refuse DNS queries from all except authorized hosts/networks for BIND (PCI CVE-2006-0987)

sleepin4ever

• September 06, 2014 11:02

Our PCI scanner caught a CVE for DNS querying. The problem is "It is possible to send a query for the root zone (.) to the DNS server, and get an answer that is much larger than the query (often more than 20 times in size). An attacker could spoof the source IP address of the query, causing the DNS server to respond to the source IP with the larger answer. An attacker could focus these answers on a single target, resulting in a Denial of Service for that IP. ..." The solution is " First, if the DNS server allows for recursive queries, then the server should be configured to refuse queries from all except authorized hosts/networks. If the DNS server is non-recursive, then it should only answer queries for zones that it is authoritative. BIND 9.3 and later can accomplish this by adding an 'allow-query' statement to the global config that restricts queries to only trusted networks, and then adding 'allow-query {any;}' to authoritative zone configurations. " I went into the BIND config file but it clear states that any edits will be overwritten by WHM/cPanel when it is upgraded. How can I achieve this through WHM? Thanks

• 

  cPanelMichael

  • September 08, 2014 15:12

  Hello :) CVE-2006-0987 was addressed in cPanel version 11.44 with internal case number 94901: Fixed case 94901: Updated options in named.conf template. This ensures the configuration neither allows recursive queries, nor provides additional delegation information to arbitrary IP addresses (external view). However, please ensure you rebuild the /etc/named.conf file from scratch to utilize the updated template: mv /etc/named.conf /etc/named.conf.backup1 /scripts/rebuilddnsconfig
  Thank you.

  0

Please sign in to leave a comment.