Re: Securing bind..

To: karlheg@microsharp.com (Karl M. Hegbloom)
Cc: debian-user@lists.debian.org, debian-isp@lists.debian.org
Subject: Re: Securing bind..
From: Russell Coker <russell@coker.com.au>
Date: Wed, 6 Mar 2002 20:21:37 +0100
Message-id: <[🔎] 20020306192138.33A2B1EEA2@lyta.coker.com.au>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 87y9h5h8s6.fsf@juniper.intra.microsharp.com>
References: <Pine.LNX.3.96.1011230091206.4175A-100000@trillian> <20011230213950.7484D3762A6@lyta.coker.com.au> <[🔎] 87y9h5h8s6.fsf@juniper.intra.microsharp.com>

On Wed, 6 Mar 2002 19:04, Karl M. Hegbloom wrote:
>  [ The quoted email is dated last December... I hope nobody minds me ]
>  [ reviving the conversation.  I'm catching up on a few mail groups. ]

OK, but I've trimmed the CC list.

> >>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:
>
>     Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
>     >> On Sun, 30 Dec 2001, Russell Coker wrote:
>     >> > Also don't allow recursion from outside machines.
>     >>
>     >> Why does this help?

[snip my description of the classic cache poisoning attack]

>  {Internal network}----[firewall/gateway router]-+----{Internet}
>
>                                                  +---[Nameserver]
>
>   The nameserver is configured to allow recursive queries only from
>   hosts coming from inside, through the firewall/gateway router (Linux
>   2.4 w/iptables).  What if someone on the internal network trys to
>   poison the DNS like this?  They could be a student on a school
>   network, a contract employee, a misbehaving full timer, or whatever.

That is a problem.  Also there's a problem if they send you email and doing a 
reverse lookup of the origin IP address, resolving the header address as part 
of spam filtering, or looking up the MX record for a bounce results in a DNS 
query to a poisoning server.

>   To prevent that, you should have some sort of egress filtering on
>   the firewall router, to prevent DNS replies (spoofed) from being
>   sent out through the gateway.
>
>   That still does not prevent them from logging into an outside host
>   they own -- their home computer, a co-located machine someplace out
>   on the net -- and sending the spoofed responses from there.

That's right.

>   My question is; is this scenario possible, and is there any way to
>   prevent it from occuring?

Get your name server to only accept replies to your exact queries and no 
extra data.

I'm not sure which DNS servers support this.

>     Russell> iptables/ipchains blocks access to port 53 from untrusted IPs
> (IE everything Russell> outside your LAN or dialup pool).
>
>  But then how will anyone on the network access your domain's primary
>  name server?

Have a different instance of your name server process for primary zones than 
the one used for caching.  That's standard policy on most large installations 
anyway, for performance if for nothing else.

>  But it's an inside job.  By an expert.  How do I win the chess game
>  then?

Get a better name server that doesn'thave this flaw.

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

Reply to:

References:
- Re: Securing bind..
  - From: karlheg@microsharp.com (Karl M. Hegbloom)

Prev by Date: Re: qmail postmanster passwd
Next by Date: I fucked up apt-get
Previous by thread: Re: Securing bind..
Next by thread: Re: Securing bind..
Index(es):
- Date
- Thread