Secure DNS
Since the beginning of Internet the DNS (Domain Name Service) on the Linux/UNIX
platform is implented through the use of the open source software package called
BIND. BIND was written by the
Internet Systems Consortium . In 1998 for the
first time a security bug was reported, in wich a remote intruder could
gain root-level access to the server which ran BIND 4.8 or 8.
This severe security vulnerability was solved, however over time new problems
kept showing up, until John Lasser from security focus wrote a article stating
that the complete BIND implemenation would be better of if it were rewritten
again "from scratch" or even more drastic, should be abandoned for use as
critical DNS nameserver software :
"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html
His biggest objection against the use of BIND was that it was vulnerable by
default for DNS Cache poisoning attacks. I didn't and still don't agree with
that remark and wrote him a email:
From stock@stokkie.net Fri Nov 22 07:17:41 2002 +0100
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: "Robert M. Stockmann"
To: jon@lasser.org
Subject: simple bind 9.2.1 example
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
Hi,
I just read your article
"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html
Where you state the following :
"
If you're saddled with an old version, take heart. With the latest security
holes, the programs are vulnerable only when acting as recursive name
servers. In brief, this means that the holes only affect servers that can
look up any address on the Internet. Your name servers should not respond to
such requests from external addresses anyway: to do so opens the door to DNS
cache poisoning attacks. Your name servers should respond only to
authoritative requests from outside your network, and allow recursion only
within the network.
Sadly, most BIND configurations will allow recursion from any address --
that's the default configuration of BIND, another situation that the Internet
Software Consortium should resolve.
When the Internet was designed, nobody imagined swarms of thousands of
six-foot-tall jet-black stealth woodpeckers. Today they're here, and it's
time our architects took the woodpeckers into account.
"
Well allthough i agree with you, here's a example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure :
http://crashrecovery.org/named/
Your conclusion which states transitioning to bind 9 is painfull is IMHO
not true, but merely a matter of having accessable documentation with
usefull examples.
cheers,
Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org stock@stokkie.net
From jon@leapfrog.baltimorons.org Fri Nov 22 15:40:19 2002
Return-Path:
Delivered-To: stock@stokkie.net
Received: (qmail 4671 invoked from network); 22 Nov 2002 15:40:16 -0000
Received: from leapfrog.baltimorons.org
(?fc5qMAgN9hsoYb//m/bihz5waTgrnFjw?@216.181.177.189)
by stock.xs4all.nl with SMTP; 22 Nov 2002 15:40:16 -0000
Received: (from jon@localhost)
by leapfrog.baltimorons.org (8.11.6/8.11.6) id gAMFfnN24404
for stock@stokkie.net; Fri, 22 Nov 2002 10:41:49 -0500
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: "J. Lasser"
To: "Robert M. Stockmann"
Subject: Re: simple bind 9.2.1 example
Message-ID: <20021122154148.GA24401@leapfrog.baltimorons.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.99i
X-AntiVirus: scanned for viruses by AMaViS 0.2.2 (http://amavis.org/)
Status: RO
X-Status:
X-Keywords:
In the wise words of Robert M. Stockmann:
> Your conclusion which states transitioning to bind 9 is painfull is IMHO
> not true, but merely a matter of having accessable documentation with
> usefull examples.
It's painful for ISPs, like the one I worked at with 10,000 zone
records. Each of which was broken.
It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.
Thanks for your note --- it's always good to hear from readers!
Jon
--
Jon Lasser
Home: jon@lasser.org | Work:jon@cluestickconsulting.com
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
The conclusion was that BIND 9.2.1 is a tiresome configurable software
product. However BIND is open source, and the DNS Cache poisoning problem
was rather simple solved by me, by using a DNS configuration example,
in which recursion was switched off inside the public accessable part
of the nameserver, and recursion was enabled on the private
accessable LAN side of the DNS server. As one should know, recursion
is mandatory needed to be able to browse the Internet.
In the mean time the hosting market has been opened up to a great extend.
Even people at home today can purchase a ADSL connection which includes
a static ip-number. By combining a couple of these ADSL connections,
its pretty straight forward to setup things like : Distributed DNS, Web
and Database network over the Internet, in own management where DNS and HTTP
are the most important applications.
