Allow BIND DNS Queries from external networks

Folks,
If you have ever configured ISC BIND on one of your machines and it is not returning the DNS responses you expect, this post is for you. It walks through a basic troubleshoot of one very common cause. A couple of days back I needed to check a DNS server's version, so I crafted my own packet to fetch the installed BIND version from one of my VMware guests. Even though the crafted packet was perfectly legitimate and not any kind of hack attempt, the remote DNS server kept refusing my query.

You can write a simple program in Python (or any other language) to send the request and read the version out of the reply. Just make sure the socket you create is a UDP socket: ordinary DNS queries, this one included, are sent over UDP port 53 (TCP port 53 is used mainly for zone transfers and for responses too large to fit in a UDP datagram).

For brevity I have attached the packet traces as well, which should help you pin the issue down exactly; go through them if you know your way around Wireshark. In the trace file, look at Packet No. 2, expand the DNS protocol section and navigate to the Flags field. You will see "Reply code: Refused (5)", i.e. RCODE 5, REFUSED, which means the target DNS server declined to answer the query you sent. Note that REFUSED is a deliberate policy decision, not a network problem: the server received your packet and chose not to answer it.

After some debugging I tracked it down to the default BIND configuration. BIND reads its configuration from named.conf, usually /etc/named.conf (Debian and Ubuntu keep it under /etc/bind/). If you open that file you will come across an "allow-query" entry whose value is "localhost;", which means only queries arriving from the loopback address are answered and every other host gets REFUSED. I changed that entry to "any" so that the server accepts queries from any host instead of sticking to localhost only. Once you are done with the modification, restart the named daemon (named is the process that provides the DNS service) and you are ready to roll! Below is how to restart the daemon and confirm everything went well.
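As an added example (not the author's script), here is a small Python program that crafts the version query the post describes, sends it over UDP, and decodes the reply header so you can tell REFUSED (RCODE 5) from a real answer. It asks for version.bind in the CHAOS class, type TXT, which is the conventional way to ask BIND for its version; the post does not say which record the author queried, so that choice is an assumption, as are the two constructed sample replies at the bottom, which stand in for the attached traces and are not taken from them.

```python
import secrets
import socket
import struct
import sys

QTYPE_TXT = 16
QCLASS_CH = 3
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name="version.bind", qtype=QTYPE_TXT, qclass=QCLASS_CH, txid=None):
    """12-byte header plus one question. A random ID lets us reject stray or spoofed replies."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: plain query, RD off
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def read_name(data, offset):
    """Return (name, offset after the name), following compression pointers.
    The jump limit stops a hostile reply from looping us forever."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if jumps > 16:
                raise ValueError("compression pointer loop")
            jumps += 1
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data, expected_id=None):
    """Decode the header and answers; return the rcode, its name and any TXT strings."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F                        # what Wireshark labels "Reply code"
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    txt = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT:                    # TXT rdata: run of length-prefixed strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                txt.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)), "txt": txt}


def query_version(server, port=53, timeout=3.0):
    """Send the crafted query over UDP/53 and decode whatever comes back."""
    query = build_query()
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, expected_id=txid)


# Constructed sample replies (not the post's traces) so the parser runs offline.
SAMPLE_ID = 0x1234
_QUESTION = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
# Shape of the refusing server's reply: QR set, RCODE 5, question echoed, no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", SAMPLE_ID, 0x8005, 1, 0, 0, 0) + _QUESTION
# Shape of the reply after allow-query is opened: one TXT answer, its name a
# compression pointer (0xC00C) back to the question at offset 12.
ACCEPTED_REPLY = (struct.pack("!HHHHHH", SAMPLE_ID, 0x8400, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 6)
                  + b"\x05" + b"9.7.0")          # made-up version string

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = query_version(target)
    print(target, result["rcode_name"], " ".join(result["txt"]))
```

Run it as `python3 bindver.py <server>`: before the allow-query change you should see REFUSED, afterwards NOERROR followed by the version (or whatever the server's `version` option is set to). Checking the transaction ID and the QR bit before trusting a reply is cheap and is the least any hand-rolled client should do.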

$ sudo service named restart
$ sudo netstat -anup | grep ':53 ' # Confirm named is listening on UDP port 53 (-p only shows the process name when run as root).

NOTE: DNS settings are sensitive and a careless change can lead to a serious breach. Setting allow-query to "any" on a server that also does recursion turns it into an open resolver: anyone on the Internet can use it for DNS amplification attacks (small spoofed queries, large responses aimed at a victim), and it becomes a more attractive target for cache poisoning. Exposing the version string also hands a remote attacker the exact release to look up known vulnerabilities for. So before you change a setting, make sure you understand what it does and what the impact is if that configuration is left open: prefer an ACL listing the networks that actually need answers over "any", restrict recursion separately, and consider hiding the version string. For a lab VM that is only reachable from your own network, "any" is fine.
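The named.conf change itself, as an added example (not the author's file): the shipped default that produces REFUSED, the post's fix, and a tighter alternative that answers only named networks and stops advertising the real version. These are three alternative fragments for the options block, not one file; a real named.conf has a single options block. The acl name and the 192.0.2.0/24 prefix are placeholders standing in for your own network.

```conf
// Default as shipped: only queries from the loopback address are answered,
// so every other host gets RCODE 5 (REFUSED).
options {
    allow-query { localhost; };
};

// The post's fix: answer everyone. Fine on an isolated lab VM; on a
// recursive server reachable from the Internet this is an open resolver.
options {
    allow-query { any; };
};

// Tighter: name the networks that need answers and keep recursion to them.
acl "trusted" {
    localhost;
    192.0.2.0/24;    // placeholder for your LAN
};

options {
    allow-query     { trusted; };
    allow-recursion { trusted; };
    version "not disclosed";   // what version.bind returns instead of the real release
};
```

After editing, `sudo service named restart` as above and re-run the version query from a host on the allowed network and from one outside it; only the former should get NOERROR.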

Now, when you make DNS queries from external hosts, the server replies with the requested information instead of refusing the query. For confirmation I have attached a sample packet trace showing that I got a response to the packet I sent, which fetches the BIND version running on the target host.

Packet trace (DNS Request refused/accepted by remote BIND DNS Server): Download here

Even though this post won't help everyone, I hope it will help some people for sure.

If it really helps then please do drop suggestions/feedback if you have any, as it gives more encouragement. ;-)

Enjoy!
XyluX

Feb 28th, 2010 | Posted in Security