Firewalling DNS

Jim Reid jim at rfc1035.com
Tue Jul 11 17:27:49 UTC 2000


>>>>> "Jody" == Jody Lakin <jody at NOSPAM.finds.org> writes:

    Jody> Hi, we control a primary DNS which hosts a number of domains
    Jody> with our ISP as secondary. As DNS is so hackable, we thought
    Jody> we could just block DNS to our server apart from our ISP. Is
    Jody> this generally acceptable, or do we need to allow the whole
    Jody> world to our DNS? Any assistance greatly appreciated...

First of all, please put real email addresses in your questions to
this list, not something that's unreplyable. Adding garbage like
NOSPAM to the email address achieves nothing except make it difficult
for people to reply to you. It doesn't stop spam or spammers. See
http://www.mail-abuse.org for advice on how to effectively combat
spam.

If by "DNS is so hackable" you mean it has security
vulnerabilities, think again. There are no known weaknesses in the
current version of BIND, 8.2.2P5. For more details, take a look at the
ISC's web site: http://www.isc.org. Maybe there are security holes in
other DNS implementations, so ask their authors about that. This list
is BIND-users after all. Watch out for announcements on Bugtraq or
CERT advisories about security holes. You should be doing that for all
your software anyway. And even if new vulnerabilities emerge, you can
be sure a patch for BIND will be provided quickly. There are also some
hooks in BIND to minimise the impact of a security hole: running the
name server as an unprivileged user in a chroot()ed environment. Use
them if you're paranoid.

The next misunderstanding is contemplating blocking access to your
name server. Think about this for a moment. Why would anything want to
talk to your name server? Well, legitimate users will probably need to
look up your domains on that name server. Blocking DNS traffic stops
them from looking up those names. If they can't look them up, the rest
of the world can't get to your web site or deliver mail to your mail
server, etc, etc. Is that what you *really* want? And yes, you do need
to let the whole world look up names on your server unless you can be
certain what parts of the Internet will ever contact you. There are
ways of preventing other people from seeing a private, internal name
space (split DNS) or letting your server resolve other people's
queries, but I don't think they necessarily apply here.
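
An added example, not code from Jim's reply or from ISC: a BIND 9-style named.conf sketch of the approach the reply points to, letting the whole Internet query the zones you host while keeping recursion and a private name space (split DNS) for internal clients only. Views require BIND 9 (they did not exist in BIND 8); the address ranges, zone name and file paths are assumed placeholders.

```conf
// Added example, not from the original post. Start named as an unprivileged
// user inside a chroot, the "hooks" the reply mentions (both flags exist in
// BIND 8 and 9; user name and directory are assumed):
//     named -u named -t /var/named/chroot

acl "internal"    { 192.0.2.0/24; 127.0.0.1; };  // assumed: your own networks
acl "secondaries" { 198.51.100.53; };            // assumed: the ISP's secondary

options {
    directory "/var/named";            // relative to the chroot when -t is used
    allow-query    { any; };           // the whole world may look up hosted zones
    allow-transfer { secondaries; };   // but only the ISP may pull zone transfers
    recursion no;                      // do not resolve other people's queries
};

// Internal clients see the private name space and may use us as a resolver.
view "inside" {
    match-clients   { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // includes private hosts
    };
};

// Everyone else gets the public zone data and no recursion.
view "outside" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public hosts only
    };
};
```

The firewall in front of this server still has to pass UDP and TCP port 53 from anywhere; the access control happens in named, not by blocking the world.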
