DNS Cache Poisoning affecting BIND -- Patch?

Discussion in 'Bind / DNS / Nameserver Issues' started by orty, Jul 9, 2008.

  1. orty

    orty Well-Known Member

  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    This must be addressed by your Operating System vendor (e.g., RedHat, CentOS, FreeBSD, etc.). cPanel does not distribute BIND.
     
  3. orty

    orty Well-Known Member

    Fair enough -- just wanted to know.

    If anybody comes across a way to verify this on a CentOS 5 install, feel free to e-mail me (or reply here, as I'm sure I'm not the only one looking for this).
     
  4. jpetersen

    jpetersen Well-Known Member

    Check the CentOS-announce list for the updated releases:

    i386:

    http://lists.centos.org/pipermail/centos-announce/2008-July/015077.html

    x86_64:
    http://lists.centos.org/pipermail/centos-announce/2008-July/015076.html

    You can check the installed version with the rpm command:

    Code:
    # rpm -q bind
    bind-9.2.4-28.0.1.el4
    
    or

    Code:
    # rpm -qa | grep ^bind
    bind-utils-9.2.4-28.0.1.el4
    bind-libs-9.2.4-28.0.1.el4
    bind-9.2.4-28.0.1.el4
    bind-devel-9.2.4-28.0.1.el4
    
    To update it, use your update method. e.g., "yum update bind", or "up2date bind", etc.


    edit: RHEL versions are here: https://rhn.redhat.com/errata/RHSA-2008-0533.html
     
    #4 jpetersen, Jul 9, 2008
    Last edited: Jul 9, 2008
  5. orty

    orty Well-Known Member

    That's what I needed to know -- how to check my current versions. Looks like my nightly update took care of it (at least on one server -- will check others in a bit):
    Code:
    # rpm -qa | grep ^bind
    bind-libs-9.3.4-6.0.1.P1.el5_2
    bind-utils-9.3.4-6.0.1.P1.el5_2
    bind-9.3.4-6.0.1.P1.el5_2
    bind-devel-9.3.4-6.0.1.P1.el5_2
    That appears to match the CentOS version numbers for the patch. Thanks!
     
  6. rrwh

    rrwh Well-Known Member

    This is valid BUT.. cPanel could do better in this respect.

    If you look at how cPanel creates a new zone record in the named.conf file, all it does is

    zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    };

    While this is all that is necessary, it is simply a good practice to add things to the config to make it more secure.

    What is wrong with cPanel by default using a more secure config for DNS - such as setting up an ACL for the name servers and only allowing the name servers to do a zone transfer?

    acl nameservers-acl {ip.of.name.server; ip.of.other.nameserver; };

    zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    allow-transfer { nameservers-acl; };
    };

    There are a lot of people who use cPanel and do not know squat about DNS, so this is an opportunity for cPanel to take a look at http://www.cert.org/archive/pdf/dns.pdf and implement some sane DNS hardening that will better protect every cPanel server.
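
Added example (not from rrwh's post and not cPanel code): a Python sketch that reads a named.conf and lists master zones with no allow-transfer restriction in effect, either in the zone itself or in the options block. The sample configuration is constructed from the two stanzas in the post with documentation-range addresses; the function names are chosen for this example, and views and comment characters inside quoted strings are not handled.

```python
import re

# Constructed sample: stock and hardened stanzas, documentation-range addresses.
SAMPLE = '''
acl nameservers-acl { 192.0.2.53; 198.51.100.53; };
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
};
zone "example.net" {
    type master;
    file "/var/named/example.net.db";
    allow-transfer { nameservers-acl; };  // only the listed name servers
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments (assumes none occur inside quotes)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def blocks(text, keyword):
    """Yield (quoted name or None, body) for each `keyword ... { body }`."""
    for m in re.finditer(r'\b%s\b\s*(?:"([^"]*)")?[^{;]*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def transfer_policy(body):
    """None if body has no allow-transfer, else True when it is not `any`."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    return m and "any" not in [e.strip() for e in m.group(1).split(";")]

def unrestricted_zones(conf):
    """Names of master zones with no allow-transfer restriction in effect."""
    text = strip_comments(conf)
    default = any(transfer_policy(b) for _, b in blocks(text, "options"))
    found = []
    for name, body in blocks(text, "zone"):
        own = transfer_policy(body)         # a zone setting overrides options
        if re.search(r"\btype\s+(master|primary)\b", body) and \
                not (default if own is None else own):
            found.append(name)
    return found

if __name__ == "__main__":
    print(unrestricted_zones(SAMPLE))
```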
     
  7. Doug E

    Doug E Well-Known Member

    Thanks for your reply jpetersen

    I have a question: how come your version (assumingly) and mine are 9.2.4-28... while orty's is 9.3.4... as is supposedly the most recent version according to the links you provided?
     
  8. hodfords

    hodfords Active Member

    One of our domain names has been poisoned...

    We are running cPanel 11 - CentOS 5

    Currently on:-
    bind-9.3.3-10

    We did a "yum update bind" on our testing server and it only updates BIND to 9.3.4-6, and according to BIND http://www.isc.org/index.pl?/sw/bind/index.php - all versions 9.3.4 are susceptible. So I guess it wouldn't fix the problem if we did a yum update....

    We have found that we could download the latest BIND 9.3.5-P1 - but that is in .tar.gz source and our current cPanel box is installed by RPM.... Is it safe to download source and install on a cPanel box?
     
  9. jpetersen

    jpetersen Well-Known Member

    The versions differ because the BIND version numbers for CentOS 4 and CentOS 5 differ (orty's server was CentOS 5, and yours and mine are either CentOS 4 or RHEL 4):

    CentOS 4 - bind-9.2.4-28.0.1.el4

    CentOS 5 - bind-9.3.4-6.0.1.P1.el5_2


    There's been another update for CentOS 5 as well:

    CentOS 5 - bind-9.3.4-6.0.2.P1.el5_2
     
  10. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    In yum.conf we have several packages in the "exclude" list; one of them is "bind-chroot". Did cPanel add it there and should it stay there?

    Anton.
     
  11. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    RedHat backports patches to the version of the application provided in the current RHEL version. CentOS in turn takes the source RPMs and makes them available in a corresponding CentOS version. You need to read the information in the links jpetersen provided.

    Yes, it was added as part of the 11.23 development cycle. We don't fully support running bind in a chroot at this time, hence we placed the exclude to preclude problems.
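
Added example (not part of cPanelKenneth's post or of any cPanel or CentOS tooling): because fixes are backported, the upstream version alone (9.3.4) does not show whether a package carries the fix; the full version-release string does. The Python sketch below compares a line of `rpm -q bind` output with the fixed builds quoted in this thread, using a simplified form of rpm's ordering; `check_bind`, `rpmvercmp` and the `dist` hint are names chosen for this example.

```python
import re

# Fixed builds quoted in this thread from the CentOS announcements.
FIXED = {"el4": ("9.2.4", "28.0.1.el4"), "el5": ("9.3.4", "6.0.1.P1.el5_2")}

def rpmvercmp(a, b):
    """Simplified rpm ordering of two version or release strings: -1, 0 or 1.
    Splits into digit and letter runs; ignores epoch, '~' and '^'."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a number beats letters
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def check_bind(nvr, dist=None):
    """Classify one line of `rpm -q bind` output against FIXED.
    dist ("el4"/"el5") is only needed when the release has no .elN tag."""
    parts = nvr.strip().rsplit("-", 2)
    if len(parts) != 3:
        return "unknown"                         # e.g. "package ... not installed"
    name, version, release = parts
    tag = re.search(r"\.(el\d+)", release)
    dist = tag.group(1) if tag else dist
    if name != "bind" or dist not in FIXED:
        return "unknown"
    fixed_version, fixed_release = FIXED[dist]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "patched" if order >= 0 else "needs update"

if __name__ == "__main__":
    # Package strings as posted in the thread.
    for line, dist in [("bind-9.2.4-28.0.1.el4", None),
                       ("bind-9.3.4-6.0.2.P1.el5_2", None),
                       ("bind-9.3.3-10", "el5")]:
        print(line, "->", check_bind(line, dist))
```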
     
  12. gongpro

    gongpro Member

    dnsstuff.com has a DNS vulnerability check tool that you can use to check if your ISP has this problem.

    I wrote the following php file to test my server:
    Code:
    <?php
    // Fetch the dnsstuff.com test page from this server and print the response.
    $lines = file_get_contents('http://member.dnsstuff.com/includes/ToolHandler.php?ToolFormName=vu800113');
    echo $lines;
    ?>

    Anybody know if this is a valid way to test our server?

    Update: Looks like dnsstuff changed this tool, so the above doesn't work anymore.
     
    #12 gongpro, Jul 16, 2008
    Last edited: Jul 28, 2008
  13. cyndre2

    cyndre2 Member

    Bind updated

    I have the proper version of bind now, but I'm still only using port 53. Anyone know how to fix this part of it?
     
  14. Kent Brockman

    Kent Brockman Well-Known Member

    How do you know if you have bind chrooted?
     
  15. chirpy

    chirpy Well-Known Member

    ps axf | grep named
    If that mentions /var/named/chroot/ then you're using it, otherwise you're not.
     
  16. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    Comment out that line, and it should do the trick.
     
  17. Kent Brockman

    Kent Brockman Well-Known Member

    Great! Thanks!

    Code:
    [root /]# ps axf | grep named
    11848 ?        Ssl    4:17 /usr/sbin/named -u named
     9842 ?        S      0:00          \_ sh -c export PATH = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin ; cd / ; ps axf | grep named 2>&1
    [root /]#


    BTW, for those people using bind chrooted, I've found this tutorial explaining how to patch bind.
    http://www.howtoforge.com/how-to-patch-bind-to-avoid-cache-poisoning-fedora-centos

    Since I don't have it chrooted, I shouldn't need to pay attention to any point of that tutorial, right? Or might any concept still be interesting to apply or take into account?
     
  18. orty

    orty Well-Known Member

    So then DNS would use ports other than 53 then, right? Would I need to tweak my firewall (Configserver's CSF) to make this work?
     
  19. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Aside from what chirpy mentioned, on RedHat derived systems (and possibly other Linux systems) check the ROOTDIR variable in /etc/sysconfig/named. If a value is assigned then your system is configured to chroot bind.
     
  20. Kent Brockman

    Kent Brockman Well-Known Member

    This is the content of my /etc/sysconfig/named. Not chrooted.

    Code:
    # Currently, you can use the following options:
    # ROOTDIR="/some/where"  --  will run named in a chroot environment.
    #                            you must set up the chroot environment before
    #                            doing this.
    # OPTIONS="whatever" -- These additional options will be passed to named
    #                       at startup. Don't add -t here, use ROOTDIR instead.
    From this, can I assume my BIND is safe? Even if the version is not so up to date? BTW, I'm running CentOS Enterprise 4.6 i686 on Virtuozzo.

    (And don't forget to take a look at the last question I wrote in my post #17 of this thread: do I need something from that patch?)

    Code:
    # named -v
    BIND 9.2.4
    
    # rpm -q bind
    bind-9.2.4-28.0.1.el4
     
    #20 Kent Brockman, Jul 30, 2008
    Last edited: Jul 30, 2008