Recent ISS Security Announcement

Joseph S D Yao jsdy at center.osis.gov
Mon Nov 18 06:28:53 UTC 2002


On Sat, Nov 16, 2002 at 05:25:25PM -0500, Michael H. Warfield wrote:
...
> 	Here there be dragons...
> 
> 	What if someone sends you an E-Mail message that prompts a
> DNS lookup to the hostile nameserver.  How about a URL?  You have to
> trust ALL of your local clients to NEVER (not even in one of those
> transparent, under-the-hood type, checks that you don't even know about)
> be tricked into requesting a bad RR record.
> 
> 	This is not a road to be walked down.  It's quibbling on when
> and how you will get screwed when, in fact, you are going to get screwed.
> Fact is that, even if you control all the requesting clients, you don't
> control all the paths which may trigger a request from all the clients.
> There are just too many variables and paths.

You know, in my mind, all of this goes without saying; but, regrettably,
you are right in that it does NOT go without saying.  I should not have
just answered the question.

"Hard and crunchy on the outside, soft and chewy on the inside" just
changes where you can get bitten.  Better to not even let managers
suspect that there might be a difference, or they will insist on
trusting the inside and letting things slide.  Or, if you actually have
a manager that LISTENS, you can let them do proper risk management by
augmenting the technical points with the additional points about how
easy it would be to socially or technically engineer an attack from
within.

In any case, it's easy enough to install BIND 9 [I only had to
re-install three times due to vagaries in the compile process].  [Yes,
I should pass those back to improve the process for upcoming versions.]

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.