Bogons!
Are you a systems administrator, and do you run BIND DNS servers? If so, you should be using the Secure BIND Template written by Team Cymru. I’ve been using it for many years to lock down our production DNS servers.
Their document provides a great starting point for BIND server configuration, with a current, updated list of unallocated Internet networks, commonly referred to as Bogons.
Why should you care about Bogons?
Forged Internet traffic with source addresses in unallocated or reserved space can be used to attack your servers and pollute your DNS cache. No legitimate packet should ever arrive from these addresses, so it’s best to set up some Bogon filtering and drop it.
If you use the Bogon list to block traffic before it reaches your servers (as a deny ACL on a router or firewall, a BGP black hole route, or a BIND blackhole ACL in named.conf), you can stop this problem before it starts.
You have to be careful, though: if you paste the static list from the Cymru site into a configuration somewhere (say, named.conf) and fail to update it on a regular basis, legitimate users can be blocked from your site when IANA (or one of the regional Internet registries) releases a new allocation into the wild. Conversely, you may let illegitimate traffic into your network if a registry revokes an allocation and the now-unallocated space never makes it back into your list.
This happened to our site today when customers pulling images from the Panther CDN (in the 77.0.0.0/8 netblock) saw broken images on our site. I’d forgotten to update our Bogon list (it was two years old) and Panther couldn’t resolve the origin servers which delivered our content into the CDN. The problem was nearly impossible to find and required working with support and staring at tcpdumps for hours.
Many arguments with management, Panther Support, Sales reps, and coworkers later, we fixed it, and I came up with this short script to prevent us from using a bad Bogon list. A future version of this will auto-update /etc/named.conf on our name servers during our daily update push.
I give you, BogonChecker
#!/bin/sh
#
# Go get the bogon list from cymru once a day and find out if something has changed.
#
# Currently in cronjob at 0800 hours
#
# J. Adams 2/2008
#
URL=http://www.cymru.com/Documents/bogon-bn.html
# Stop here if the download fails; otherwise an empty file would look like a change.
wget "$URL" -O /root/bogon-bn.html -o /dev/null || exit 1
# first time through? if so, nothing to do yet, check it tomorrow.
if [ ! -f /root/bogon-bn-last.html ]; then
    mv /root/bogon-bn.html /root/bogon-bn-last.html
    exit
fi
diff /root/bogon-bn.html /root/bogon-bn-last.html > /dev/null
if [ $? != 0 ]; then
    # Unquoted heredoc delimiter so $URL expands in the message body.
    mail -s 'Cymru Bogon List has Changed!' xxxx@xxxxx.com <<ZZEOFZZ
-- This is an automated message from xxxx.xxxx.xxxx --
WARNING!
The bogon list at $URL
has changed!
Manually Update the DNS ACL in /etc/named/named.conf and
/etc/named.conf-secondary on ns3 as soon as possible to match the
current Bogon Listing, else newly allocated networks may not be able
to reach our sites!
Once you've updated it, log into shadow, and move /root/bogon-bn.html
to /root/bogon-bn-last.html to make this warning go away.
This is not a joke. A bogon is a section of Internet address space
which is unallocated by IANA and should not be routable. Keeping this
list updated ensures Internet connectivity.
ZZEOFZZ
fi
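As an added example (not part of the original post, and not Team Cymru's template or tooling), here is a sketch of the "future version" mentioned above: a POSIX sh script that turns a plain-text bogon list into a BIND acl fragment, refuses to emit anything if a line is not a well-formed IPv4 CIDR (so a truncated or garbled download can never be installed), and checks known-good addresses against the list before the fragment goes anywhere near named.conf, which is exactly the check that would have caught the stale 77.0.0.0/8 entry. It assumes the list is one IPv4 CIDR per line with # comments (the shape of Cymru's text-format list); the sample list, the acl name "bogon", and the CDN address 77.12.34.56 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a BIND acl from a
# plain-text bogon list and sanity-check it before it is installed.
# Assumes one IPv4 CIDR per line with '#' comments (Cymru's text-list format).
set -f   # no pathname expansion: every field below comes from an untrusted file

# ip_to_int DOTTED-QUAD -> prints the address as a decimal integer,
# exit 1 unless it is exactly four octets in 0..255.
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_cidr A.B.C.D/N -> exit 0 only for a well-formed IPv4 prefix (N in 0..32)
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    ip_to_int "${1%/*}" >/dev/null
}

# in_cidr IP A.B.C.D/N -> exit 0 if IP lies inside the prefix, 2 on bad input
in_cidr() {
    valid_cidr "$2" || return 2
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}")
    plen=${2#*/}
    [ "$plen" -eq 0 ] && return 0
    # network mask: 32 one-bits with the low (32-N) host bits cleared
    mask=$(( 4294967295 ^ ((1 << (32 - plen)) - 1) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# strip_line LINE -> LINE with the '#' comment and all whitespace removed
strip_line() {
    echo "${1%%#*}" | tr -d ' \t'
}

# bogon_acl FILE -> prints a BIND "acl" fragment on stdout; exit 1 without
# printing the fragment if any line is not a valid CIDR, so a bad download
# is never deployed.
bogon_acl() {
    out='acl "bogon" {'
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(strip_line "$raw")
        [ -z "$line" ] && continue
        valid_cidr "$line" || { echo "bogon_acl: bad CIDR '$line'" >&2; return 1; }
        out="$out
    $line;"
    done < "$1"
    printf '%s\n};\n// in the options stanza: blackhole { bogon; };\n' "$out"
}

# ip_blocked IP FILE -> exit 0 if IP falls inside any network listed in FILE
ip_blocked() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(strip_line "$raw")
        [ -z "$line" ] && continue
        in_cidr "$1" "$line" && return 0
    done < "$2"
    return 1
}

# Constructed sample list (NOT a live bogon list): 77.0.0.0/8 is included
# only to reproduce the stale-list failure described in the post.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a current list
0.0.0.0/8
10.0.0.0/8
77.0.0.0/8        # stale entry: this /8 has long since been allocated
127.0.0.0/8
224.0.0.0/3
EOF

# Addresses that must stay reachable (the CDN origin address is made up).
MUST_REACH="77.12.34.56 8.8.8.8"

bogon_acl "$SAMPLE"
for ip in $MUST_REACH; do
    if ip_blocked "$ip" "$SAMPLE"; then
        echo "WARNING: $ip would be blackholed; is the bogon list stale?" >&2
    fi
done
```

Run it against the freshly downloaded list in place of $SAMPLE from the daily update push: a non-zero exit from bogon_acl, or a hit from ip_blocked on an address you know must be reachable, is the signal to abort the push rather than deploy the list. The reachability check is the half of the problem a plain diff does not cover, because a diff tells you the list changed but not whether your acl still blocks something that has since been allocated.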