Wednesday, March 17, 2010

BIND, Security and PCI Compliance

I get to go through some of the fun commonly known as PCI compliance. PCI compliance is a good thing on the whole; nevertheless, it is time consuming. Today I spent time on my DNS server. I use BIND, the open source name server that is very popular across the net.

On a PCI scan I got this warning: "Bind Banner." It was the result of my system telling the world which version it is running. This could help a would-be hacker determine whether my system is old and vulnerable to known security holes.

To tighten it up a bit, I made some edits in my config file at /etc/named.conf.

At the end of the "options" section of named.conf, I added these lines:

dnssec-enable no;
version none;
hostname none;

This hides the version number and the BIND hostname, and disables DNSSEC (which PCI scans tell me is dangerous, even though it is intended for security).

Now, to check that your BIND version is hidden (be sure to restart BIND first), enter this at the bash command line:

dig -t txt -c chaos VERSION.BIND @myhostname.com

If you want some protection against an easy DoS target, add this to your "external" view in named.conf:

additional-from-auth no;
additional-from-cache no;

"recursion no;" should be in there already; that prevents your server from being an open resolver for the world. The extra lines above go a step further and stop the server from returning the root name servers for external queries. That is just your DNS server trying to be helpful, but your server should ignore all external queries for domains you don't serve. (More info here.)
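As an added example, not part of the original post, the following POSIX shell script automates both checks above: it parses dig's output to report whether VERSION.BIND and HOSTNAME.BIND still answer, and whether the server recurses for a name it does not serve (the open-resolver case that "recursion no;" prevents). The SAMPLE_* replies are constructed, and the server name passed to check_bind_server is assumed to be your own.

```shell
#!/bin/sh
# Added example (not from the original post): parse dig output to report whether a
# BIND server still answers VERSION.BIND / HOSTNAME.BIND and whether it recurses
# for a name it does not serve. The SAMPLE_* replies below are constructed.

# Reads a full `dig -t txt -c chaos ... @server` reply on stdin.
# Prints "exposed: <txt>" when a CH TXT answer came back, otherwise "hidden".
chaos_banner_status() {
    banner=$(awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && $3 == "CH" && $4 == "TXT" {
            $1 = $2 = $3 = $4 = ""; sub(/^[ \t]+/, ""); print; exit
        }')
    if [ -n "$banner" ]; then echo "exposed: $banner"; else echo "hidden"; fi
}

# Reads a full `dig -t a <foreign-name> @server` reply on stdin. A server with
# "recursion no;" answers REFUSED without the "ra" flag; an open resolver sets "ra".
recursion_status() {
    awk '
        BEGIN { status = "?"; ra = 0 }
        /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/       { ra = ($0 ~ / ra[ ;]/) ? 1 : 0 }
        END {
            if (status == "REFUSED" || !ra) print "closed (status " status ", ra=" ra ")"
            else print "OPEN RESOLVER (status " status ", ra=" ra ")"
        }'
}

# Live check against your own server (needs dig and network): check_bind_server ns1.example.com
check_bind_server() {
    printf 'VERSION.BIND : %s\n' "$(dig -t txt -c chaos VERSION.BIND "@$1" | chaos_banner_status)"
    printf 'HOSTNAME.BIND: %s\n' "$(dig -t txt -c chaos HOSTNAME.BIND "@$1" | chaos_banner_status)"
    printf 'recursion    : %s\n' "$(dig -t a example.com "@$1" | recursion_status)"
}

# Constructed sample replies for an offline demonstration.
SAMPLE_EXPOSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
VERSION.BIND.           0       CH      TXT     "9.7.0-P1"'
SAMPLE_HIDDEN=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

printf '%s\n' "$SAMPLE_EXPOSED" | chaos_banner_status   # exposed: "9.7.0-P1"
printf '%s\n' "$SAMPLE_HIDDEN"  | chaos_banner_status   # hidden
printf '%s\n' "$SAMPLE_OPEN"    | recursion_status      # OPEN RESOLVER (status NOERROR, ra=1)
```

Run it with no arguments to see the offline demonstration; call check_bind_server with your own server's name for a live check.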

PS. Looking for a list of all the available options in BIND? Here is a good one; although there is not much description, it does look complete.
