TL;DR
Your Bind9 DNS server is sending all requests to the same IP address, likely due to malicious configuration changes. This guide will help you identify and remove those changes, restoring normal operation.
1. Stop the Bind9 Service
Before making any changes, stop the Bind9 service to prevent further incorrect resolutions. The command varies depending on your system:
- Systemd (most modern Linux distributions):
sudo systemctl stop bind9
- SysV init scripts (older distributions):
sudo service bind9 stop
2. Check the Zone Files
The most common cause is a modified zone file. Look for suspicious entries, especially in your forward and reverse lookup zones.
- Forward Lookup Zones: These map domain names to IP addresses (e.g., example.com to 192.0.2.1). The files are usually located in /etc/bind/zones/ or similar.
- Reverse Lookup Zones: These map IP addresses to domain names (e.g., 192.0.2.1 to host.example.com).
Use a text editor like nano or vim to inspect the files. Look for:
- All A records pointing to the same IP address.
- Unexpected NS (nameserver) and SOA (start of authority) records.
sudo nano /etc/bind/zones/db.example.com
Example of a suspicious entry:
@ IN A 192.0.2.1
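The check in step 2 ("all A records pointing to the same IP address") can be done mechanically rather than by eye. The script below is an added example, not part of the original guide: it strips `;` comments, collects the target of every A record in a zone file, and flags the zone when more than one A record exists and all of them share a single address. The two zone files it creates are constructed samples; on a real server you would pass paths such as /etc/bind/zones/db.example.com.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the A records in a zone
# file and flag the "everything points at one address" pattern from step 2.
# The zone files below are constructed for demonstration; on a real server
# you would pass paths such as /etc/bind/zones/db.example.com.

zone_a_targets() {
    # $1: zone file. Prints the target address of every A record, one per line.
    # Comments (everything after ';') are stripped first so that commented-out
    # records are not counted; AAAA records are ignored.
    awk '
        { sub(/;.*/, "") }
        {
            for (i = 1; i < NF; i++)
                if ($i == "A") { print $(i + 1); break }
        }
    ' "$1"
}

zone_hijack_suspected() {
    # Returns 0 when the zone has more than one A record and all of them
    # resolve to the same address, which is the symptom this guide describes.
    total=$(zone_a_targets "$1" | wc -l | tr -d ' ')
    distinct=$(zone_a_targets "$1" | sort -u | wc -l | tr -d ' ')
    [ "$total" -gt 1 ] && [ "$distinct" -eq 1 ]
}

zone_report() {
    # Human-readable summary: each address with how many A records use it.
    echo "== $1"
    zone_a_targets "$1" | sort | uniq -c | sort -rn
    if zone_hijack_suspected "$1"; then
        echo "SUSPICIOUS: all A records point at the same address"
    else
        echo "ok: A records spread over $(zone_a_targets "$1" | sort -u | wc -l | tr -d ' ') addresses"
    fi
}

# --- constructed sample zones ---------------------------------------------
ZONE_SAMPLES=$(mktemp -d)
trap 'rm -rf "$ZONE_SAMPLES"' EXIT

cat > "$ZONE_SAMPLES/db.hijacked" <<'EOF'
$TTL 86400
@       IN  SOA ns1.example.com. admin.example.com. (
            2024030302 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
@       IN  NS  ns1.example.com.
@       IN  A   192.0.2.1
ns1     IN  A   192.0.2.1
www     IN  A   192.0.2.1
mail    IN  A   192.0.2.1
;old    IN  A   192.0.2.99   commented out, so it must not be counted
EOF

cat > "$ZONE_SAMPLES/db.healthy" <<'EOF'
$TTL 86400
@       IN  NS  ns1.example.com.
@       IN  A   192.0.2.10
ns1     IN  A   192.0.2.11
www     3600 A  192.0.2.12
mail    IN  A   192.0.2.13
mail    IN  AAAA 2001:db8::25
EOF

zone_report "$ZONE_SAMPLES/db.hijacked"
zone_report "$ZONE_SAMPLES/db.healthy"
```

Run it over every file in your zone directory (`for z in /etc/bind/zones/db.*; do zone_report "$z"; done`) to get a per-zone verdict; a single-address zone that is genuinely a one-host domain is a legitimate hit, so treat the output as a shortlist for manual review rather than a final answer.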
3. Restore Zone Files from Backup
If you have backups, this is the easiest and safest way to recover. Restore your zone files from a known good backup.
- Copy the backed-up files back to their original locations (e.g., /etc/bind/zones/).
- Ensure the file permissions are correct (usually owned by root:bind and with permissions 640 or similar).
4. Examine the Named Configuration File
The main Bind9 configuration file, usually named named.conf.local or named.conf.options, might contain incorrect forwarders or other settings causing the redirection.
sudo nano /etc/bind/named.conf.local
Look for a forwarders {} block. If it’s present and contains an unexpected IP address, remove or comment out that line:
// forwarders { 192.0.2.1; };
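Because named.conf files allow `//`, `#` and `/* */` comments, a plain grep for "forwarders" will keep reporting entries you have already commented out. The script below is an added example, not part of the original guide: it removes all three comment styles and then prints only the forwarders that are actually in effect, plus a helper that compares them against the resolvers you expect. The configuration file it creates is constructed; the addresses in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): list the forwarders that are
# actually active in a named configuration file, ignoring entries that have
# been commented out with //, # or /* */ as step 4 recommends.
# The configuration below is constructed; real files live under /etc/bind/.

named_active_forwarders() {
    # $1: path to a named.conf* file. Prints one forwarder address per line.
    # Line comments are removed per line, the file is flattened, block comments
    # (without a '*' inside them) are removed, then every forwarders { ... }
    # block is searched for IPv4 addresses. IPv6 forwarders would need a
    # wider address pattern.
    sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        tr '\n' ' ' |
        sed -e 's:/\*[^*]*\*/::g' |
        grep -o 'forwarders[[:space:]]*{[^}]*}' |
        grep -oE '[0-9]+(\.[0-9]+){3}' || true
}

named_unexpected_forwarders() {
    # $1: config file; remaining args: the resolver addresses you expect.
    # Prints every active forwarder that is not in that allow-list.
    file=$1; shift
    for fw in $(named_active_forwarders "$file"); do
        expected=0
        for ok in "$@"; do
            if [ "$fw" = "$ok" ]; then expected=1; fi
        done
        if [ "$expected" -eq 0 ]; then echo "$fw"; fi
    done
}

# --- constructed sample configuration -------------------------------------
NAMED_SAMPLES=$(mktemp -d)
trap 'rm -rf "$NAMED_SAMPLES"' EXIT

cat > "$NAMED_SAMPLES/named.conf.options" <<'EOF'
options {
        directory "/var/cache/bind";

        // forwarders { 192.0.2.1; };   commented out, so no longer active
        forwarders {
                198.51.100.7;      // not one of our upstream resolvers
                203.0.113.53;      # our ISP resolver (placeholder address)
        };
        /* forwarders { 192.0.2.2; }; also inactive */

        dnssec-validation auto;
        listen-on-v6 { any; };
};
EOF

echo "active forwarders:"
named_active_forwarders "$NAMED_SAMPLES/named.conf.options"
echo "unexpected (allow-list: 203.0.113.53):"
named_unexpected_forwarders "$NAMED_SAMPLES/named.conf.options" 203.0.113.53
```

Run `named_unexpected_forwarders` over each of named.conf, named.conf.options and named.conf.local with your known-good resolver addresses as arguments; any address it prints is a forwarder you did not put there. After editing, `named-checkconf` (shipped with BIND) confirms the file still parses before you restart the service.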
5. Check the `rndc-key` File
The `rndc-key` file contains keys used to control Bind9 remotely. A compromised server might have a rogue key allowing unauthorized changes.
- Locate the `rndc-key` file (usually in /etc/bind/).
- Check its permissions and ownership. It should be owned by root:bind with restrictive permissions (e.g., 600).
If you suspect compromise, regenerate the key:
sudo rndc-confgen -a -A hmac-sha256 -b 256 -k rndc-key -c /etc/bind/rndc.key
Then update your `named.conf.options` file to use the new key.
6. Review System Logs
Examine Bind9’s logs for clues about the changes. Look for errors, warnings, or unusual activity around the time of the problem.
- Common log locations: /var/log/syslog, /var/log/messages, /var/log/bind9/
sudo tail -f /var/log/syslog | grep -E 'named|bind9'
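A raw `grep` on the log shows every query; what step 6 is really after is the handful of lines that show the server being reconfigured. The script below is an added example, not part of the original guide: it builds a timeline of control channel commands, reloads, zone loads, incoming zone transfers and restarts from a syslog-style file, and counts the `rndc` commands seen. The log lines it creates are constructed samples; the message texts follow BIND 9's own log formats, but the host name, PID, serials, addresses and version string are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): build a timeline of the
# events in syslog that show named being reconfigured or its zones being
# replaced, which is what step 6 is looking for. The log lines below are
# constructed; the message texts follow BIND 9's own log formats, but host
# name, PID, serials, addresses and version string are placeholders.

bind_change_events() {
    # $1: syslog-style file. Prints "<date> <time> <kind>: <message>" for each
    # named log line that indicates a control command, a reload, a zone load,
    # an incoming zone transfer or a restart. Query and unrelated lines are dropped.
    grep -E 'named\[[0-9]+\]:' "$1" |
        awk '
            /received control channel command/ { kind = "rndc-command" }
            /reloading (configuration|zones)/  { kind = "reload" }
            /loaded serial/                    { kind = "zone-loaded" }
            /transferred serial/               { kind = "zone-transferred" }
            /starting BIND/                    { kind = "restart" }
            kind != "" {
                msg = $0
                sub(/^.*named\[[0-9]+\]: /, "", msg)   # drop the syslog prefix
                print $1, $2, $3, kind ":", msg
                kind = ""
            }
        '
}

bind_rndc_command_count() {
    # Number of control channel commands seen; any you did not issue yourself
    # deserve a close look, since that is how a rogue rndc key would be used.
    bind_change_events "$1" | awk '/ rndc-command: / { n++ } END { print n + 0 }'
}

# --- constructed sample log -----------------------------------------------
LOG_SAMPLES=$(mktemp -d)
trap 'rm -rf "$LOG_SAMPLES"' EXIT

cat > "$LOG_SAMPLES/syslog" <<'EOF'
Mar  3 01:00:00 ns1 named[812]: starting BIND 9.x (version placeholder)
Mar  3 01:00:00 ns1 named[812]: running
Mar  3 02:14:01 ns1 named[812]: received control channel command 'reload'
Mar  3 02:14:01 ns1 named[812]: reloading configuration succeeded
Mar  3 02:14:01 ns1 named[812]: zone example.com/IN: loaded serial 2024030302
Mar  3 02:14:02 ns1 named[812]: zone example.com/IN: sending notifies (serial 2024030302)
Mar  3 02:15:30 ns1 named[812]: client @0xplaceholder 192.0.2.50#41234 (www.example.com): query: www.example.com IN A + (192.0.2.53)
Mar  3 03:00:05 ns1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF

bind_change_events "$LOG_SAMPLES/syslog"
echo "control channel commands: $(bind_rndc_command_count "$LOG_SAMPLES/syslog")"
```

Point it at /var/log/syslog (or /var/log/messages) and compare the timestamps of the reload and "loaded serial" lines with the modification times of your zone files (`ls -l --time-style=full-iso /etc/bind/zones/`): a reload you did not perform, followed by a new serial, brackets the moment the zone was changed.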
7. Restart the Bind9 Service
After making changes, restart the service to apply them.
sudo systemctl start bind9
8. Verify Correct Resolution
Use dig or nslookup to verify that queries are resolving correctly.
dig example.com
nslookup example.com
If the problem persists, double-check your configuration files and logs. Consider running a security scan on your server to identify any other potential compromises.