Re: Securing bind..
On Wed, 6 Mar 2002 19:04, Karl M. Hegbloom wrote:
> [ The quoted email is dated last December... I hope nobody minds me ]
> [ reviving the conversation. I'm catching up on a few mail groups. ]
OK, but I've trimmed the CC list.
> >>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:
>
> Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
> >> On Sun, 30 Dec 2001, Russell Coker wrote:
> >> > Also don't allow recursion from outside machines.
> >>
> >> Why does this help?
[snip my description of the classic cache poisoning attack]
> {Internal network}----[firewall/gateway router]-+----{Internet}
>                                                 |
>                                                 +---[Nameserver]
>
> The nameserver is configured to allow recursive queries only from
> hosts coming from inside, through the firewall/gateway router (Linux
> 2.4 w/iptables). What if someone on the internal network tries to
> poison the DNS like this? They could be a student on a school
> network, a contract employee, a misbehaving full timer, or whatever.
That is a problem. Also there's a problem if they send you email and a
reverse lookup of the origin IP address, resolving the header address as part
of spam filtering, or looking up the MX record for a bounce results in a DNS
query to a poisoning server.
> To prevent that, you should have some sort of egress filtering on
> the firewall router, to prevent DNS replies (spoofed) from being
> sent out through the gateway.
>
> That still does not prevent them from logging into an outside host
> they own -- their home computer, a co-located machine someplace out
> on the net -- and sending the spoofed responses from there.
That's right.
> My question is; is this scenario possible, and is there any way to
> prevent it from occurring?
Get your name server to only accept replies to your exact queries and no
extra data.
I'm not sure which DNS servers support this.
> Russell> iptables/ipchains blocks access to port 53 from untrusted IPs
> Russell> (IE everything outside your LAN or dialup pool).
>
> But then how will anyone on the network access your domain's primary
> name server?
Have a different instance of your name server process for primary zones than
the one used for caching. That's standard policy on most large installations
anyway, for performance if for nothing else.
> But it's an inside job. By an expert. How do I win the chess game
> then?
Get a better name server that doesn't have this flaw.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
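The two pieces of configuration advice in the exchange above (only let inside hosts use the cache for recursion, and run the primary zones in a separate name server process from the cache) sketched as BIND 9 named.conf fragments. This is an added example, not configuration from any message in the thread or from the BIND project; the addresses, ACL names, file paths and the zone name are assumptions.

```conf
// Added example (not from the thread): two separate BIND 9 instances.
// Addresses, ACL names, paths and the zone name are assumptions.

// ---- Instance 1: caching resolver for inside hosts only (e.g. /etc/named-cache.conf) ----
acl "inside" {
    127.0.0.1;
    192.168.0.0/16;               // assumed internal network range
};

options {
    directory "/var/cache/bind-cache";
    listen-on { 192.168.1.1; };   // inside-facing address only (assumed)
    recursion yes;
    // Weak setting the thread warns against: anyone may ask this server to recurse.
    //   allow-recursion { any; };
    // Restricted: only inside hosts may recurse through, or even query, this instance.
    allow-recursion { inside; };
    allow-query     { inside; };
    // This instance serves no zones of its own, so outside hosts have no reason
    // to reach it; the firewall can drop port 53 to this address from untrusted IPs.
};

// ---- Instance 2: authoritative only (e.g. /etc/named-auth.conf), started with named -c ----
acl "secondaries" { 203.0.113.2; };   // assumed secondary server address

options {
    directory "/var/cache/bind-auth";
    listen-on { 203.0.113.1; };   // public address (assumed)
    recursion no;                 // never recurses, so it never caches answers from outside
    allow-query { any; };         // the world must be able to resolve the zones it serves
    allow-transfer { secondaries; };
};

zone "example.com" {              // assumed zone
    type master;
    file "example.com.zone";
};
```

Each instance is started with its own config file (`named -c /etc/named-cache.conf`, `named -c /etc/named-auth.conf`) and binds a different address via `listen-on`, so both can use port 53 on the same box. The firewall rule from the thread (block port 53 from untrusted IPs) then applies only to the cache's inside address, while the authoritative instance stays reachable but has nothing to poison because it holds no cache.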