http://www.freebsdwiki.net/index.php?title=BIND,_securing&feed=atom&action=history
BIND, securing - Revision history
2024-03-29T10:39:11Z
Revision history for this page on the wiki
MediaWiki 1.18.0
http://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=13338&oldid=prev
Jimbo at 21:37, 25 August 2012
2012-08-25T21:37:35Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 21:37, 25 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 61:</td>
<td colspan="2" class="diff-lineno">Line 61:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://www.boran.com/security/sp/chrooting_bind.html Info on chroot'ing]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://www.boran.com/security/sp/chrooting_bind.html Info on chroot'ing]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/<del class="diffchange diffchange-inline">views_05 </del>... <del class="diffchange diffchange-inline">\n</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/<ins class="diffchange diffchange-inline">views_0501</ins>.<ins class="diffchange diffchange-inline">html Implementing Views in BIND 9, by Cricket Liu]]</ins>. <ins class="diffchange diffchange-inline">Thumbing through O'Reilly's DNS & BIND book is highly recommended -- Cricket Liu quite literally wrote the book on DNS</ins>.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[Category:Ports and Packages]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[Category:Configuring FreeBSD]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[Category:Securing FreeBSD]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[Category:DNS]]</ins></div></td></tr>
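Review bot: the corrected link (`views_0501.html`, "Implementing Views in BIND 9") fixes the truncated `views_05 ... \n` fragment from the previous revision, but it leaves the page relying on an external URL for its only concrete views configuration, while the "Use Views" section of this page describes the mechanism (two sets of data for a zone, an ACL on each) without showing it; suggest adding a minimal named.conf stanza next to this link, e.g. `view "internal" { match-clients { 10.0.0.0/8; }; zone "victim.tld" { type master; file "victim.tld.internal"; }; };` followed by `view "external" { match-clients { any; }; zone "victim.tld" { type master; file "victim.tld.external"; }; };`, with a sentence noting that BIND matches views in the order they appear, so the internal view must be listed first or every client falls through to the external one. The four `[[Category:...]]` lines are a useful addition and need no change.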
</table>
Jimbo
http://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=13296&oldid=prev
Jimbo: Reverted edits by DavidYoung (talk) to last revision by 200.38.30.168
2012-08-25T21:29:57Z
<p>Reverted edits by <a href="/index.php/Special:Contributions/DavidYoung" title="Special:Contributions/DavidYoung">DavidYoung</a> (<a href="/index.php?title=User_talk:DavidYoung&action=edit&redlink=1" class="new" title="User talk:DavidYoung (page does not exist)">talk</a>) to last revision by <a href="/index.php?title=User:200.38.30.168&action=edit&redlink=1" class="new" title="User:200.38.30.168 (page does not exist)">200.38.30.168</a></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 21:29, 25 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">==Your DNS network design==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly separate networks -- separate physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Setting your DNS server inside a jail means that you're going to have a bit of a pain on the initial setup and install but you'll be that much more secure if your DNS server '''does''' get hacked. By placing just what it needs to run and nothing else in the jail, anyone that gets in will have a harder time doing anything with your server or to your network; no compilers means no binaries can be built on your system itself to give you a trojan: your would-be attackers would have to build the binaries somewhere else and copy them over and hope they work on your system. If you've got backups of your DNS data -- and you should, the slaves would essentially function as backups -- then even the dreaded '''rm -rf /''' inside your jail shouldn't be fatal: promote your slave to master for all your zones, '''rm -rf''' your jail directory and re-create it, make it a slave and copy your data over again by [[HUP]]'ing your server and you're good to go (you'll probably want to find out how they got in to do Bad Things so that it doesn't happen again, though).</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>== <del class="diffchange diffchange-inline">Mr. Happy Man </del>==</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>==<ins class="diffchange diffchange-inline">Don't run as root</ins>==</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Make a dns account to run your nameserver from; block it from accessing the net over anything but UDP/TCP ports 53 (using [[ACL]]s or a firewall etc).</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">For six hours each day</del>, <del class="diffchange diffchange-inline">Bermudas Johnny Barnes stands at </del>a <del class="diffchange diffchange-inline">busy traffic intersection telling all who pass that he loves them. His delight </del>and <del class="diffchange diffchange-inline">sincerity are infectious, and the people </del>of <del class="diffchange diffchange-inline">the island love him back</del>. <del class="diffchange diffchange-inline">His service is </del>a <del class="diffchange diffchange-inline">simple reminder of the power of happiness </del>and <del class="diffchange diffchange-inline">loving</del>-<del class="diffchange diffchange-inline">kindness </del>to <del class="diffchange diffchange-inline">change any day for </del>the <del class="diffchange diffchange-inline">better</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==Use Views==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Views are a feature of BIND 9</ins>, <ins class="diffchange diffchange-inline">essentially it boils down to keeping two sets of data for </ins>a <ins class="diffchange diffchange-inline">given zone </ins>and <ins class="diffchange diffchange-inline">setting an [[ACL]] for each </ins>of <ins class="diffchange diffchange-inline">them</ins>. <ins class="diffchange diffchange-inline">So that internally, your network has </ins>a <ins class="diffchange diffchange-inline">DNS server that has records for every machine you want -- every single networked printer, router, switch, workstation </ins>and <ins class="diffchange diffchange-inline">server, if you like </ins>-<ins class="diffchange diffchange-inline">- and externally, only what needs </ins>to <ins class="diffchange diffchange-inline">be accessible from </ins>the <ins class="diffchange diffchange-inline">world has a record.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del>[[<del class="diffchange diffchange-inline">http://goodvillenews</del>.<del class="diffchange diffchange-inline">com/Mr-Happy-Man-VDrbVr</del>.<del class="diffchange diffchange-inline">html Mr</del>. <del class="diffchange diffchange-inline">Happy Man</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==Don't rely on just network security or just host security: use both==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Well, your network has a </ins>[[<ins class="diffchange diffchange-inline">bastion host]] and it's protecting the whole network, including your DNS server, so why worry, right? Right</ins>. <ins class="diffchange diffchange-inline">Maybe</ins>. <ins class="diffchange diffchange-inline">Or Maybe Wrong</ins>. <ins class="diffchange diffchange-inline">Maybe really wrong. In any case, better safe than sorry: recompile your FreeBSD kernel and include [[ipfw</ins>]] <ins class="diffchange diffchange-inline">in it and set your firewall rules to just what you need: UDP/TCP 53 (DNS), TCP 22 (SSH), and possibly your [[webmin]] management port for your networks.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http://goodvillenews</del>.<del class="diffchange diffchange-inline">com/wk.html GoodvilleNews.com - good</del>, <del class="diffchange diffchange-inline">positive news, inspirational stories, articles]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==Poison is bad==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">DNS cache poisoning is one of many REALLY good reasons not to keep running ancient and outdated DNS services (like the BIND4 that shipped on those Sun servers your organization insists on maintaining for at least 30 more years)</ins>. <ins class="diffchange diffchange-inline">It's a little complicated to follow if you aren't familiar with the ins and outs and quirks of DNS resolution</ins>, <ins class="diffchange diffchange-inline">but here's how it works:</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">== Guerilla Gardener Plants Joy in Potholes ==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> # this is an example of a zone file a black hat would use to poison a victim's DNS cache.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> # this file is being run by the black hat on his own machine, '''at IP address 1.2.3.4'''.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> #</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> poisoner.tld.      IN SOA  ns.poisoner.tld hostmaster.poisoner.tld. (34; 10800; 3600; 604800; 10;)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> poisoner.tld.      IN  NS  ns.victim.tld.  # this record tells anyone asking about poisoner.tld to go to ns.victim.tld</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ns.victim.tld.    IN  A  1.2.3.4        # this record is the sneaky one - it "helpfully" tells them that the IP</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">                                            # address for ns1.victim.tld is THIS machine's IP address!</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Theyre </del>the <del class="diffchange diffchange-inline">bane </del>of <del class="diffchange diffchange-inline">cyclists and motorists alike</del>, <del class="diffchange diffchange-inline">but one urban gardener has grown a fondness for potholes after deciding to spruce up cities around Europe by filling them up with miniature flower arrangements</del>. <del class="diffchange diffchange-inline">Australian Steve Wheen</del>, 34, <del class="diffchange diffchange-inline">who lives in London</del>, <del class="diffchange diffchange-inline">has been using flowers and small-scale objects to transform urban potholes for the last three years</del>. <del class="diffchange diffchange-inline">The self-styled guerrilla gardener has created mini gardens all around his home city but has now decided </del>to <del class="diffchange diffchange-inline">bring joy to commuters across Europe with his unusual pothole creations</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> # this is </ins>the <ins class="diffchange diffchange-inline">bogus version </ins>of <ins class="diffchange diffchange-inline">the victim.tld zone file which the black hat runs on the same</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> # server as the poison file</ins>, <ins class="diffchange diffchange-inline">above</ins>. <ins class="diffchange diffchange-inline"> After ns.victim.tld's cache is poisoned</ins>, <ins class="diffchange diffchange-inline">it will actually</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> # send users here instead of answering their queries itself!</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> #</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> victim.tld.        IN SOA  ns.victim.tld  hostmaster.victim.tld. (</ins>34<ins class="diffchange diffchange-inline">; 10800; 3600; 604800; 10;)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> victim.tld.        IN  NS  ns.victim.tld.  # these two records simply say "yes</ins>, <ins class="diffchange diffchange-inline">I'll tell you all about victim.tld</ins>, <ins class="diffchange diffchange-inline">don't  </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ns</ins>.<ins class="diffchange diffchange-inline">victim.tld.    IN  A  1.2.3.4        # go anywhere else </ins>to <ins class="diffchange diffchange-inline">ask"</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> www</ins>.<ins class="diffchange diffchange-inline">victim.tld.    IN  A  1.2.3.5        # this is the IP address of a webpage chock full of spammy ads and malware</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del>[[<del class="diffchange diffchange-inline">http://goodvillenews</del>.<del class="diffchange diffchange-inline">com/Guerilla-Gardener</del>-<del class="diffchange diffchange-inline">Plants-Joy-in-Potholes-CnUGQR</del>.<del class="diffchange diffchange-inline">html Guerilla Gardener Plants Joy </del>in <del class="diffchange diffchange-inline">Potholes</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">After the </ins>[[<ins class="diffchange diffchange-inline">black hat]] sets up his domain and the bogus zone files above on his own server, at IP address 1</ins>.<ins class="diffchange diffchange-inline">2.3.4, he asks the ''real'' nameserver for '''victim.tld''' to tell him what the IP address for '''www.poisoner.tld''' is.  Since it doesn't know, it asks '''ns.poisoner.tld''', which tells it that it needs to ask '''ns.victim.tld''' ''at the IP address 1.2.3.4'' for that information.  The victim caches that query result </ins>- <ins class="diffchange diffchange-inline">so from here on out, even though it ''is'' '''ns</ins>.<ins class="diffchange diffchange-inline">victim.tld''', if you ask it how to find '''ns.victim.tld''', it will respond with the [[black hat]]'s IP address, not its own.  And since the first step of client DNS resolution is to resolve the IP address of the [[authoritative nameserver]] for a domain, that further means that from here on out, any time anybody looks up ''any'' URL </ins>in <ins class="diffchange diffchange-inline">the victim.tld domain, they'll get sent to the [[black hat</ins>]]<ins class="diffchange diffchange-inline">'s nameserver - which will cheerfully send them to his own webpage full of ads and malware!</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - </del>good, <del class="diffchange diffchange-inline">positive </del>news, <del class="diffchange diffchange-inline">inspirational stories, articles</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">The </ins>good <ins class="diffchange diffchange-inline">news is</ins>, <ins class="diffchange diffchange-inline">DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997.  The bad </ins>news <ins class="diffchange diffchange-inline">is</ins>, <ins class="diffchange diffchange-inline">enough people are still running ancient legacy DNS services that there are still plenty of [[black hat</ins>]]<ins class="diffchange diffchange-inline">s industriously trying to poison everything in sight just to see if it works.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">== 5 Things You Can Do To Love Your Authentic Self More ==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Avoiding DNS cache poisoning is much simpler than understanding it: don't run outdated DNS services, make your authoritative servers non-recursive (don't let them answer questions about domains they aren't authoritative for), and wherever possible, limit public access to any caching DNS servers you run for you and/or your clients' benefit.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">I had no idea that being your authentic self could make me as rich as Ive become. If I had</del>, <del class="diffchange diffchange-inline">Id have done it a lot earlier</del>. <del class="diffchange diffchange-inline">Oprah WinfreyIt can be easy </del>to <del class="diffchange diffchange-inline">love other people but its not always easy to love your authentic self, am I right?</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">To learn more about poisoning</ins>, <ins class="diffchange diffchange-inline">see Daniel J. Bernstein's article at http://cr.yp</ins>.to<ins class="diffchange diffchange-inline">/djbdns/notes.html#poison</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> [[</del>http://<del class="diffchange diffchange-inline">goodvillenews</del>.<del class="diffchange diffchange-inline">com</del>/<del class="diffchange diffchange-inline">5-Things-You-Can-Do-To-Love-Your-Authentic-Self-More-r2jcXE</del>.html <del class="diffchange diffchange-inline">5 Things You Can Do To Love Your Authentic Self More]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">To see if you can be poisoned, see </ins>http://<ins class="diffchange diffchange-inline">ketil</ins>.<ins class="diffchange diffchange-inline">froyn.name</ins>/<ins class="diffchange diffchange-inline">poison</ins>.html</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== See Also ==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">== Man Climbs Worlds 14 Tallest Peaks ==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[BIND (installing)]], [[BIND (configuring)]], [[BIND (managing)]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Hirotaka Takeuchi has gotten official certification for his feat of climbing the worlds 14 tallest mountains. Hes the 30th person ever and the first Japanese person to accomplish the feat.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==External Links==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del>[[http://<del class="diffchange diffchange-inline">goodvillenews</del>.com/<del class="diffchange diffchange-inline">Man-Climbs-Worlds-14-Tallest-Peaks-f1nJlP</del>.html <del class="diffchange diffchange-inline">Man Climbs Worlds 14 Tallest Peaks</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://<ins class="diffchange diffchange-inline">www.oreilly</ins>.com/<ins class="diffchange diffchange-inline">catalog/dns4/chapter/ch11</ins>.html <ins class="diffchange diffchange-inline">O'Reilly's BIND book's security chapter</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://<del class="diffchange diffchange-inline">goodvillenews</del>.com/<del class="diffchange diffchange-inline">wk</del>.html <del class="diffchange diffchange-inline">GoodvilleNews.com - good, positive news, inspirational stories, articles</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://<ins class="diffchange diffchange-inline">www.boran</ins>.com/<ins class="diffchange diffchange-inline">security/sp/bind_hardening8</ins>.html <ins class="diffchange diffchange-inline">Hardening BIND 8</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">== Learning from the Wisdom of the Body ==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://www.boran.com/security/sp/bind9_20010430.html Hardening BIND 9]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">"Its amazing that our interpretation of experiences can generate intense visceral responses</del>. <del class="diffchange diffchange-inline">The fact that we get goosebumps when we are inspired or afraid is one of many everyday indicators of just how deeply and intricately connected our minds and bodies are</del>. <del class="diffchange diffchange-inline">In fact, the mind and body are an intertwined whole -- and there is great wisdom in the totality of our mind-body experience</del>.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://www</ins>.<ins class="diffchange diffchange-inline">boran</ins>.<ins class="diffchange diffchange-inline">com/security/sp/chrooting_bind</ins>.<ins class="diffchange diffchange-inline">html Info on chroot'ing]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del>[[http://<del class="diffchange diffchange-inline">goodvillenews</del>.com/<del class="diffchange diffchange-inline">Learning-from-the-Wisdom-of-the-Body-lJQFSo.html Learning from the Wisdom of the Body]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://<ins class="diffchange diffchange-inline">sysadmin.oreilly</ins>.com/<ins class="diffchange diffchange-inline">news</ins>/<ins class="diffchange diffchange-inline">views_05 </ins>... <ins class="diffchange diffchange-inline">\n</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http:</del>/<del class="diffchange diffchange-inline">/goodvillenews</del>.<del class="diffchange diffchange-inline">com/wk</del>.<del class="diffchange diffchange-inline">html GoodvilleNews</del>.<del class="diffchange diffchange-inline">com - good, positive news, inspirational stories, articles]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
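Review bot: the restored External Links entry on the row whose new text begins `[[http://sysadmin.oreilly.com/news/views_05 ... \n` is still broken: the URL stops at `views_05 ...`, a literal `\n` has been pasted into the wikitext, and there is no link title or closing `]]`, so MediaWiki will render it as stray text rather than a link. Either complete it in the `[[url title]]` form used by the neighbouring boran.com entries or drop the row until the full reference is to hand. The rest of the hunk is fine: it puts the Hardening BIND 8, Hardening BIND 9 and chroot'ing links back in place of the GoodvilleNews spam rows, and the last two rows only remove a leftover blank line and the duplicated `goodvillenews.com/wk.html` link.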
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:13072:newid:13296 -->
</table>Jimbohttp://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=13072&oldid=prevDavidYoung: minor updates2012-08-12T20:07:08Z<p>minor updates</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 20:07, 12 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">==Your DNS network design==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly separate networks -- separate physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Setting your DNS server inside a jail means that you're going to have a bit of a pain on the initial setup and install but you'll be that much more secure if your DNS server '''does''' get hacked. By placing just what it needs to run and nothing else in the jail, anyone that gets in will have a harder time doing anything with your server or to your network; no compilers means no binaries can be built on your system itself to give you a trojan: your would-be attackers would have to build the binaries somewhere else and copy them over and hope they work on your system. If you've got backups of your DNS data -- and you should, the slaves would essentially function as backups -- then even the dreaded '''rm -rf /''' inside your jail shouldn't be fatal: promote your slave to master for all your zones, '''rm -rf''' your jail directory and re-create it, make it a slave and copy your data over again by [[HUP]]'ing your server and you're good to go (you'll probably want to find out how they got in to do Bad Things so that it doesn't happen again, though).</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>==<del class="diffchange diffchange-inline">Don't run as root</del>==</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>== <ins class="diffchange diffchange-inline">Mr. Happy Man </ins>==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Make a dns account to run your nameserver from; block it from accessing the net over anything but UDP/TCP ports 53 (using [[ACL]]s or a firewall etc).</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">==Use Views==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">For six hours each day</ins>, <ins class="diffchange diffchange-inline">Bermudas Johnny Barnes stands at </ins>a <ins class="diffchange diffchange-inline">busy traffic intersection telling all who pass that he loves them. His delight </ins>and <ins class="diffchange diffchange-inline">sincerity are infectious, and the people </ins>of <ins class="diffchange diffchange-inline">the island love him back</ins>. <ins class="diffchange diffchange-inline">His service is </ins>a <ins class="diffchange diffchange-inline">simple reminder of the power of happiness </ins>and <ins class="diffchange diffchange-inline">loving</ins>-<ins class="diffchange diffchange-inline">kindness </ins>to <ins class="diffchange diffchange-inline">change any day for </ins>the <ins class="diffchange diffchange-inline">better</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Views are a feature of BIND 9</del>, <del class="diffchange diffchange-inline">essentially it boils down to keeping two sets of data for </del>a <del class="diffchange diffchange-inline">given zone </del>and <del class="diffchange diffchange-inline">setting an [[ACL]] for each </del>of <del class="diffchange diffchange-inline">them</del>. <del class="diffchange diffchange-inline">So that internally, your network has </del>a <del class="diffchange diffchange-inline">DNS server that has records for every machine you want -- every single networked printer, router, switch, workstation </del>and <del class="diffchange diffchange-inline">server, if you like </del>-<del class="diffchange diffchange-inline">- and externally, only what needs </del>to <del class="diffchange diffchange-inline">be accessible from </del>the <del class="diffchange diffchange-inline">world has a record.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">==Don't rely on just network security or just host security: use both==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[<ins class="diffchange diffchange-inline">http://goodvillenews</ins>.<ins class="diffchange diffchange-inline">com/Mr-Happy-Man-VDrbVr</ins>.<ins class="diffchange diffchange-inline">html Mr</ins>. <ins class="diffchange diffchange-inline">Happy Man</ins>]]</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Well, your network has a </del>[[<del class="diffchange diffchange-inline">bastion host]] and it's protecting the whole network, including your DNS server, so why worry, right? Right</del>. <del class="diffchange diffchange-inline">Maybe</del>. <del class="diffchange diffchange-inline">Or Maybe Wrong</del>. <del class="diffchange diffchange-inline">Maybe really wrong. In any case, better safe than sorry: recompile your FreeBSD kernel and include [[ipfw</del>]] <del class="diffchange diffchange-inline">in it and set your firewall rules to just what you need: UDP/TCP 53 (DNS), TCP 22 (SSH), and possibly your [[webmin]] management port for your networks.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">==Poison is bad==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews</ins>.<ins class="diffchange diffchange-inline">com/wk.html GoodvilleNews.com - good</ins>, <ins class="diffchange diffchange-inline">positive news, inspirational stories, articles]]</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">DNS cache poisoning is one of many REALLY good reasons not to keep running ancient and outdated DNS services (like the BIND4 that shipped on those Sun servers your organization insists on maintaining for at least 30 more years)</del>. <del class="diffchange diffchange-inline">It's a little complicated to follow if you aren't familiar with the ins and outs and quirks of DNS resolution</del>, <del class="diffchange diffchange-inline">but here's how it works:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> # this is an example of a zone file a black hat would use to poison a victim's DNS cache.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Guerilla Gardener Plants Joy in Potholes ==</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> # this file is being run by the black hat on his own machine, '''at IP address 1.2.3.4'''.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> #</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> poisoner.tld.      IN SOA  ns.poisoner.tld hostmaster.poisoner.tld. (34; 10800; 3600; 604800; 10;)</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> poisoner.tld.      IN  NS  ns.victim.tld.  # this record tells anyone asking about poisoner.tld to go to ns.victim.tld</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ns.victim.tld.    IN  A  1.2.3.4        # this record is the sneaky one - it "helpfully" tells them that the IP</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">                                            # address for ns1.victim.tld is THIS machine's IP address!</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> # this is </del>the <del class="diffchange diffchange-inline">bogus version </del>of <del class="diffchange diffchange-inline">the victim.tld zone file which the black hat runs on the same</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Theyre </ins>the <ins class="diffchange diffchange-inline">bane </ins>of <ins class="diffchange diffchange-inline">cyclists and motorists alike</ins>, <ins class="diffchange diffchange-inline">but one urban gardener has grown a fondness for potholes after deciding to spruce up cities around Europe by filling them up with miniature flower arrangements</ins>. <ins class="diffchange diffchange-inline">Australian Steve Wheen</ins>, 34, <ins class="diffchange diffchange-inline">who lives in London</ins>, <ins class="diffchange diffchange-inline">has been using flowers and small-scale objects to transform urban potholes for the last three years</ins>. <ins class="diffchange diffchange-inline">The self-styled guerrilla gardener has created mini gardens all around his home city but has now decided </ins>to <ins class="diffchange diffchange-inline">bring joy to commuters across Europe with his unusual pothole creations</ins>.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> # server as the poison file</del>, <del class="diffchange diffchange-inline">above</del>. <del class="diffchange diffchange-inline"> After ns.victim.tld's cache is poisoned</del>, <del class="diffchange diffchange-inline">it will actually</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> # send users here instead of answering their queries itself!</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> #</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> victim.tld.        IN SOA  ns.victim.tld  hostmaster.victim.tld. (</del>34<del class="diffchange diffchange-inline">; 10800; 3600; 604800; 10;)</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> victim.tld.        IN  NS  ns.victim.tld.  # these two records simply say "yes</del>, <del class="diffchange diffchange-inline">I'll tell you all about victim.tld</del>, <del class="diffchange diffchange-inline">don't  </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ns</del>.<del class="diffchange diffchange-inline">victim.tld.    IN  A  1.2.3.4        # go anywhere else </del>to <del class="diffchange diffchange-inline">ask"</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> www</del>.<del class="diffchange diffchange-inline">victim.tld.    IN  A  1.2.3.5        # this is the IP address of a webpage chock full of spammy ads and malware</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">After the </del>[[<del class="diffchange diffchange-inline">black hat]] sets up his domain and the bogus zone files above on his own server, at IP address 1</del>.<del class="diffchange diffchange-inline">2.3.4, he asks the ''real'' nameserver for '''victim.tld''' to tell him what the IP address for '''www.poisoner.tld''' is.  Since it doesn't know, it asks '''ns.poisoner.tld''', which tells it that it needs to ask '''ns.victim.tld''' ''at the IP address 1.2.3.4'' for that information.  The victim caches that query result </del>- <del class="diffchange diffchange-inline">so from here on out, even though it ''is'' '''ns</del>.<del class="diffchange diffchange-inline">victim.tld''', if you ask it how to find '''ns.victim.tld''', it will respond with the [[black hat]]'s IP address, not its own.  And since the first step of client DNS resolution is to resolve the IP address of the [[authoritative nameserver]] for a domain, that further means that from here on out, any time anybody looks up ''any'' URL </del>in <del class="diffchange diffchange-inline">the victim.tld domain, they'll get sent to the [[black hat</del>]]<del class="diffchange diffchange-inline">'s nameserver - which will cheerfully send them to his own webpage full of ads and malware!</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[<ins class="diffchange diffchange-inline">http://goodvillenews</ins>.<ins class="diffchange diffchange-inline">com/Guerilla-Gardener</ins>-<ins class="diffchange diffchange-inline">Plants-Joy-in-Potholes-CnUGQR</ins>.<ins class="diffchange diffchange-inline">html Guerilla Gardener Plants Joy </ins>in <ins class="diffchange diffchange-inline">Potholes</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">The </del>good <del class="diffchange diffchange-inline">news is</del>, <del class="diffchange diffchange-inline">DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997.  The bad </del>news <del class="diffchange diffchange-inline">is</del>, <del class="diffchange diffchange-inline">enough people are still running ancient legacy DNS services that there are still plenty of [[black hat</del>]]<del class="diffchange diffchange-inline">s industriously trying to poison everything in sight just to see if it works.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - </ins>good, <ins class="diffchange diffchange-inline">positive </ins>news, <ins class="diffchange diffchange-inline">inspirational stories, articles</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Avoiding DNS cache poisoning is much simpler than understanding it: don't run outdated DNS services, make your authoritative servers non-recursive (don't let them answer questions about domains they aren't authoritative for), and wherever possible, limit public access to any caching DNS servers you run for you and/or your clients' benefit.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== 5 Things You Can Do To Love Your Authentic Self More ==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">To learn more about poisoning</del>, <del class="diffchange diffchange-inline">see Daniel J. Bernstein's article at http://cr.yp</del>.to<del class="diffchange diffchange-inline">/djbdns/notes.html#poison</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">I had no idea that being your authentic self could make me as rich as Ive become. If I had</ins>, <ins class="diffchange diffchange-inline">Id have done it a lot earlier</ins>. <ins class="diffchange diffchange-inline">Oprah WinfreyIt can be easy </ins>to <ins class="diffchange diffchange-inline">love other people but its not always easy to love your authentic self, am I right?</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">To see if you can be poisoned, see </del>http://<del class="diffchange diffchange-inline">ketil</del>.<del class="diffchange diffchange-inline">froyn.name</del>/<del class="diffchange diffchange-inline">poison</del>.html</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> [[</ins>http://<ins class="diffchange diffchange-inline">goodvillenews</ins>.<ins class="diffchange diffchange-inline">com</ins>/<ins class="diffchange diffchange-inline">5-Things-You-Can-Do-To-Love-Your-Authentic-Self-More-r2jcXE</ins>.html <ins class="diffchange diffchange-inline">5 Things You Can Do To Love Your Authentic Self More]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">== See Also ==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[BIND (installing)]], [[BIND (configuring)]], [[BIND (managing)]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Man Climbs Worlds 14 Tallest Peaks ==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">==External Links==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Hirotaka Takeuchi has gotten official certification for his feat of climbing the worlds 14 tallest mountains. Hes the 30th person ever and the first Japanese person to accomplish the feat.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://<del class="diffchange diffchange-inline">www.oreilly</del>.com/<del class="diffchange diffchange-inline">catalog/dns4/chapter/ch11</del>.html <del class="diffchange diffchange-inline">O'Reilly's BIND book's security chapter</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[http://<ins class="diffchange diffchange-inline">goodvillenews</ins>.com/<ins class="diffchange diffchange-inline">Man-Climbs-Worlds-14-Tallest-Peaks-f1nJlP</ins>.html <ins class="diffchange diffchange-inline">Man Climbs Worlds 14 Tallest Peaks</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://<del class="diffchange diffchange-inline">www.boran</del>.com/<del class="diffchange diffchange-inline">security/sp/bind_hardening8</del>.html <del class="diffchange diffchange-inline">Hardening BIND 8</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://<ins class="diffchange diffchange-inline">goodvillenews</ins>.com/<ins class="diffchange diffchange-inline">wk</ins>.html <ins class="diffchange diffchange-inline">GoodvilleNews.com - good, positive news, inspirational stories, articles</ins>]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http://www.boran.com/security/sp/bind9_20010430.html Hardening BIND 9]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Learning from the Wisdom of the Body ==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[http://www</del>.<del class="diffchange diffchange-inline">boran</del>.<del class="diffchange diffchange-inline">com/security/sp/chrooting_bind</del>.<del class="diffchange diffchange-inline">html Info on chroot'ing]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">"Its amazing that our interpretation of experiences can generate intense visceral responses</ins>. <ins class="diffchange diffchange-inline">The fact that we get goosebumps when we are inspired or afraid is one of many everyday indicators of just how deeply and intricately connected our minds and bodies are</ins>. <ins class="diffchange diffchange-inline">In fact, the mind and body are an intertwined whole -- and there is great wisdom in the totality of our mind-body experience</ins>.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://<del class="diffchange diffchange-inline">sysadmin.oreilly</del>.com/<del class="diffchange diffchange-inline">news</del>/<del class="diffchange diffchange-inline">views_05 </del>... <del class="diffchange diffchange-inline">\n</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[http://<ins class="diffchange diffchange-inline">goodvillenews</ins>.com/<ins class="diffchange diffchange-inline">Learning-from-the-Wisdom-of-the-Body-lJQFSo.html Learning from the Wisdom of the Body]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http:</ins>/<ins class="diffchange diffchange-inline">/goodvillenews</ins>.<ins class="diffchange diffchange-inline">com/wk</ins>.<ins class="diffchange diffchange-inline">html GoodvilleNews</ins>.<ins class="diffchange diffchange-inline">com - good, positive news, inspirational stories, articles]]</ins></div></td></tr>
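Review bot: the three boran.com hardening references (Hardening BIND 8, Hardening BIND 9, Info on chroot'ing) and the sysadmin.oreilly.com views link are dropped in this hunk in favour of goodvillenews.com links and a "Learning from the Wisdom of the Body" passage, none of which concerns securing BIND; the whole hunk should be reverted and the original external links kept, since they are the page's only pointers to hardening and chroot guidance.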
</table>DavidYounghttp://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=12971&oldid=prev200.38.30.168: Remove spam about goodville from user DavidYoung.2012-08-06T00:14:51Z<p>Remove spam about goodville from user DavidYoung.</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 00:14, 6 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 62:</td>
<td colspan="2" class="diff-lineno">Line 62:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/views_05 ... \n</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/views_05 ... \n</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== Journey to the End of the Earth ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">I realized quickly, after just having traveled to various villages in rural India, that distance is relative. Hailing from a city like San Francisco, going even a few hours outside of town is far but twelve hours outside of a major city? I half expected to run into another country.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"> [[http://goodvillenews.com/Journey-to-the-End-of-the-Earth-tbNql3.html Journey to the End of the Earth]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== What Ive Learned About Learning ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">We learn more by looking for the answer to a question and not finding it than we do from learning the answer itself. ~Lloyd AlexanderI am a teacher and an avid learner, and Im passionate about both.Im a teacher because I help Eva homeschool our kids OK, she does most of the work, but I do help, mostly with math but with everything else too.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"> [[http://goodvillenews.com/What-Ive-Learned-About-Learning-I45BZI.html What Ive Learned About Learning]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== Researchers Nurture Innovative Biofuel Crops in Israels Desert ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Fears of global warming and its impact on our environment have left scientists scrambling to decrease levels of atmospheric carbon we humans produce. Now, Tel Aviv University researchers are doing their part to reduce humanitys carbon footprint by successfully growing forests in the most unlikely place deep in Israels Aravah Desert.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"> [[http://goodvillenews.com/Researchers-Nurture-Innovative-Biofuel-Crops-in-Israels-Dese-DJR.html Researchers Nurture Innovative Biofuel Crops in Israels Desert]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== How To Let Go of Insecurities 7 Steps To Build Your Confidence ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Self-worth comes from one thing thinking that you are worthy. Wayne DyerIts okay to have insecurities, we all do and its crucial for us to observe and understand the impact these insecurities have on the quality of our lives.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"> [[http://goodvillenews.com/How-To-Let-Go-of-Insecurities-7-Steps-To-Build-Your-Confiden-APt.html How To Let Go of Insecurities 7 Steps To Build Your Confidence]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== A Bicycle Nomad Prepares for Re-entry ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">In 2010, Manjula Martin and her partner set out to see the world the old-fashioned way: by bicycle. With little money, no itinerary, gadgets or training, they traversed five countries and 3,500 miles and discovered a world filled with generosity. In this article, Manjula Martin describes the transition from bike to home with four rules for re-entry that are strikingly authentic, grounded, and universal. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"> [[http://goodvillenews.com/A-Bicycle-Nomad-Prepares-for-Re-entry-S6sLCO.html A Bicycle Nomad Prepares for Re-entry]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</del></div></td><td colspan="2"> </td></tr>
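Review bot: the context line `[[http://sysadmin.oreilly.com/news/views_05 ... \n` above this hunk is left truncated by the revert; the same edit that inserted the goodvillenews.com content had cut it down from `[[http://sysadmin.oreilly.com/news/views_0501.html Implementing Views in BIND 9, by Cricket Liu]]` and its accompanying recommendation of the O'Reilly DNS & BIND book, so that line should be restored in the same cleanup rather than only the spam paragraphs being removed.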
</table>200.38.30.168http://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=12960&oldid=prevDavidYoung: minor updates2012-08-02T10:16:17Z<p>minor updates</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 10:16, 2 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 61:</td>
<td colspan="2" class="diff-lineno">Line 61:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://www.boran.com/security/sp/chrooting_bind.html Info on chroot'ing]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://www.boran.com/security/sp/chrooting_bind.html Info on chroot'ing]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/<del class="diffchange diffchange-inline">views_0501</del>.<del class="diffchange diffchange-inline">html Implementing Views in BIND 9, by Cricket Liu]]</del>. <del class="diffchange diffchange-inline">Thumbing through O'Reilly's DNS & BIND book is highly recommended -- Cricket Liu quite literally wrote the book on DNS</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/<ins class="diffchange diffchange-inline">views_05 </ins>... <ins class="diffchange diffchange-inline">\n</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[<del class="diffchange diffchange-inline">Category</del>:<del class="diffchange diffchange-inline">Ports </del>and <del class="diffchange diffchange-inline">Packages</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Journey to the End of the Earth ==</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[<del class="diffchange diffchange-inline">Category</del>:<del class="diffchange diffchange-inline">Configuring FreeBSD</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[<del class="diffchange diffchange-inline">Category</del>:<del class="diffchange diffchange-inline">Securing FreeBSD</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">I realized quickly, after just having traveled to various villages in rural India, that distance is relative. Hailing from a city like San Francisco, going even a few hours outside of town is far but twelve hours outside of a major city? I half expected to run into another country.</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[[<del class="diffchange diffchange-inline">Category</del>:<del class="diffchange diffchange-inline">DNS</del>]]</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[<ins class="diffchange diffchange-inline">http</ins>:<ins class="diffchange diffchange-inline">//goodvillenews.com/Journey-to-the-End-of-the-Earth-tbNql3.html Journey to the End of the Earth]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== What Ive Learned About Learning ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">We learn more by looking for the answer to a question </ins>and <ins class="diffchange diffchange-inline">not finding it than we do from learning the answer itself. ~Lloyd AlexanderI am a teacher and an avid learner, and Im passionate about both.Im a teacher because I help Eva homeschool our kids OK, she does most of the work, but I do help, mostly with math but with everything else too.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> [[http://goodvillenews.com/What-Ive-Learned-About-Learning-I45BZI.html What Ive Learned About Learning</ins>]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[<ins class="diffchange diffchange-inline">http</ins>:<ins class="diffchange diffchange-inline">//goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles</ins>]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Researchers Nurture Innovative Biofuel Crops in Israels Desert ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Fears of global warming and its impact on our environment have left scientists scrambling to decrease levels of atmospheric carbon we humans produce. Now, Tel Aviv University researchers are doing their part to reduce humanitys carbon footprint by successfully growing forests in the most unlikely place deep in Israels Aravah Desert.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> </ins>[[<ins class="diffchange diffchange-inline">http</ins>:<ins class="diffchange diffchange-inline">//goodvillenews.com/Researchers-Nurture-Innovative-Biofuel-Crops-in-Israels-Dese-DJR.html Researchers Nurture Innovative Biofuel Crops in Israels Desert</ins>]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== How To Let Go of Insecurities 7 Steps To Build Your Confidence ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Self-worth comes from one thing thinking that you are worthy. Wayne DyerIts okay to have insecurities, we all do and its crucial for us to observe and understand the impact these insecurities have on the quality of our lives.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> [[http://goodvillenews.com/How-To-Let-Go-of-Insecurities-7-Steps-To-Build-Your-Confiden-APt.html How To Let Go of Insecurities 7 Steps To Build Your Confidence]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== A Bicycle Nomad Prepares for Re-entry ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">In 2010, Manjula Martin and her partner set out to see the world the old-fashioned way: by bicycle. With little money, no itinerary, gadgets or training, they traversed five countries and 3,500 miles and discovered a world filled with generosity. In this article, Manjula Martin describes the transition from bike to home with four rules for re-entry that are strikingly authentic, grounded, and universal. </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> [[http://goodvillenews.com/A-Bicycle-Nomad-Prepares-for-Re-entry-S6sLCO.html A Bicycle Nomad Prepares for Re-entry]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[[<ins class="diffchange diffchange-inline">http</ins>:<ins class="diffchange diffchange-inline">//goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles</ins>]]</div></td></tr>
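Review bot: all four category tags ([[Category:Ports and Packages]], [[Category:Configuring FreeBSD]], [[Category:Securing FreeBSD]], [[Category:DNS]]) are deleted in this hunk and the Cricket Liu "Implementing Views in BIND 9" reference is cut down to `views_05 ... \n`, neither of which the summary "minor updates" describes; the inserted goodvillenews.com headings and paragraphs are unrelated to BIND, so the hunk should be reverted as a whole, category lines and the full views link included, not just the off-topic paragraphs.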
</table>DavidYounghttp://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=8531&oldid=prevJimbo: BIND (securing) moved to BIND, securing2007-06-21T18:18:30Z<p><a href="/index.php/BIND_(securing)" class="mw-redirect" title="BIND (securing)">BIND (securing)</a> moved to <a href="/index.php/BIND,_securing" title="BIND, securing">BIND, securing</a></p>
<table class='diff diff-contentalign-left'>
<tr valign='top'>
<td colspan='1' style="background-color: white; color:black;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black;">Revision as of 18:18, 21 June 2007</td>
</tr></table>Jimbohttp://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=8521&oldid=prevJimbo at 18:14, 21 June 20072007-06-21T18:14:57Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 18:14, 21 June 2007</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 66:</td>
<td colspan="2" class="diff-lineno">Line 66:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[Category:DNS]]</ins></div></td></tr>
</table>Jimbohttp://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=8513&oldid=prevJimbo at 18:08, 21 June 20072007-06-21T18:08:26Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 18:08, 21 June 2007</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 35:</td>
<td colspan="2" class="diff-lineno">Line 35:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ns.victim.tld.    IN  A  1.2.3.4        # go anywhere else to ask"</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ns.victim.tld.    IN  A  1.2.3.4        # go anywhere else to ask"</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>   </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  www.victim.tld.    IN  A  1.2.3.5        # this is the IP address of a webpage chock full of <del class="diffchange diffchange-inline">porn and drug banner </del>ads</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  www.victim.tld.    IN  A  1.2.3.5        # this is the IP address of a webpage chock full of <ins class="diffchange diffchange-inline">spammy </ins>ads <ins class="diffchange diffchange-inline">and malware</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>After the [[black hat]] sets up his domain and the bogus zone files above on his own server, at IP address 1.2.3.4, he asks the ''real'' nameserver for '''victim.tld''' to tell him what the IP address for '''www.poisoner.tld''' is.  Since it doesn't know, it asks '''ns.poisoner.tld''', which tells it that it needs to ask '''ns.victim.tld''' ''at the IP address 1.2.3.4'' for that information.  The victim caches that query result - so from here on out, even though it ''is'' '''ns.victim.tld''', if you ask it how to find '''ns.victim.tld''', it will respond with the [[black hat]]'s IP address, not its own.  And since the first step of client DNS resolution is to resolve the IP address of the [[authoritative nameserver]] for a domain, that further means that from here on out, any time anybody looks up ''any'' URL in the victim.tld domain, they'll get sent to the [[black hat]]'s nameserver - which will cheerfully send them to his own webpage full of <del class="diffchange diffchange-inline">porn, banner </del>ads<del class="diffchange diffchange-inline">, </del>and malware!</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>After the [[black hat]] sets up his domain and the bogus zone files above on his own server, at IP address 1.2.3.4, he asks the ''real'' nameserver for '''victim.tld''' to tell him what the IP address for '''www.poisoner.tld''' is.  Since it doesn't know, it asks '''ns.poisoner.tld''', which tells it that it needs to ask '''ns.victim.tld''' ''at the IP address 1.2.3.4'' for that information.  The victim caches that query result - so from here on out, even though it ''is'' '''ns.victim.tld''', if you ask it how to find '''ns.victim.tld''', it will respond with the [[black hat]]'s IP address, not its own.  
And since the first step of client DNS resolution is to resolve the IP address of the [[authoritative nameserver]] for a domain, that further means that from here on out, any time anybody looks up ''any'' URL in the victim.tld domain, they'll get sent to the [[black hat]]'s nameserver - which will cheerfully send them to his own webpage full of ads and malware!</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The good news is, DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997.  The bad news is, enough people are still running ancient legacy DNS services that there are still plenty of [[black hat]]s industriously trying to poison everything in sight just to see if it works.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The good news is, DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997.  The bad news is, enough people are still running ancient legacy DNS services that there are still plenty of [[black hat]]s industriously trying to poison everything in sight just to see if it works.</div></td></tr>
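<tr><td colspan="4">
Review bot: the example attacker address 1.2.3.4 in this hunk lies in publicly routed IPv4 space; for a worked example in documentation use one of the RFC 5737 reserved ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so nobody's real host is named. Secondary style point: the new version splits the paragraph with a single newline before "And since the first step", which MediaWiki renders as a plain space inside the same paragraph; either keep it on one line or insert a blank line for a real paragraph break.
</td></tr>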
<tr><td colspan="2" class="diff-lineno">Line 46:</td>
<td colspan="2" class="diff-lineno">Line 46:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>To see if you can be poisoned, see http://ketil.froyn.name/poison.html</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>To see if you can be poisoned, see http://ketil.froyn.name/poison.html</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">== See Also ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[BIND (installing)]], [[BIND (configuring)]], [[BIND (managing)]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==External Links==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==External Links==</div></td></tr>
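<tr><td colspan="4">
Review bot: the added heading `== See Also ==` uses padded spacing while the existing `==External Links==` heading directly below does not; pick one form (the page's existing `==See Also==` style) so the table of contents and section edit links render consistently.
</td></tr>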
<tr><td colspan="2" class="diff-lineno">Line 58:</td>
<td colspan="2" class="diff-lineno">Line 62:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/views_0501.html Implementing Views in BIND 9, by Cricket Liu]]. Thumbing through O'Reilly's DNS & BIND book is highly recommended -- Cricket Liu quite literally wrote the book on DNS.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[http://sysadmin.oreilly.com/news/views_0501.html Implementing Views in BIND 9, by Cricket Liu]]. Thumbing through O'Reilly's DNS & BIND book is highly recommended -- Cricket Liu quite literally wrote the book on DNS.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[BIND (installing)]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[BIND (configuring)]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[BIND (managing)]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Ports and Packages]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Ports and Packages]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td></tr>
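<tr><td colspan="4">
Review bot: the three removed lines are the same three article links that the hunk above re-adds under See Also, so this is a move rather than a deletion; saying so in the edit summary would spare the next reader a comparison of both hunks.
</td></tr>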
</table>
Jimbo
http://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=6504&oldid=prev
Ninereasons: common misspelling
2006-05-23T23:23:50Z
<p>common misspelling</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 23:23, 23 May 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Your DNS network design==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Your DNS network design==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly separate networks -- <del class="diffchange diffchange-inline">seperate </del>physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly separate networks -- <ins class="diffchange diffchange-inline">separate </ins>physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</div></td></tr>
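<tr><td colspan="4">
Review bot: the sentence recommending a hidden master on a "non-routeable address (10.0.0.0/8, 192.168/16, etc)" mixes notations and a misspelling; write the RFC 1918 blocks consistently as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and spell it "non-routable", since this is the sentence an administrator will copy into a firewall or ACL.
</td></tr>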
</table>
Ninereasons
http://www.freebsdwiki.net/index.php?title=BIND,_securing&diff=6503&oldid=prev
Ninereasons: common misspelling
2006-05-23T23:22:44Z
<p>common misspelling</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 23:22, 23 May 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Your DNS network design==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Your DNS network design==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly <del class="diffchange diffchange-inline">seperate </del>networks -- seperate physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Ideally, the strongest layout consists of '''at least''' two DNS servers on two wholly <ins class="diffchange diffchange-inline">separate </ins>networks -- seperate physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail==</div></td></tr>
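<tr><td colspan="4">
Review bot: this hunk corrects only the first "seperate" and leaves the second occurrence in the same sentence ("-- seperate physically and logically") misspelled; a spelling fix should cover every occurrence in the line in one edit rather than needing a follow-up revision.
</td></tr>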
</table>
Ninereasons