Re: Securing bind..
[ The quoted email is dated last December... I hope nobody minds me ]
[ reviving the conversation. I'm catching up on a few mail groups. ]
>>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:
Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
>> On Sun, 30 Dec 2001, Russell Coker wrote:
>> > Also don't allow recursion from outside machines.
>>
>> Why does this help?
Russell> When someone sends a recursive query to your server then they know (with a
Russell> good degree of accuracy) what requests are going to be made by that server
Russell> and what responses will be expected. So you can send a recursive query for
Russell> www.microsoft.com, then send a dozen packets appearing to be responses from
Russell> the Microsoft DNS servers giving an IP address of one of your servers. While
Russell> you're at it you make sure that the false packets you sent had long TTL
Russell> entries so that they stay in the cache for a while. Then suddenly you have
Russell> all clients of that DNS server thinking that the MS servers are on your IP
Russell> addresses (with lots of potential for abuse).
{Internal network}----[firewall/gateway router]-+----{Internet}
|
+---[Nameserver]
The nameserver is configured to allow recursive queries only from
hosts coming from inside, through the firewall/gateway router (Linux
2.4 w/iptables). What if someone on the internal network trys to
poison the DNS like this? They could be a student on a school
network, a contract employee, a misbehaving full timer, or whatever.
To prevent that, you should have some sort of egress filtering on
the firewall router, to prevent DNS replies (spoofed) from being
sent out through the gateway.
That still does not prevent them from logging into an outside host
they own -- their home computer, a co-located machine someplace out
on the net -- and sending the spoofed responses from there.
My question is; is this scenario possible, and is there any way to
prevent it from occuring?
Russell> Recursive requests go to port 53 (getting a DNS client to even talk to
Russell> another port is difficult or impossible depending on the client).
Russell> iptables/ipchains blocks access to port 53 from untrusted IPs (IE everything
Russell> outside your LAN or dialup pool).
But then how will anyone on the network access your domain's primary
name server?
Russell> Bind will not be expecting any data other than replies to it's requests on
Russell> port 54 (the port that is open to the outside world) so even if you screw up
Russell> in your configuration of bind to not allow recursion from the outside world
Russell> you're still protected.
But it's an inside job. By an expert. How do I win the chess game
then?
Russell> Smart people NEVER rely on only one layer of protection if they can avoid it.
And they never rely solely on their OWN knowledge and experience.
--
mailto: (Karl M. Hegbloom) karlheg@microsharp.com
Free the Software http://www.debian.org/social_contract
http://www.microsharp.com
phone://USA/WA/360-260-2066
Reply to: