named: chaos problem solved, suppressing the version output



403
23.07.04, 18:56
Hi ;)


I have a named running, and I wanted to use the Chaos class trick
published in LinuxMag to stop it from handing out the Bind version.

( Querying the chaos class works like this:
% dig @???.???.86.226 version.bind CHAOS TXT
;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.1.2"

)

( http://www.linux-magazin.de/Artikel/ausgabe/2000/12/SnortNmap/SnortNmap.html )

When I do this




zone "bind" chaos {
type master;
file "/etc/bind/bind" ;
};



and create the zone:

Code:

$ORIGIN bind.
$TTL 1W

@ CHAOS SOA localhost. root.localhost. (
1 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.




I get:




named[3069]: zone 'bind': wrong class for view '<default view>'



I'm using Bind 9.x.x *g*

How does named even come up with a view here? That's meant for firewalls,
isn't it?

Many thanks for all hints.

named.conf attached



// Wed Jul 21 15:08:39 CEST 2004
// Master-server

options {
directory "/var/cache/bind";
dump-file "/etc/bind/named_dump.db";
statistics-file "/etc/bind/named.stats";
zone-statistics yes;
recursion yes;
pid-file "/etc/bind/named.pid";
query-source address * port 53;
// allow-query { trusted; !bogon; };
// allow-recursion { trusted; };
// allow-transfer { trusted; };
//allow-transfer { none; };
// blackhole { bogon; };




// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
213.35.22.1; //fake
};

auth-nxdomain no; # conform to RFC1035


};

//acl "trusted" { localhost; };


//acl "bogon" { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 224.0.0.0/4; 224.0.0.0/5; }; // matter of taste 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
// might be needed for internal DNS stuff




logging {
category "lame-servers" { "null"; };
};

//zone "bind" chaos {
//type master;
//file "/var/named/bind" ;
//};


// prime the server with knowledge of the root servers
zone "." {
type hint;
// file "/etc/bind/db.root";
file "/etc/bind/db.root-and-orsn";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

// add entries for other zones below here



key "key" {
algorithm hmac-md5;
secret "J3xidQBggkL fake GSicjzeDD555qJ+0tFQ==";
};


zone "grummel.com" {
type master;
file "/etc/bind/grummel.hosts";
};


The solution:

OK, so for some reason you need a view for this,
and then views have to be used for all zones.


Adjust the serial number!!


cat db.bind
;ch
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2004070101 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.

version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I. :)"



new:

// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.


view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "db.bind";
// allow-query { trusted; };
allow-transfer { none; };
};
};

view "internal-in" in {

// prime the server with knowledge of the root servers
zone "." {
type hint;
etc.

the zones go here...



/var/log/messages should contain:



Jul 23 19:23:36 vs160197 named[1346]: zone bind/CH: loaded serial 2004070101



When I now run the query mentioned above, I get:



dig @12.110.110.204 version.bind CHAOS TXT

; <<>> DiG 9.2.2-P3 <<>> @12.110.110.204 version.bind CHAOS TXT
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8227
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 86400 CH TXT "beliebigertext"

;; AUTHORITY SECTION:
bind. 86400 CH NS localhost.

;; Query time: 1 msec
;; SERVER: 12.110.110.204#53(12.110.110.204)
;; WHEN: Fri Jul 23 19:26:44 2004
;; MSG SIZE rcvd: 85

Jasper
23.07.04, 20:40
I (bind 9.1.2) simply set

options {
version "uhm, guess what.";
};


-j