Vulnerable DNS servers, RFC

Brad Knowles brad at stop.mail-abuse.org
Tue Oct 25 09:08:20 UTC 2005


At 10:47 AM +0200 2005-10-25, schnitzel meister wrote:

>  I don't understand how disabling recursion would help.
>  Is bind trusting something it shouldn't?

	No.  Let me explain.


	An authoritative-only server is only going to provide the 
information that you explicitly configure it to provide, through the 
/etc/named.conf file (or wherever yours is located) plus the 
associated zone files.  The only way you could hand out bogus data 
would be if the machine itself were compromised and someone logged in 
and changed the files, or if you're a secondary for some zone and the 
primary has been hacked.

	But when you enable recursion, you have to trust a certain amount 
of data from external sources, and you can never be 100% certain that 
the data you're trusting won't actually cause some sort of damage.

	With a recursive server, you just have to accept that 
possibility, but you can at least isolate the recursive server so 
that no one from the outside world can send unprompted packets to it, 
and you force attackers to work in a more indirect way.  Assuming 
you're running the most recent code, all known indirect 
vulnerabilities should be closed, and there should be relatively few 
unknown indirect vulnerabilities, and because the code has been 
thrashed about so much on so many different machines, whatever unknown 
indirect vulnerabilities do exist should be relatively rare 
occurrences.


	But when you combine recursive and authoritative services on the 
same machine, you can't protect the recursive server by hiding it 
behind a firewall and preventing unprompted packets from being sent 
to it, because you would interfere with the authoritative function.

	Now your combined recursive/authoritative server is much more 
vulnerable, and there is the possibility that they might find a 
weakness that allows them to send you bogus data that is trusted by 
the recursive function and put into the database, but now that 
database is shared with the authoritative function, and you might 
very well be tricked into handing out bogus data for any queries 
asked about your own domains.


	Think of it like the turnstiles at a subway station.  So long as 
they only have to go one direction, everything operates reasonably 
well, and the turnstiles can prevent many forms of abuse.

	But try to configure the turnstiles so that they have to support 
going both directions, and you've got a real problem.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
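The split described in the message above, as an added example that is not part of the original post or of BIND's own documentation: one named.conf for an authoritative-only server that hands out configured data and nothing else, one for an internal resolver that is the only thing allowed to recurse, and a check that reads dig's "ra" (recursion available) flag to confirm from the outside which server is which. The addresses 192.0.2.53, 192.0.2.54 and 10.0.0.53, the zone example.com, and the sample dig output are assumptions made up for the example; the configuration directives are standard BIND 9 options.

```shell
#!/bin/sh
# Added example (not from the original message): split authoritative and
# recursive BIND 9 service onto two configurations, then verify the split
# by looking at the "ra" flag in dig's answer.
# Assumed values: 192.0.2.53 is the public authoritative address,
# 192.0.2.54 its secondary, 10.0.0.53 the internal resolver, and
# example.com the zone being served.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Authoritative-only server: answers only for the zones it is configured
# to carry and never looks anything up on a client's behalf.
write_auth_conf() {
    cat > "$OUTDIR/named.auth.conf" <<'EOF'
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion no;                  # hand out configured data only
    allow-query { any; };          # the whole world may ask about our zones
    allow-transfer { none; };      # transfers only where a zone allows them
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.54; };
};
EOF
}

# Recursive-only server: listens on an internal address and accepts
# queries from local networks only, so the firewall can drop every
# unprompted packet from the outside without breaking anything.
write_resolver_conf() {
    cat > "$OUTDIR/named.resolver.conf" <<'EOF'
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion yes;
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };
};
EOF
}

# advertises_recursion DIG_OUTPUT
# Returns 0 if the server set the "ra" flag in its reply, 1 otherwise.
# The flags line dig prints looks like:
#   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
advertises_recursion() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ra "*) return 0 ;;
    esac
    return 1
}

# Constructed sample answers (not captured from real servers): what the
# authoritative server and the resolver should say for the same query.
AUTH_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
RESOLVER_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

write_auth_conf
write_resolver_conf
echo "configs written to $OUTDIR"

if advertises_recursion "$AUTH_SAMPLE"; then
    echo "authoritative server still advertises recursion: fix the config"
else
    echo "authoritative server does not advertise recursion"
fi
if advertises_recursion "$RESOLVER_SAMPLE"; then
    echo "resolver advertises recursion, as intended"
fi

# Against live servers, feed real dig output to the same function, e.g.:
#   advertises_recursion "$(dig @192.0.2.53 www.example.com A)"
#   advertises_recursion "$(dig @10.0.0.53 www.example.com A)"
```

Run the two `dig` commands from outside the firewall as well as inside: the authoritative address should answer for example.com without "ra" and refuse names it does not carry, and the resolver address should not answer from outside at all.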


