Separation of authoritative and recursive functions
Kevin Darcy
kcd at daimlerchrysler.com
Thu Jul 7 21:28:15 UTC 2005
Brad Knowles wrote:
>At 9:08 PM -0400 2005-07-05, Kevin Darcy wrote:
>
>> As for the relative merits of separating the functions by view,
>> listen-address or physical server(s) (irrespective of the
>> one-program-or-two issue), opinions differ widely on that, and each
>> admin/architect needs to decide for himself/herself, based on their
>> specific security/availability/performance requirements,
>> fiscal/facility/address-space constraints, support infrastructure, etc.
>
> One advantage to using separate machines, or at least separate
>instances of BIND, is that if there is a leak inside the code, you
>could potentially wind up with a situation where one view is somehow
>poisoned by data from another view. Separate instances of BIND or
>separate machines will guarantee that doesn't happen.
>
With all due respect, that's kind of a FUD argument, isn't it? I mean,
has there ever been a serious "view leakage" problem with BIND 9? If
there was, I certainly don't remember it. Sounds like you're describing
a purely theoretical possibility.

In any case, if "view leakage" is the specific vulnerability to be
protected against, one can always go the "middle road" and run separate
nameserver instances on separate interfaces of the same box(es). That's
still less drastic than devoting different boxes or sets of boxes to the
different functions.

Let's not forget that installing, configuring and maintaining separate
boxes brings with it its own set of security challenges: that's more
boxes to keep patched up to date, more boxes to write firewall rules
for, more complexity on one's network, etc. Simply put: more chances to
screw something up and create a vulnerability. Aren't most
vulnerabilities caused by misconfigurations as opposed to bad code?

I still say there is no one simple answer that works for all
organizations. There are a number of factors that need to be considered
and traded off from one another. In our case, for instance, we have
multiple levels of security, so even in the worst case if someone were
to break into one of our Internet-facing nameservers, they still
wouldn't be able to access any of our internal DNS information. Sure,
they'd be able to DoS us, vandalize/corrupt our zone data, give false
answers to our lookups, etc., which is certainly bad, but at least our
internal data is hidden from their sight, so that's one less thing we
need to protect against, except in the general ways that we protect
against *all* forms of unauthorized access to our resources. Given this,
I have no problem running authoritative-nameserver and
iterative-resolver functions as separate views within the same
nameserver instances on those boxes.

- Kevin
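The view-based split Kevin describes (authoritative and recursive functions as separate views in one named instance, each tied to its own listen address), as an added BIND 9 named.conf example that is not part of the original thread. The addresses, ACL name and zone names are placeholders, and the fragment assumes the zone files exist in the named directory.

```conf
// Added example, not from the original message. Assumed placeholders:
// 192.0.2.53 = Internet-facing address, 10.0.0.53 = internal address,
// example.com / internal.example.com = the zones being served.

acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 192.0.2.53; 10.0.0.53; };
    // Safe global defaults: no recursion and no cache access unless a
    // view explicitly turns them on.
    recursion no;
    allow-query-cache { none; };
};

// Resolver view: matched only for internal clients arriving on the
// internal address, so an external query can never select it.
view "resolver" {
    match-clients { internal; };
    match-destinations { 10.0.0.53; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    // Root hints are needed inside the view for iterative resolution.
    zone "." { type hint; file "named.root"; };
    // Internal-only data lives here and is never visible to the
    // authoritative view below.
    zone "internal.example.com" {
        type master;
        file "internal.example.com.db";
    };
};

// Authoritative view: public zones only, no recursion and no cache,
// so there is nothing for a spoofed answer to poison.
view "authoritative" {
    match-clients { any; };
    match-destinations { 192.0.2.53; };
    recursion no;
    allow-query-cache { none; };
    zone "example.com" {
        type master;
        file "example.com.db";
        allow-transfer { none; };
    };
};
```

The "middle road" from the message (two named instances on separate interfaces) is the same split with each view's settings moved into its own named.conf, each using a single listen-on address.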