彼岸、花未開
*Detection on the DNS server side:
This article focuses on BIND servers; the experiments below were run against BIND 9 (version 9.2.4) installed on Solaris 10. On the BIND server side there are two ways to detect cache poisoning: spotting anomalies in the queries, or spotting anomalies by inspecting the cache records.
1) Spotting anomalies through queries
This requires BIND's query logging to be enabled. First, use rndc to check whether query logging is already on:
-bash-3.00# rndc status
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF <-- OFF here means query logging has not been enabled yet
server is up and running
The next step is to turn on query logging:
-bash-3.00# rndc querylog <-- this command toggles query logging on and off
Now check the status again ^_^
-bash-3.00# rndc status
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON <-- ON here means query logging is now enabled
server is up and running
At this point you still need to edit BIND's configuration file, named.conf:
-bash-3.00# vi /etc/named.conf
Add the following logging configuration block:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
logging {
channel audit_log {
file "named.log" versions 3 size 20m;
severity info;
print-time yes;
print-category yes;
};
category default { audit_log; };
category general { audit_log; };
category security { audit_log; };
category config { audit_log; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
category database { audit_log; };
};
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*Note: strictly speaking, only "category queries { audit_log; };" needs to be enabled, but to keep the log comprehensive...
Finally, restart named:
-bash-3.00# /etc/init.d/named restart
Now we can watch the log directly with tail:
-bash-3.00# tail -f /var/named/named.log
It may contain many query records like these:
Aug 06 02:27:29.364 queries: client 192.168.20.197#13939: query: demonalex.3322.org IN A
Aug 06 02:27:30.406 queries: client 192.168.20.197#13940: query: demonalex.3322.org IN A
Aug 06 02:27:30.994 queries: client 192.168.20.197#13941: query: demonalex.3322.org IN A
Aug 06 02:27:31.529 queries: client 192.168.20.197#13942: query: demonalex.3322.org IN A
Aug 06 02:27:32.043 queries: client 192.168.20.197#13943: query: demonalex.3322.org IN A
Aug 06 02:27:32.554 queries: client 192.168.20.197#13944: query: demonalex.3322.org IN A
Aug 06 02:27:33.034 queries: client 192.168.20.197#13945: query: demonalex.3322.org IN A
Aug 06 02:27:33.511 queries: client 192.168.20.197#13946: query: demonalex.3322.org IN A
Aug 06 02:27:33.972 queries: client 192.168.20.197#13947: query: demonalex.3322.org IN A
Aug 06 02:27:34.436 queries: client 192.168.20.197#13948: query: demonalex.3322.org IN A
If you find a large number of records with identical query content and consecutive source ports (the number after "#" is the source port), this may be an early sign of DNS cache poisoning. But don't draw conclusions too early; look at the next check as well :)
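As an added example (not code from the original post), here is a small Python script that applies the rule above to BIND query-log lines: it parses each line, groups queries by client and query name/type, and reports any client that repeated the same query with strictly consecutive source ports. The sample log and the thresholds (min_run, max_port_gap) are constructed assumptions for the example.

```python
import re
from collections import defaultdict
# Matches the BIND 9 query-log line format shown in the log excerpt above.
LOG_RE = re.compile(
    r"^\w{3} \d{2} [\d:.]+ queries: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (ip, port, name, qtype) for a query-log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], int(m["port"]), m["name"].lower(), m["qtype"]

def find_suspicious_runs(lines, min_run=5, max_port_gap=1):
    """Flag (ip, name, qtype, run) when one client repeats the same query
    min_run or more times with source ports rising by <= max_port_gap."""
    ports = defaultdict(list)  # (ip, name, qtype) -> source ports in log order
    for line in lines:
        rec = parse_line(line)
        if rec:
            ports[(rec[0], rec[2], rec[3])].append(rec[1])
    findings = []
    for key, seq in ports.items():
        longest = current = 1
        for prev, cur in zip(seq, seq[1:]):
            if 0 < cur - prev <= max_port_gap:   # consecutive source port
                current += 1
                longest = max(longest, current)
            else:
                current = 1
        if longest >= min_run:
            findings.append((*key, longest))
    return findings

# Constructed sample: one client repeating a name with consecutive ports,
# plus an ordinary client whose ports are unrelated (thresholds are assumed).
SAMPLE_LOG = """\
Aug 06 02:27:29.364 queries: client 192.168.20.197#13939: query: demonalex.3322.org IN A
Aug 06 02:27:30.406 queries: client 192.168.20.197#13940: query: demonalex.3322.org IN A
Aug 06 02:27:30.994 queries: client 192.168.20.197#13941: query: demonalex.3322.org IN A
Aug 06 02:27:31.529 queries: client 192.168.20.197#13942: query: demonalex.3322.org IN A
Aug 06 02:27:32.043 queries: client 192.168.20.197#13943: query: demonalex.3322.org IN A
Aug 06 02:27:33.100 queries: client 192.168.20.55#40211: query: www.example.com IN A
Aug 06 02:27:35.900 queries: client 192.168.20.55#51874: query: www.example.com IN A
"""
if __name__ == "__main__":
    print(find_suspicious_runs(SAMPLE_LOG.splitlines()))
```

Run it against `tail -n 1000 /var/named/named.log` output instead of SAMPLE_LOG to check a live server; a hit is only a hint and should be confirmed with the cache-dump check that follows.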
2) Spotting anomalies by inspecting the cache records
BIND itself provides no way to view the cache directly, but we can dump it with the rndc command. When you suspect the BIND server has been cache-poisoned, check as follows:
-bash-3.00# rndc dumpdb
-bash-3.00# cat /var/named/named_dump.db
The text file named_dump.db contains every DNS record BIND currently 'knows', but what we mainly care about are the records resulting from client queries, for example:
=========================================================================
; authanswer
demonalex.3322.org. 54 A 219.137.123.41
=========================================================================
We can use nslookup or a similar tool to switch to other DNS servers and look up the same records there, to confirm whether this BIND server has actually been cache-poisoned.
*Detection on the DNS client side:
The client-side method depends on the operating system. On Windows, set the network adapter's DNS server to the server 'suspected of being cache-poisoned', then inspect the host's DNS cache with ipconfig:
ipconfig /displaydns
or check in real time with nslookup or a similar command. On UNIX/Linux, a system without the nscd service installed has no DNS cache by default, so the only option is a real-time check with nslookup or similar.