Vulnerable DNS servers, RFC

Brad Knowles brad at stop.mail-abuse.org
Tue Oct 25 09:12:30 UTC 2005


At 11:05 AM +0200 2005-10-25, Florian Weimer wrote:

>>  		1.  If you split the authoritative and recursive
>>  		functions onto separate machines, then you can make
>>  		the necessary network security settings so that
>>  		incoming packets that are not a reply to a recent
>>  		outgoing packet will be prevented from getting to the
>>  		recursive server.
>
>  This is also possible if the recursive and authoritative services run on
>  different IP addresses but are served by the same named process.

	They can't be served by the same process.  Each named process is 
going to listen to one or more IP addresses (according to your 
configuration), and is going to either act as a recursive-only 
server, an authoritative-only server, or as a combined 
recursive/authoritative server, according to the configuration.

	If you want to run two copies of BIND listening to different 
addresses, then you could have different configurations on them.  But 
you can't have one copy of BIND listening to multiple IP addresses 
with different configurations for each IP address.

>>  		2.  If the recursive and authoritative functions are
>>  		split onto separate machines, then if one should get
>>  		compromised, then the other should still be reasonably
>>  		secure.  If you've done your network security
>>  		correctly, there should be no trust relationship
>>  		between these machines,
>
>  But there is, and you can't avoid it.  The recursive resolver fetches
>  data from the authoritative server.

	There's a certain amount of trust relationship, yes.  But it's 
minimal, and doesn't require that you have the same accounts, the 
same user authentication database, etc.  Just because you've 
managed to hack the root password on one machine should not make the 
other machine any more vulnerable than it was before.

>>  	Right, but where would you get such unfiltered/untrusted content
>>  onto your authoritative-only server, unless you caused it to be
>>  loaded there?
>
>  Web-based DNS management with customer access, for example.  I believe
>  everyone filters out-of-zone records these days, but it's hard to be
>  sure.

	That's a data management issue, and one you're responsible for 
resolving.  There's nothing that BIND can do to help you with this 
problem.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
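The out-of-zone filtering mentioned above is a data-management check that belongs in the provisioning front end, not in BIND. The following is an added example (not from this thread or from BIND) of such a check: it normalises a customer-submitted owner name the way a zone file's $ORIGIN would, compares it against the zone apex on label boundaries, and restricts the record types a customer may load. The zone and record names are constructed sample values.

```python
import re

# One DNS label: 1-63 chars, letters/digits/hyphen/underscore, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

# Types a customer is allowed to add; apex-controlling types (SOA, NS, DNSKEY) stay with the operator.
CUSTOMER_RTYPES = frozenset({"A", "AAAA", "CNAME", "MX", "TXT", "SRV"})


def _apex(zone: str) -> str:
    """Lower-cased zone apex with exactly one trailing dot."""
    return zone.strip().lower().rstrip(".") + "."


def normalize(name: str, zone: str) -> str:
    """Return a fully-qualified, lower-cased owner name.

    A name without a trailing dot is relative and gets the zone appended,
    exactly as a zone file treats it relative to $ORIGIN.  '@' or '' is the apex.
    """
    name = name.strip().lower()
    zone = _apex(zone)
    if name in ("", "@"):
        return zone
    if not name.endswith("."):
        name = name + "." + zone
    return name


def is_in_zone(owner: str, zone: str) -> bool:
    """True only for the apex or a name strictly below it, matched on label boundaries."""
    owner = normalize(owner, zone)
    zone = _apex(zone)
    # 'www.example.com.' ends with '.example.com.'; 'example.com.evil.net.' and
    # 'notexample.com.' do not, so both are correctly rejected.
    return owner == zone or owner.endswith("." + zone)


def validate_record(owner: str, rtype: str, zone: str):
    """Decide whether a customer-submitted record may be loaded into the zone.

    Returns (True, fully_qualified_owner) or (False, reason).
    """
    fq = normalize(owner, zone)
    labels = fq.rstrip(".").split(".")
    if len(fq) > 254 or not all(_LABEL_RE.match(label) for label in labels):
        return False, "malformed owner name"
    if not is_in_zone(fq, zone):
        return False, "out-of-zone owner name"
    if rtype.upper() not in CUSTOMER_RTYPES:
        return False, "record type not permitted for customers"
    return True, fq
```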


