----- Original Message -----
From: "Brian Rahill" <brian (at mark) rainstormconsulting.com>
To: <coba-e (at mark) bluequartz.org>
Sent: Friday, November 07, 2008 4:08 AM
Subject: [coba-e:14275] Re: Cache snooping attacks, bind
> I am reposting to see if anyone can help. Can BIND be upgraded to
> 9.4.1-P1 without issue/conflict with the GUI?
>
> We really need the 'allow-query-cache' option to maintain PCI compliance
> and this is not available until the 9.4.1-P1 release.
>
> Thanks,
>
> Brian
Brian,
All you need to do is not allow recursion for IPs outside your network.
For example my /var/named/chroot/etc/named.conf begins with:
options {
    directory "/var/named";
    // spoof version for a little more security via obscurity
    version "100.102.105";
    forwarders { 209.112.247.138; 209.112.247.143; };
    // zone transfer access denied outside these networks
    allow-transfer { 209.112.247.0/24; 127.0.0.0/24; };
    // recursion allowed only from these networks
    allow-recursion { 209.112.247.0/24; 127.0.0.0/24; };
};
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
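The point Ken makes is that the cache is only exposed to clients the recursion ACL admits. In BIND 9.4.1-P1 and later, per the BIND 9.4 ARM, an unset `allow-query-cache` falls back to `allow-recursion`, then to `allow-query`, then to `localnets; localhost`, so a server that sets `allow-query { any; }` without an `allow-recursion` restriction still leaves its cache readable from anywhere. The following script is an added illustration, not code from this thread, Ken's server, or ISC; it evaluates a `named.conf` options block the way BIND's first-match ACL logic does (an approximation: `localhost` is treated as loopback only, and `localnets` is supplied by the caller). The sample configs are constructed, one modelled on the block posted above and one showing the weak pattern.

```python
import ipaddress
import re

# Constructed sample modelled on the options block posted in the thread above.
RESTRICTED_CONF = """
options {
    directory "/var/named";
    // spoof version for a little more security via obscurity
    version "100.102.105";
    forwarders { 209.112.247.138; 209.112.247.143; };
    allow-transfer { 209.112.247.0/24; 127.0.0.0/24; };
    allow-recursion { 209.112.247.0/24; 127.0.0.0/24; };
};
"""

# Constructed sample of the weak pattern: queries open to all, recursion ACL not set.
OPEN_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
};
"""

# Matches "allow-recursion { ... };" style statements; comments are stripped first.
ACL_RE = re.compile(r'\b(allow-(?:recursion|query-cache|query))\s*\{([^}]*)\}', re.S)


def parse_acls(conf):
    """Return {statement: [acl elements]} for the allow-* statements in a named.conf text."""
    text = re.sub(r'//[^\n]*', '', conf)  # drop // comments
    acls = {}
    for name, body in ACL_RE.findall(text):
        acls[name] = [e.strip() for e in body.split(';') if e.strip()]
    return acls


def effective_query_cache_acl(acls):
    """Apply the BIND 9.4.1-P1+ default chain for allow-query-cache."""
    for name in ('allow-query-cache', 'allow-recursion', 'allow-query'):
        if name in acls:
            return acls[name]
    return ['localnets', 'localhost']


def acl_permits(acl, client_ip, local_nets=()):
    """First-match evaluation of a BIND address match list for one client address."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        negate = elem.startswith('!')
        if negate:
            elem = elem[1:].strip()
        if elem == 'any':
            match = True
        elif elem == 'none':
            match = False
        elif elem == 'localhost':
            match = ip.is_loopback          # approximation of "the server's own addresses"
        elif elem == 'localnets':
            match = any(ip in ipaddress.ip_network(n) for n in local_nets)
        else:
            match = ip in ipaddress.ip_network(elem, strict=False)
        if match:
            return not negate
    return False  # no element matched: denied


def cache_readable_by(conf, client_ip, local_nets=()):
    """True if client_ip would be allowed to query this server's cache."""
    return acl_permits(effective_query_cache_acl(parse_acls(conf)), client_ip, local_nets)


if __name__ == '__main__':
    for label, conf in (('restricted', RESTRICTED_CONF), ('open', OPEN_CONF)):
        for ip in ('209.112.247.5', '127.0.0.1', '198.51.100.7'):
            print(f'{label:10s} client {ip:15s} cache query allowed: {cache_readable_by(conf, ip)}')
```

Running it shows the restricted block admits only the listed /24 and loopback, while the open block admits the outside address as well; that difference is what `allow-recursion` (or, from 9.4.1-P1, an explicit `allow-query-cache`) controls.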