Manuals / Apple / Kitchen Appliance / Frozen Dessert Maker

Apple 034-2351_Cvr DNS Service Profiling, Denial-of-ServiceDoS, To alter BIND’s version response

Models: 034-2351_Cvr

1 97

Download 97 pages 56.32 Kb

Page 31

With a copy of your master zone, the hacker can see what kinds of services a domain offers, and the IP address of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack.

To defend against this attack, you need to specify which IP addresses are allowed to request zone transfers (your slave zone servers) and disallow all others. Zone transfers are accomplished over TCP on port 53. The method of limiting zone transfers is blocking zone transfer requests from anyone but your slave DNS servers.

To specify zone transfer IP addresses:

mCreate a firewall filter that allows only IP addresses inside your firewall to access TCP port 53.

Follow the instructions in “Creating an Advanced IP Filter for TCP ports” in Chapter 3, “IP Firewall Service.” Use the following settings:

•Allow packet.

•Port 53.

•TCP protocol.

•Source IP is the IP address of your slave DNS server.

•Destination IP is the IP address of your master DNS server.

DNS Service Profiling

Another common reconnaissance technique used by malicious users is to profile your DNS Service. First a hacker makes a BIND version request. The server will report what version of BIND is running. He or she then compares the response to known exploits and vulnerabilities for that version of BIND.

To defend against this attack, you can configure BIND to respond with something other than what it is.

To alter BIND’s version response:

1Launch a command-line text editor (like vi, emacs, or pico).

2Open named.conf for editing.

3Add the following to the “options” brackets of the configuration file.

version

"[your text, maybe ‘we're not telling!’]";

4Save the config file.

Denial-of-Service (DoS)

This kind of attack is very common and easy to do. A hacker sends so many service requests and queries that a server uses all of its processing power and network bandwidth to try and respond. The hacker prevents legitimate use of the service by overloading it.

Chapter 2 DNS Service

31

Image 31

Apple 034-2351_Cvr manual DNS Service Profiling, Denial-of-ServiceDoS, To specify zone transfer IP addresses

Contents

For Version 10.3 or Later Mac OS X Server Network Services Administration2003 Apple Computer, Inc. All rights reserved Apple Computer, Inc034-2351/9-20-03 Setting Up Mac OS X Server for the First Time ContentsHow to Use This Guide Using This GuideVPN Service NAT ServiceConfiguring NAT Service Monitoring NAT ServicePreface How to Use This GuideUsing This Guide What’s Included in This GuideGetting Help for Everyday Management Tasks Setting Up Mac OS X Server for the First TimeGetting Additional Information Before You Set Up DHCP Service DHCP ServiceLocating the DHCP Server Using Static IP AddressesCreating Subnets Assigning IP Addresses DynamicallyAssigning Reserved IP Addresses Setting Up DHCP Service for the First TimeUsing Multiple DHCP Servers on a Network Interacting With Other DHCP ServersStep 2 Set up logs for DHCP service Managing DHCP ServiceStarting and Stopping DHCP Service Creating Subnets in DHCP ServiceTo change subnet settings Changing Subnet Settings in DHCP ServiceTo delete subnets or address ranges Deleting Subnets From DHCP ServiceSetting the DNS Server for a DHCP Subnet Changing IP Address Lease Times for a SubnetSetting WINS Options for a Subnet Setting LDAP Options for a SubnetTo set LDAP options for a subnet Viewing the DHCP Status Overview Monitoring DHCP ServiceTo disable a subnet Disabling Subnets TemporarilyViewing the DHCP Client List Setting the Log Detail Level for DHCP ServiceTo set up the log detail level Viewing DHCP Log EntriesWhere to Find More Information DNS Service DNS and BIND Before You Set Up DNS ServiceSetting Up DNS Service for the First Time Setting Up Multiple Name ServersStep 2 Learn and plan Step 4 Create a DNS Zone Step 3 Configure basic DNS settingsStep 6 Set up a mail exchange MX record optional Step 8 Start DNS serviceTo enable or disable zone transfer Managing DNS ServiceStarting and Stopping DNS Service To start or stop DNS serviceMaster To enable or disable recursionManaging Zones Adding a Master ZoneTo add a master zone Adding a Slave ZoneTo add a slave zone To duplicate a zone Adding a Forward ZoneDuplicating a Zone To add a forward zoneTo modify a zone Managing RecordsModifying a Zone Deleting a ZoneTo add a record Adding a Record to a ZoneTo delete a record Modifying a Record in a ZoneDeleting a Record From a Zone To modify a recordTo view DNS service activity Viewing DNS Service StatusViewing DNS Service Activity To view DNS service statusTo change the log detail level Changing DNS Log File LocationViewing DNS Usage Statistics To change the log detail levelTo see DNS usage statistics Securing the DNS ServerDNS Spoofing Server MiningTo alter BIND’s version response DNS Service ProfilingDenial-of-ServiceDoS To specify zone transfer IP addressesoptions Service Piggybackingallow-recursion 127.0.0.0/8 Setting Up MX Records To enable MX records Configuring DNS for Mail ServiceEnabling Redundant Mail Servers To enable backup or redundant mail servers Setting Up Namespace Behind a NAT RouterNetwork Load Distribution aka Round Robin Setting Up a Private TCP/IP NetworkWhat Is BIND? Configuring BIND Using the Command LineZone Data Files BIND Configuration FileBIND on Mac OS X Server Practical ExampleTo set up the sample files Setting Up Sample Configuration FilesConfiguring Clients Check Your Configuration Using DNS With Dynamically Assigned IP AddressesWhere to Find More Information Request For Comment DocumentsPage IP Firewall Service Chapter 3 IP Firewall Service Subnet Mask What is a Filter?Understanding Firewall Filters IP AddressCorresponds to Netmask Chapter 3 IP Firewall ServiceNumber of addresses CIDRSample Using Address RangesRule Mechanism and Precedence Multiple IP AddressesStep 4 Add filters to the IP filter list Setting Up Firewall Service for the First TimeStep 2 Start firewall service Step 1 Learn and planStep 5 Save firewall service changes Managing Firewall ServiceStarting and Stopping Firewall Service Opening the Firewall for Standard ServicesCreating an Address Group To open the firewall for standard servicesTo create an address group To edit or delete an address group Editing or Deleting an Address GroupDuplicating an Address Group Creating an Advanced IP Filter for TCP portsTo create an IP filter for TCP ports Creating an Advanced IP Filter for UDP PortsTo create an IP filter for UDP ports To edit advanced IP filters Changing the Default FilterTo change the Default setting Editing Advanced IP FiltersTo view the log for firewall service Monitoring Firewall ServiceSetting Up Logs for Firewall Service To set up logsTo view denied packets Viewing Denied PacketsViewing Packets Logged by Filter Rules Log ExampleTo do this Block Access to Internet UsersPractical Examples Block Junk MailTo do this Allow a Customer to Access the Apple File ServerTo do this To prevent ping denial-of-serviceattacks Preventing Denial-of-ServiceDoS AttacksControlling or Enabling Peer-to-PeerNetwork Usage Controlling or Enabling Network Game Usage Advanced ConfigurationBackground Creating IP Filter Rules Using ipfw PrecautionsRule number Reviewing IP Filter RulesCreating IP Filter Rules Chapter 3 IP Firewall ServiceDeleting IP Filter Rules Port ReferenceReference Chapter 3 IP Firewall ServiceTCP port Used forReference Chapter 3 IP Firewall ServiceTCP port Used forman ipfw For more information about ipfwWhere to Find More Information Request For Comment DocumentsStarting and Stopping NAT Service NAT ServiceTo start NAT service Viewing the NAT Status Overview Configuring NAT ServiceMonitoring NAT Service To configure NAT serviceRequest For Comment Documents To view the NAT divert logFor more information about natd Where to Find More InformationPage VPN Service Point to Point Tunneling Protocol PPTP Authentication MethodVPN and Security Transport ProtocolsEnabling and Configuring L2TP Transport Protocol Before You Set Up VPN ServiceManaging VPN Service Starting or Stopping VPN ServiceTo enable L2TP Enabling and Configuring PPTP Transport ProtocolTo enable PPTP To configure addition network settings Configuring VPN Network Routing DefinitionsTo set routing definitions To set up the log archive interval Monitoring VPN ServiceSetting the Log Detail Level for VPN Service Setting the VPN Log Archive IntervalTo view client connections Viewing the VPN LogViewing VPN Client Connections To view the logPage How NTP Works NTP ServiceSetting Up NTP Service Using NTP on Your NetworkTo set up NTP service Request For Comment Documents Configuring NTP on ClientsTo configure NTP on clients Where to Find More InformationPage IPv6 Support Notation IPv6 Enabled ServicesIPv6 Addresses in the Server Admin IPv6 AddressesIPv6 Addressing Model IPv6 Reserved AddressesIPv6 Address Types Request For Comment Documents Where to Find More InformationGlossary GlossaryGlossary LDAP Lightweight Directory Access Protocol A standard client-serverprotocol for accessing a directory domain name server See DNS Domain Name System search path See search policy UCE unsolicited commercial email See spam Page Page Index IndexIndex Index