Resetting BIND serial number

Quick steps:
1. Take the serial number you would like to use and add 2,147,483,647.

2. If the result is over 4,294,967,295, subtract 4,294,967,296. Otherwise, use 
the value from step 1.

3. Set the serial number on the master server to this value.

4. Send BIND a SIGHUP on the master server.

5. Verify that all slaves have transferred the new serial number.
dig @slave_name_server DNS_zone soa

6. Change the serial number on the master server to the value you would like to 
use.

7. Send BIND a SIGHUP on the master server.


More detail:

One of our administrators inadvertently added an extra digit to the serial number 
in one of our DNS zones. He meant to use "2002111801" as the serial number, but 
instead used "20021114801." This number is actually not a valid serial number, 
as serial numbers can only be 32-bit unsigned integers with a maximum value of 
4,294,967,295. BIND stores the inadvertent serial number as 2841245617 (the 
value modulo 4,294,967,296) to comply with the 32-bit limitation.
The first thing I'll check is to see if our slaves have the updated SOA record.
dig DNS_zone ns
For each of the DNS name server (NS) records returned, perform an SOA record 
query to see the zone's serial number.
dig @name_server DNS_zone soa
I can see that the slave servers have performed a zone transfer with the new 
(incorrect) serial number. The new value I want to use is 2002111802. The old 
value we are using is 2841245617. To get the new value, we take the old value 
and add 2,147,483,647. 
2841245617 + 2147483647 = 4988729264 
If the result is over 4,294,967,295 (the largest 32-bit value), you subtract 
4,294,967,296. Otherwise, use the value in the addition step above.
4988729264 - 4294967296 = 693761968
Set the serial number on the master server to this value (693761968) and send 
the named process a SIGHUP. BIND will send a DNS NOTIFY message to the slaves, 
informing them that the master zone data has changed. The slaves will then 
compare the master's serial number against their own copy of the zone data and, 
because the master's serial is "newer" under the wrap-around comparison, will 
perform a zone transfer.
Once the slaves complete the zone transfer of the new serial number (verify with 
dig @slave_name_server DNS_zone soa), change the serial number on the master and 
send a SIGHUP.
The slaves will perform a zone transfer using the correct serial number 
(2002111802).
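The arithmetic behind both the quick steps and the worked case above, as an added example that is not part of the original page: it applies the RFC 1982 "newer than" comparison slaves use, plans the hop(s) the master must publish, and checks which slaves still lag (step 5). It assumes 32-bit SOA serials and goes slightly beyond the page by also handling the case where the desired serial equals the current one.

```python
# Added example, not code from the original page: RFC 1982 "serial number
# arithmetic" behind the two-step reset. Assumes 32-bit SOA serials; the
# numbers in the usage block are the ones from the page.

MODULUS = 1 << 32        # 4,294,967,296: serials wrap here
HALF = 1 << 31           # 2,147,483,648: half the serial space
MAX_STEP = HALF - 1      # 2,147,483,647: largest jump slaves still accept


def is_newer(a: int, b: int) -> bool:
    """True if a slave holding serial b would treat serial a as newer.

    RFC 1982: a is greater than b iff (a - b) mod 2^32 lies strictly between
    0 and 2^31. A difference of exactly 2^31 is undefined in the RFC and is
    treated as "not newer" here, so the planner never relies on it.
    """
    diff = (a - b) % MODULUS
    return 0 < diff < HALF


def reset_plan(current: int, desired: int) -> list:
    """Serials to publish on the master, in order, so that every slave
    ends at `desired`. Each hop is the page's rule: add 2,147,483,647 and
    wrap at 2^32. Unlike the page, this also handles desired == current
    and the ambiguous 2^31 difference, which need a second hop."""
    for n in (current, desired):
        if not 0 <= n < MODULUS:
            raise ValueError(f"{n} is not a 32-bit serial")
    plan, serial = [], current
    while not is_newer(desired, serial):
        serial = (serial + MAX_STEP) % MODULUS
        plan.append(serial)
        if len(plan) > 2:    # two hops always suffice for 32-bit serials
            raise RuntimeError("no path to desired serial")
    plan.append(desired)
    return plan


def lagging_slaves(slave_serials: dict, expected: int) -> list:
    """Given {slave: serial} collected with `dig @slave zone soa`, return the
    slaves that have not yet transferred the expected serial (step 5)."""
    return [host for host, s in slave_serials.items() if s != expected]


if __name__ == "__main__":
    bogus = 20021114801 % MODULUS             # 2841245617, as BIND stored it
    print(reset_plan(bogus, 2002111802))      # [693761968, 2002111802]
    print(lagging_slaves({"ns1": 693761968, "ns2": 2841245617}, 693761968))
```

Publish each serial in the returned plan on the master, SIGHUP named, and wait until lagging_slaves() is empty before moving to the next one.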
Note: if you administer all the slave servers, you could remove the zone data 
from the slave servers, update the master's serial number, and send the master 
server's named process a SIGHUP.
For more information, see pages 152-153 of O'Reilly's DNS and BIND 4th Edition.
Last modified: 03/04/2003

    Source: geocities.com/hackermuda/exploits/bind