[ale] Question about bind server behavior.
JD
jdp at algoloma.com
Sat Jan 25 14:53:23 EST 2014
1 of the 2 times a server I was responsible for got hacked was via bind.
Being hacked teaches a bunch of lessons.
* versioned backups!! A mirror is NOT enough.
* don't run services on the internet that aren't absolutely necessary
* don't run bind without chroot, keep the authoritative server off the internet
* avoid running sendmail ... that's a diff "hacked" story.
On 01/25/2014 01:59 PM, Jim Lynch wrote:
> On 01/25/2014 12:40 PM, Michael H. Warfield wrote:
>> On Sat, 2014-01-25 at 12:07 -0500, Jim Lynch wrote:
>>> One of my host providers changed the IP address of my server. I went to
>>> the bind server that provides the master records and changed the IP
>>> address in the tables. I restarted bind and then did a dig
>>> @<masterdnsserver> <serverwithnewaddress> and it reports the old IP
>>> address. Is something caching that information?
>> 1) Did you update the serial number in the SOA?
> Hi, Mike,
>
> Yes
>> 2) Are you sure you got the right zone file? If bind is running chroot,
>> you may find a copy in /var/named/data and a copy
>> in /var/named/chroot/var/named/data. Modern setups connect the two
>> together through a bind mount but it used to not always be that way and
>> an updated system won't perform the bind mount if it finds the chroot
>> directory already populated.
> It's not chrooted. The /etc/named.conf file contains:
>
> zone "lynch-family.info" {
>     type master;
>     file "/var/named/lynch-family.info.hosts";
> };
> The /var/named/lynch-family.info.hosts file has a line:
>
> lynch-family.info. IN A 107.161.113.167
>
> Which is the new IP address.
>
> I'm pretty sure that's what bind is using.
>
> Jim.
>>> I thought that if I provided a server to dig it asked the system
>>> directly. I guess I need to go back to school.
>> You got the correct dig command (although I would have specified -t any
>> and verified an updated SOA as well).
> How interesting. Adding the -t any found the correct address. -t A gives me
> the old one. I guess I'll wait a few days and see if the right stuff gets
> propagated.
>
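The two things Mike asks about (was the SOA serial bumped, and was the file you edited the one BIND actually reads) can be checked on the zone file itself before restarting the daemon. The script below is an added example, not code from this thread or from BIND: it parses a zone file in the same format as the record Jim quoted, extracts the SOA serial and the A records, flags a serial that was not incremented or an A record that still carries the old address, and lists which of the non-chroot and chroot copies of a zone file exist on disk. The sample zone text, the serial numbers, the `ns1`/`hostmaster` names and the old address `192.0.2.10` (documentation range) are constructed for the example; only the domain and the new IP come from the thread.

```python
"""Offline sanity check of a BIND zone file after an address change.

Added example (not part of the mailing-list thread). Answers two questions
before you restart named: was the SOA serial increased, and does the zone's
apex A record carry the new address? Also shows which copies of the zone
file exist, since a chrooted BIND reads <chroot>/<file> while a non-chrooted
one reads <file>.
"""
import os
import re
from typing import Dict, List, Optional

# Constructed sample zone modelled on the record quoted in the thread.
# Serial numbers, ns1/hostmaster names and TTLs are invented placeholders.
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA  ns1.lynch-family.info. hostmaster.lynch-family.info. (
            2014012502 ; serial
            7200       ; refresh
            3600       ; retry
            1209600    ; expire
            3600 )     ; minimum
    IN NS   ns1.lynch-family.info.
lynch-family.info. IN A 107.161.113.167
ns1 IN A 107.161.113.167
"""


def _strip_comments(zone_text: str) -> List[str]:
    """Drop ';' comments and blank lines, but keep leading whitespace:
    a line that starts with whitespace inherits the previous owner name."""
    kept = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if line.strip():
            kept.append(line)
    return kept


def soa_serial(zone_text: str) -> Optional[int]:
    """Return the SOA serial, whether the SOA is on one line or in the
    usual multi-line parenthesised form."""
    flat = " ".join(_strip_comments(zone_text))
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", flat)
    return int(m.group(1)) if m else None


def a_records(zone_text: str, origin: str) -> Dict[str, List[str]]:
    """Map each fully qualified owner name to its list of A record addresses."""
    origin = origin.rstrip(".") + "."
    records: Dict[str, List[str]] = {}
    owner = origin
    for line in _strip_comments(zone_text):
        if line.startswith("$"):          # $TTL / $ORIGIN directives, not records
            continue
        tokens = line.split()
        if not line[0].isspace():         # explicit owner name on this line
            owner = tokens[0]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = owner + "." + origin
            tokens = tokens[1:]
        # Skip an optional TTL and class, then look at the record type.
        j = 0
        while j < len(tokens) and (tokens[j].isdigit() or tokens[j].upper() in ("IN", "CH", "HS")):
            j += 1
        if j + 1 < len(tokens) and tokens[j].upper() == "A":
            records.setdefault(owner, []).append(tokens[j + 1])
    return records


def check_zone(zone_text: str, origin: str, expected_ip: str, previous_serial: int) -> List[str]:
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    serial = soa_serial(zone_text)
    if serial is None:
        problems.append("no SOA serial found")
    elif serial <= previous_serial:
        problems.append(f"SOA serial {serial} is not greater than the previous "
                        f"{previous_serial}: slaves and caches will keep the old data")
    apex = origin.rstrip(".") + "."
    ips = a_records(zone_text, origin).get(apex, [])
    if expected_ip not in ips:
        problems.append(f"{apex} A records {ips} do not include {expected_ip}")
    return problems


def find_zone_copies(file_path: str, chroot_dir: str = "/var/named/chroot") -> List[str]:
    """List the copies of a zone file that exist: the plain path a non-chrooted
    BIND reads and the path under the chroot that a chrooted BIND reads."""
    candidates = [file_path, os.path.join(chroot_dir, file_path.lstrip("/"))]
    return [p for p in candidates if os.path.isfile(p)]


if __name__ == "__main__":
    # Previous serial 2014012501 and old address 192.0.2.10 are constructed.
    print("serial:", soa_serial(SAMPLE_ZONE))
    print("A records:", a_records(SAMPLE_ZONE, "lynch-family.info"))
    print("problems:", check_zone(SAMPLE_ZONE, "lynch-family.info", "107.161.113.167", 2014012501))
    print("stale check:", check_zone(SAMPLE_ZONE, "lynch-family.info", "192.0.2.10", 2014012502))
    print("zone copies:", find_zone_copies("/var/named/lynch-family.info.hosts"))
```

Run it against the file named in the `file` directive of `named.conf`; if `find_zone_copies` reports two copies, check both, because the one you edited may not be the one named reads. Once named has been restarted, `dig @<masterdnsserver> lynch-family.info SOA` and `dig @<masterdnsserver> lynch-family.info A` should show the same serial and address the script reports for the file.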