STOCKMANN AUTOMATISERING

tel. +31 (0)76 7370198
fax. +31 (0)76 5714785
email. info@stockit.nl
web. http://www.stockit.nl/





Secure DNS

Since the beginning of Internet the DNS (Domain Name Service) on the Linux/UNIX platform is implented through the use of the open source software package called BIND. BIND was written by the Internet Systems Consortium . In 1998 for the first time a security bug was reported, in wich a remote intruder could gain root-level access to the server which ran BIND 4.8 or 8. This severe security vulnerability was solved, however over time new problems kept showing up, until John Lasser from security focus wrote a article stating that the complete BIND implemenation would be better of if it were rewritten again "from scratch" or even more drastic, should be abandoned for use as critical DNS nameserver software :

"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

His biggest objection against the use of BIND was that it was vulnerable by default for DNS Cache poisoning attacks. I didn't and still don't agree with that remark and wrote him a email:



From stock@stokkie.net Fri Nov 22 07:17:41 2002 +0100
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: "Robert M. Stockmann" 
To: jon@lasser.org
Subject: simple bind 9.2.1 example
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:

Hi,

I just read your article

"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

Where you state the following :

"
If you're saddled with an old version, take heart. With the latest security
holes, the programs are vulnerable only when acting as recursive name
servers. In brief, this means that the holes only affect servers that can
look up any address on the Internet. Your name servers should not respond to
such requests from external addresses anyway: to do so opens the door to DNS
cache poisoning attacks. Your name servers should respond only to
authoritative requests from outside your network, and allow recursion only
within the network.

Sadly, most BIND configurations will allow recursion from any address --
that's the default configuration of BIND, another situation that the Internet
Software Consortium should resolve.

When the Internet was designed, nobody imagined swarms of thousands of
six-foot-tall jet-black stealth woodpeckers. Today they're here, and it's
time our architects took the woodpeckers into account.
"

Well allthough i agree with you, here's a example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure :

http://crashrecovery.org/named/

Your conclusion which states transitioning to bind 9 is painfull is IMHO
not true, but merely a matter of having accessable documentation with
usefull examples.

cheers,

Robert
-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org  stock@stokkie.net


From jon@leapfrog.baltimorons.org Fri Nov 22 15:40:19 2002
Return-Path: 
Delivered-To: stock@stokkie.net
Received: (qmail 4671 invoked from network); 22 Nov 2002 15:40:16 -0000
Received: from leapfrog.baltimorons.org 
 (?fc5qMAgN9hsoYb//m/bihz5waTgrnFjw?@216.181.177.189)
  by stock.xs4all.nl with SMTP; 22 Nov 2002 15:40:16 -0000
Received: (from jon@localhost)
	by leapfrog.baltimorons.org (8.11.6/8.11.6) id gAMFfnN24404
	for stock@stokkie.net; Fri, 22 Nov 2002 10:41:49 -0500
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: "J. Lasser" 
To: "Robert M. Stockmann" 
Subject: Re: simple bind 9.2.1 example
Message-ID: <20021122154148.GA24401@leapfrog.baltimorons.org>
References: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: 
User-Agent: Mutt/1.3.99i
X-AntiVirus: scanned for viruses by AMaViS 0.2.2 (http://amavis.org/)
Status: RO
X-Status:
X-Keywords:

In the wise words of Robert M. Stockmann:

> Your conclusion which states transitioning to bind 9 is painfull is IMHO
> not true, but merely a matter of having accessable documentation with
> usefull examples.

It's painful for ISPs, like the one I worked at with 10,000 zone
records. Each of which was broken.

It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.

Thanks for your note --- it's always good to hear from readers!
Jon
--
Jon Lasser
Home: jon@lasser.org		|    Work:jon@cluestickconsulting.com
http://www.tux.org/~lasser/     |    http://www.cluestickconsulting.com
   Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/


The conclusion was that BIND 9.2.1 is a tiresome configurable software product. However BIND is open source, and the DNS Cache poisoning problem was rather simple solved by me, by using a DNS configuration example, in which recursion was switched off inside the public accessable part of the nameserver, and recursion was enabled on the private accessable LAN side of the DNS server. As one should know, recursion is mandatory needed to be able to browse the Internet.

In the mean time the hosting market has been opened up to a great extend. Even people at home today can purchase a ADSL connection which includes a static ip-number. By combining a couple of these ADSL connections, its pretty straight forward to setup things like : Distributed DNS, Web and Database network over the Internet, in own management where DNS and HTTP are the most important applications.




OS support: RedHat, SuSE, Debian, Mandrake, SCO, Solaris HW support: Intel, AMD, Sun, IBM Network: Cisco, 3COM, Nortel