[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing bind..

On Wed, 6 Mar 2002 19:04, Karl M. Hegbloom wrote:
>  [ The quoted email is dated last December... I hope nobody minds me ]
>  [ reviving the conversation.  I'm catching up on a few mail groups. ]

OK, but I've trimmed the CC list.

> >>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:
>     Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
>     >> On Sun, 30 Dec 2001, Russell Coker wrote:
>     >> > Also don't allow recursion from outside machines.
>     >>
>     >> Why does this help?

[snip my description of the classic cache poisoning attack]

>  {Internal network}----[firewall/gateway router]-+----{Internet}
>                                                  +---[Nameserver]
>   The nameserver is configured to allow recursive queries only from
>   hosts coming from inside, through the firewall/gateway router (Linux
>   2.4 w/iptables).  What if someone on the internal network trys to
>   poison the DNS like this?  They could be a student on a school
>   network, a contract employee, a misbehaving full timer, or whatever.

That is a problem.  Also there's a problem if they send you email and doing a 
reverse lookup of the origin IP address, resolving the header address as part 
of spam filtering, or looking up the MX record for a bounce results in a DNS 
query to a poisoning server.

>   To prevent that, you should have some sort of egress filtering on
>   the firewall router, to prevent DNS replies (spoofed) from being
>   sent out through the gateway.
>   That still does not prevent them from logging into an outside host
>   they own -- their home computer, a co-located machine someplace out
>   on the net -- and sending the spoofed responses from there.

That's right.

>   My question is; is this scenario possible, and is there any way to
>   prevent it from occuring?

Get your name server to only accept replies to your exact queries and no 
extra data.

I'm not sure which DNS servers support this.

>     Russell> iptables/ipchains blocks access to port 53 from untrusted IPs
> (IE everything Russell> outside your LAN or dialup pool).
>  But then how will anyone on the network access your domain's primary
>  name server?

Have a different instance of your name server process for primary zones than 
the one used for caching.  That's standard policy on most large installations 
anyway, for performance if for nothing else.

>  But it's an inside job.  By an expert.  How do I win the chess game
>  then?

Get a better name server that doesn'thave this flaw.

If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

Reply to: