing interface, then disable
it altogether (you could be running an authoritative name server on that
box, so you wouldn't want to do that!).

Tips to secure your BIND install ... brought to you by Team Cymru [0]

And while you're at it, if you're running ntpd - secure it too [1] if you
haven't already. (Essentially disable monitor/monlist command responses.)

[0] http://www.cymru.com/Documents/secure-bind-template.html
[1] http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

> I just received an US-CERT alert today that warns about ongoing
> amplification attacks, among others against DNS, but also against some
> other UDP based services.
> <https://www.us-cert.gov/ncas/alerts/TA14-017A>
> From the symptoms you describe I'd say that your DNS server is being used
> in such an attack.
> > I also see a chroot directory, but if I grep for named it doesn't appear
> > to be using the chroot(?):
> > # ps aux | grep named
> > named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 /usr/sbin/named -u named
> > root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named
> Do you have the bind-chroot package installed?
> Best regards,
>   Peter.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

//  SilverTip257  //
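As an added example (not from this thread or the Team Cymru template), here is a minimal named.conf split into the two views described above: a trusted view that recurses and an external view that only answers authoritatively, with response rate limiting on top. The network, interface and zone names are placeholders, and the rate-limit block assumes a BIND build with RRL support (9.9.4 or later).

```conf
// Added example: internal (recursive) and external (authoritative-only) views.
// Networks and zone files are placeholders; adjust to the real environment.

acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;          // placeholder: the LAN that is allowed to recurse
};

options {
    directory "/var/named";
    listen-on port 53 { any; };   // narrow to the internal address if nothing
                                  // public needs answering at all
    recursion no;                 // global default: each view decides for itself
};

// Views are matched in order, so the trusted view must come first.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    zone "." IN { type hint; file "named.ca"; };
    zone "example.com" IN {       // placeholder authoritative zone
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // never resolve on behalf of the Internet
    allow-recursion { none; };
    allow-query-cache { none; };  // no cached answers for ANY or anything else
    rate-limit {                  // needs a BIND with RRL (9.9.4 or later)
        responses-per-second 5;
        window 5;
    };
    zone "example.com" IN {       // same placeholder zone, served to everyone
        type master;
        file "example.com.zone";
    };
};
```

Run named-checkconf on the file before reloading; a view that forgets a zone present in the other view simply answers REFUSED for it, which is easy to miss until a client complains.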