SYSTEM INFORMATION | |
---|---|
OS type and version | Debian 11 |
Webmin version | 2.202 |
Virtualmin version | 7.20.2 Pro |
Webserver version | Apache version 2.4.62 |
Related packages | BIND version 9.16.50 |

THE PROBLEM FOR ME:

My IP changed over a week ago, and I have been doing everything I normally do. I updated the glue records 5 days ago to a new IP for my name servers for the main domain.
Dig returns the following:
```
; <<>> DiG 9.16.50-Debian <<>> hostihave.host.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59030
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation hostihave.host.)
;; QUESTION SECTION:
;hostihave.host. IN A
;; Query time: 44 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 02 21:11:02 CDT 2024
;; MSG SIZE rcvd: 80
```
Upon looking at my BIND configuration, the local BIND configuration file had old IPs listed in it. I am not sure if this is normal; they were external IPs, two old ones I used to have. The config file looked something like this:
```
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "domain1.com" {
    type master;
    file "/var/lib/bind/domain1.com.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        211.23.3.44;
    };
};
zone "domain2.com" {
    type master;
    file "/var/lib/bind/domain2.com.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        211.23.3.44;
    };
};
zone "domain3.com" {
    type master;
    file "/var/lib/bind/domain3.com.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        211.23.3.44;
    };
};
zone "domain4.com" {
    type master;
    file "/var/lib/bind/domain4.com.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        219.23.45.31;
    };
};
```
I am unsure of the configuration; I don’t recall adding these IPs to these configs.
Maybe this is normal and somehow they are added to BIND?
I have removed all IP addresses that were external from this BIND configuration and saved the file, as they are NOT my current IP.
Maybe there was some odd DNS attack I was unaware of?
All I know is I’ve tried nearly everything to get the server up and running, and I’ve had nothing but trouble doing so.
One other thing that I have done is add SSL to all the services; maybe this is the problem and I need to undo this from the main domain, as it wasn’t added before?
And I’ve changed the address of all of the servers to match my new external IP, so that everything matches the glue records set at the Domain Name Service Provider.
I’ve never had this much trouble getting DNS to update after an IP change, so I’m curious if there is something that I am missing. I’ve provided as much info as I have.
Other things I have done: I purged the cache at Google and Cloudflare, the 2 DNS servers I am using; the local DNS is also listed. So 192.168.1.1, 1.1.1.1 and 8.8.8.8 are all listed on the server; maybe the local one shouldn’t be listed, IDK.
I’ve also tried lowering the TTL to various numbers of seconds. The default is 3600. I tried 3, 30, 1600.
ASIDE QUESTION FOR BIND DNS SERVER SECURITY:
Why isn’t the Cloudmin image repo updated to include newer images like deb12 instead of deb11, in order to have BIND 9.4 or later? Curious thing; you’d think this would be a simple task. Adding new safe, secure images to the Cloudmin repo is drag and drop, isn’t it? Best would be in-place upgrade scripts to upgrade from deb11 to deb12, as an option to use at your own risk (back up first). Unless these are modified images, I don’t get what the difficulty is with adding newer images and removing outdated, insecure ones. I know there are issues with BIND attacks that were referenced prior to 9.4; below is an example of how they were fixed, though I’m not sure if it can be implemented in this version.
How can you avoid this attack? In BIND 9, there is a new feature called view, where you can limit the actions to IP ranges. Let’s see an example:
```
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        // "slaves" must be an acl defined elsewhere in named.conf
        allow-transfer { slaves; };
    };
};
```
This configuration only allows answering queries for the example.com zone. Since the recursion no directive is set, it also defaults allow-query-cache to {none;}, which denies access to the cache server. You can use this with BIND 9.4 and newer.
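
The named.conf.local excerpt in the post lists external addresses in each zone's allow-transfer block; one way to audit those lists after an IP change is sketched below, as an added example that is not part of the original post. The function name `audit_allow_transfer`, its `expected` parameter and the sample configuration (constructed from the post's excerpt) are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the named.conf.local excerpt in the post.
SAMPLE_CONF = '''
zone "domain1.com" {
    type master;
    file "/var/lib/bind/domain1.com.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
        211.23.3.44;
    };
};
zone "domain4.com" {
    type master;  /* constructed comment */
    allow-transfer { 127.0.0.1; localnets; 219.23.45.31; 192.168.1.0/24; };
};
zone "domain5.com" { type master; allow-transfer { any; }; };
'''

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def audit_allow_transfer(conf, expected=()):
    """Map zone -> allow-transfer entries that are public and not in `expected`."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)   # strip block comments
    conf = re.sub(r'(//|#)[^\n]*', '', conf)            # strip line comments
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    heads = list(ZONE_RE.finditer(conf))
    findings = {}
    for i, head in enumerate(heads):
        # A zone's statements run up to the next zone header (or end of file).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(conf)
        xfer = XFER_RE.search(conf, head.end(), end)
        for entry in (xfer.group(1).split(';') if xfer else []):
            entry = entry.strip()
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                # Not an address: report "any", skip ACL names such as localnets.
                if entry == 'any':
                    findings.setdefault(head.group(1), []).append(entry)
                continue
            if net.is_loopback or net.is_private:
                continue
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.setdefault(head.group(1), []).append(entry)
    return findings
```

Pass the addresses of the secondaries that should still receive zone transfers as `expected`; anything returned is a public address (or `any`) that a zone permits transfers to and that is not on that list.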