
Date:  Fri, 7 Nov 2008 10:52:41 -0800
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark)>
Subject:  [coba-e:14277] Re: Cache snooping attacks, bind
To:  <coba-e (at mark)>
Cc:  <brian (at mark)>
Message-Id:  <C8374F0143A34A7EB0E269FE54BE12F4@OfficeKen>
References:  <490F2542.3040509 (at mark)> <491029C1.30503 (at mark)> <49142FC2.4050303 (at mark)>
X-Mail-Count: 14277

----- Original Message ----- 
From: "Brian Rahill" <brian (at mark)>
To: <coba-e (at mark)>
Sent: Friday, November 07, 2008 4:08 AM
Subject: [coba-e:14275] Re: Cache snooping attacks, bind

> I am reposting to see if anyone can help. Can BIND be upgraded to 
> 9.4.1-P1 without issue/conflict with the GUI?
> We really need the 'allow-query-cache' option to maintain PCI compliance 
> and this is not available until the 9.4.1-P1 release.
> Thanks,
> Brian


All you need to do is not allow recursion for IPs outside your network. 

For example my /var/named/chroot/etc/named.conf begins with:

options {
  directory "/var/named";
  // spoof version for a little more security via obscurity
  version "100.102.105";
  forwarders {;;};
  // zone transfer access denied
  allow-transfer {;; };
  allow-recursion {;; };
  // recursion allowed

Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
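The two approaches in this thread are not quite the same thing, so here is the relevant part of a named.conf with the open setting shown next to the restricted one. This is an added example, not configuration from Ken's post or from ISC's BIND documentation. The ACL name "trusted", the network 192.0.2.0/24 and the zone example.com are assumed placeholders. The allow-query-cache statement exists only in BIND 9.4.1-P1 and later; on those releases it defaults to the allow-recursion list when that is set, otherwise to allow-query, otherwise to localnets and localhost. On older releases there is no separate cache ACL and allow-query governs cache reads too, which is why a server that is authoritative for public zones and keeps allow-query { any; } can still have its cache read from outside even after allow-recursion is restricted.

```conf
// Added example, not from the original post or from ISC's BIND docs.
// "trusted", 192.0.2.0/24 and example.com are assumed placeholders.

// --- Open form (the setting a cache-snooping scanner flags) -------------
// Anyone may ask for anything, recursion included. Even if allow-recursion
// were restricted here, allow-query { any; } alone would still let an
// outsider read the cache on releases without allow-query-cache.
//
// options {
//   directory "/var/named";
//   recursion yes;
//   allow-query { any; };
// };

// --- Restricted form (BIND 9.4.1-P1 or later for allow-query-cache) -----
acl "trusted" {
  127.0.0.1;
  ::1;
  192.0.2.0/24;        // assumed: the hosting company's own network
};

options {
  directory "/var/named";

  // Authoritative answers stay public: anyone may query the zones you host.
  allow-query { any; };

  // Recursive service and cache reads are limited to your own hosts.
  // Set both explicitly so an outside non-recursive query for a name you
  // are not authoritative for is REFUSED rather than answered from cache.
  recursion yes;
  allow-recursion { trusted; };
  allow-query-cache { trusted; };

  // No zone transfers to outsiders.
  allow-transfer { none; };
};

zone "example.com" {
  type master;
  file "example.com.zone";
};
```

To confirm the change from a host outside the trusted range, send a non-recursive query for a name the server is not authoritative for, for example dig +norecurse @ns.example.com www.example.net A. The restricted server answers with status REFUSED; a snoopable one returns NOERROR with an answer section when the name is already cached and NOERROR with an empty answer section when it is not, which is exactly the difference a cache-snooping probe measures. A query for example.com itself should still succeed from anywhere, since allow-query { any; } is unchanged.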