
Re: Securing bind..



 [ The quoted email is dated last December... I hope nobody minds me ]
 [ reviving the conversation.  I'm catching up on a few mail groups. ]

>>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:

    Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
    >> On Sun, 30 Dec 2001, Russell Coker wrote:
    >> > Also don't allow recursion from outside machines.
    >> 
    >> Why does this help?

    Russell> When someone sends a recursive query to your server then they know (with a 
    Russell> good degree of accuracy) what requests are going to be made by that server 
    Russell> and what responses will be expected.  So you can send a recursive query for 
    Russell> www.microsoft.com, then send a dozen packets appearing to be responses from 
    Russell> the Microsoft DNS servers giving an IP address of one of your servers.  While 
    Russell> you're at it you make sure that the false packets you sent had long TTL 
    Russell> entries so that they stay in the cache for a while.  Then suddenly you have 
    Russell> all clients of that DNS server thinking that the MS servers are on your IP 
    Russell> addresses (with lots of potential for abuse).

 {Internal network}----[firewall/gateway router]-+----{Internet}
                                                 |
                                                 +---[Nameserver]

  The nameserver is configured to allow recursive queries only from
  hosts coming from inside, through the firewall/gateway router (Linux
  2.4 w/iptables).  What if someone on the internal network tries to
  poison the DNS like this?  They could be a student on a school
  network, a contract employee, a misbehaving full timer, or whatever.

  To prevent that, you should have some sort of egress filtering on
  the firewall router, to prevent DNS replies (spoofed) from being
  sent out through the gateway.

  That still does not prevent them from logging into an outside host
  they own -- their home computer, a co-located machine someplace out
  on the net -- and sending the spoofed responses from there.

  My question is; is this scenario possible, and is there any way to
  prevent it from occurring?

    Russell> Recursive requests go to port 53 (getting a DNS client to even talk to 
    Russell> another port is difficult or impossible depending on the client).

    Russell> iptables/ipchains blocks access to port 53 from untrusted IPs (i.e. everything 
    Russell> outside your LAN or dialup pool).

 But then how will anyone on the network access your domain's primary
 name server?

    Russell> Bind will not be expecting any data other than replies to its requests on 
    Russell> port 54 (the port that is open to the outside world) so even if you screw up 
    Russell> in your configuration of bind to not allow recursion from the outside world 
    Russell> you're still protected.

 But it's an inside job.  By an expert.  How do I win the chess game
 then?

    Russell> Smart people NEVER rely on only one layer of protection if they can avoid it.

 And they never rely solely on their OWN knowledge and experience.

-- 
mailto: (Karl M. Hegbloom) karlheg@microsharp.com
Free the Software  http://www.debian.org/social_contract
http://www.microsharp.com
phone://USA/WA/360-260-2066
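The three controls the thread works through (the recursion ACL on the nameserver, egress filtering of DNS replies at the gateway, and the resolver accepting only replies that match a query it actually sent) modelled in one place, as an added example. This is not code from the thread or from BIND; the network layout follows the ASCII diagram above, and every address, port, name and the packet layout are constructed for illustration. Nothing here touches a socket.

```python
"""Layered DNS controls from the 'Securing bind' thread, as a model.

Constructed example: addresses are from the documentation ranges, the
packet structure is a simplification of a real DNS/UDP datagram.
  1. allow-recursion ACL: recursion only for internal hosts.
  2. Gateway egress filter: a DNS reply (UDP source port 53, QR=1) may leave
     the internal network only from the nameserver's own address.
  3. Resolver matching: a reply is cached only if transaction ID, destination
     port, source address and question all match an outstanding query.  This
     is the layer that still applies when spoofed replies arrive from outside.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed topology: internal net behind the gateway, nameserver on its own leg.
INTERNAL_NETS = [ip_network("192.168.0.0/16")]
NAMESERVER_IP = ip_address("203.0.113.53")
DNS_PORT = 53


@dataclass(frozen=True)
class DnsPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int
    qname: str
    is_response: bool            # the QR bit of the DNS header
    answer: Optional[str] = None


def recursion_allowed(client_ip: str) -> bool:
    """Layer 1: the equivalent of 'allow-recursion { internal; };'."""
    ip = ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def egress_permits(pkt: DnsPacket) -> bool:
    """Layer 2: outbound rule on the gateway.

    Packets from the internal network that are shaped like DNS replies are
    dropped unless they come from the nameserver itself, so an inside host
    cannot push spoofed replies out through the gateway.
    """
    src = ip_address(pkt.src_ip)
    if not any(src in net for net in INTERNAL_NETS):
        return True                     # rule only inspects internal sources
    if pkt.src_port == DNS_PORT and pkt.is_response and src != NAMESERVER_IP:
        return False
    return True


@dataclass
class Resolver:
    """Layer 3: caches a reply only when it matches a query this resolver sent."""
    # (txid, our source port) -> (upstream server ip, qname)
    pending: Dict[Tuple[int, int], Tuple[str, str]] = field(default_factory=dict)
    cache: Dict[str, str] = field(default_factory=dict)
    unsolicited: int = 0                # replies matching nothing: worth logging

    def send_query(self, txid: int, src_port: int, upstream_ip: str, qname: str) -> None:
        self.pending[(txid, src_port)] = (upstream_ip, qname)

    def accept_reply(self, pkt: DnsPacket) -> bool:
        expected = self.pending.get((pkt.txid, pkt.dst_port))
        if (expected is None or not pkt.is_response or pkt.src_port != DNS_PORT
                or pkt.src_ip != expected[0] or pkt.qname != expected[1]):
            self.unsolicited += 1
            return False
        del self.pending[(pkt.txid, pkt.dst_port)]
        self.cache[pkt.qname] = pkt.answer
        return True


def demo() -> dict:
    """Run the thread's scenarios through the three layers and report results."""
    results = {}
    results["inside_recursion"] = recursion_allowed("192.168.1.20")
    results["outside_recursion"] = recursion_allowed("198.51.100.7")

    # An internal host emitting something shaped like a DNS reply is stopped at the gateway.
    inside_reply = DnsPacket("192.168.1.20", 53, str(NAMESERVER_IP), 4096,
                             0x1234, "www.example.com", True, "192.168.1.20")
    results["egress_blocks_inside_spoof"] = not egress_permits(inside_reply)

    # The nameserver asks the legitimate upstream; only the matching reply is cached.
    r = Resolver()
    r.send_query(0x1234, 4096, "198.51.100.53", "www.example.com")
    stray = DnsPacket("198.51.100.7", 53, str(NAMESERVER_IP), 4096,
                      0x1235, "www.example.com", True, "198.51.100.7")
    results["unmatched_discarded"] = not r.accept_reply(stray)
    genuine = DnsPacket("198.51.100.53", 53, str(NAMESERVER_IP), 4096,
                        0x1234, "www.example.com", True, "192.0.2.10")
    results["genuine_cached"] = (r.accept_reply(genuine)
                                 and r.cache["www.example.com"] == "192.0.2.10")
    results["unsolicited_count"] = r.unsolicited
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unsolicited` counter is the operational hook: a burst of replies that match no outstanding query is the signal a poisoning attempt leaves behind, whichever side of the gateway it comes from, and is the thing to alert on when the egress filter alone cannot help.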
