Re: Securing bind..

To: jorel@austin.rr.com, Jor-el <jorel@trillian.megadodo.umb>, debian-security@lists.debian.org
Cc: debian-user@lists.debian.org, debian-isp@lists.debian.org
Subject: Re: Securing bind..
From: Russell Coker <russell@coker.com.au>
Date: Sun, 30 Dec 2001 22:39:50 +0100
Message-id: <[🔎] 20011230213950.7484D3762A6@lyta.coker.com.au>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] Pine.LNX.3.96.1011230091206.4175A-100000@trillian>
References: <[🔎] Pine.LNX.3.96.1011230091206.4175A-100000@trillian>

On Sun, 30 Dec 2001 16:17, Jor-el wrote:
> On Sun, 30 Dec 2001, Russell Coker wrote:
> > Also don't allow recursion from outside machines.
>
> Why does this help?

When someone sends a recursive query to your server then they know (with a 
good degree of accuracy) what requests are going to be made by that server 
and what responses will be expected.  So you can send a recursive query for 
www.microsoft.com, then send a dozen packets appearing to be responses from 
the Microsoft DNS servers giving an IP address of one of your servers.  While 
you're at it you make sure that the false packets you sent had long TTL 
entries so that they stay in the cache for a while.  Then suddenly you have 
all clients of that DNS server thinking that the MS servers are on your IP 
addresses (with lots of potential for abuse).

Another issue is that if at some future time a bug is discovered in bind that 
results in a security hole when doing recursion then you want to only be 
vulnerable to your own network (who you can hunt down if they abuse it) 
rather than the rest of the world.

> > Another possibility is to have the port for outgoing connections be
> > something other than 53 (54 seems unused) and use iptables or ipchains to
> > block data from the outside world coming to port 53.
>
> 	Security through obscurity? Quite frankly, I find this strategy

Please read my messages carefully before flaming me.

DNS cache machine sents out requests from source port 54 (not obscure - every 
administrator of every DNS server on the net can easily discover this).

Recursive requests go to port 53 (getting a DNS client to even talk to 
another port is difficult or impossible depending on the client).

iptables/ipchains blocks access to port 53 from untrusted IPs (IE everything 
outside your LAN or dialup pool).

Bind will not be expecting any data other than replies to it's requests on 
port 54 (the port that is open to the outside world) so even if you screw up 
in your configuration of bind to not allow recursion from the outside world 
you're still protected.

Smart people NEVER rely on only one layer of protection if they can avoid it.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

Reply to:

Follow-Ups:
- Re: Securing bind..
  - From: Jor-el <jorel@trillian.megadodo.umb>
- Re: Securing bind..
  - From: Thomas Seyrat <thomas@glou.net>

References:
- Re: Securing bind..
  - From: Jor-el <jorel@trillian.megadodo.umb>

Prev by Date: Re: Securing bind..
Next by Date: Re: Securing bind..
Previous by thread: Re: Securing bind..
Next by thread: Re: Securing bind..
Index(es):
- Date
- Thread