Vulnerable DNS servers, RFC

Thomas Schulz schulz at adi.com
Tue Oct 25 16:04:19 UTC 2005 

In article <djkuf5$bl$1 at sf1.isc.org>,
Brad Knowles  <brad at stop.mail-abuse.org> wrote:
>At 11:05 AM +0200 2005-10-25, Florian Weimer wrote:
>
>>>  		1.  If you split the authoritative and recursive
>>>  		functions onto separate machines, then you can make
>>>  		the necessary network security settings so that
>>>  		incoming packets that are not a reply to a recent
>>>  		outgoing packet will be prevented from getting to the
>>>  		recursive server.
>>
>>  This is also possible if recursive and authoritative service runs on
>>  different IP addresses, but are served by the same named process.
>
>	They can't be served by the same process.  Each named process is 
>going to listen to one or more IP addresses (according to your 
>configuration), and is going to either act as a recursive-only 
>server, an authoritative-only server, or as a combined 
>recursive/authoritative server, according to the configuration.

Can't you do this with views?  Could you make one view authoritative-only
and another view recursive?  I know that you can give out different
authoritative data from different views and I thought that I had read
somewhere that views could also differ in whether recursion was allowed
or not.

>	If you want to run two copies of BIND listening to different 
>addresses, then you could have different configurations on them.  But 
>you can't have one copy of BIND listening to multiple IP addresses 
>with different configurations for each IP address.
>
>>>  		2.  If the recursive and authoritative functions are
>>>  		split onto separate machines, then if one should get
>>>  		compromised, then the other should still be reasonably
>>>  		secure.  If you've done your network security
>>>  		correctly, there should be no trust relationship
>>>  		between these machines,
>>
>>  But there is, and you can't avoid it.  The recursive resolver fetches
>>  data from the authoritative server.
>
>	There's a certain amount of trust relationship, yes.  But it's 
>minimal, and doesn't require that you have the same accounts, the 
>same user authentication database, etc....  Just because you've 
>managed to hack root password on one machine should not make the 
>other machine any more vulnerable than it was before.
>
>>>  	Right, but where would you get such unfiltered/untrusted content
>>>  onto your authoritative-only server, unless you caused it to be
>>>  loaded there?
>>
>>  Web-based DNS management with customer access, for example.  I believe
>>  everyone filters out-of-zone records these days, but it's hard to be
>>  sure.
>
>	That's a data management issue, and one you're responsible for 
>resolving.  There's nothing that BIND can do to help you with this 
>problem.
>
>-- 
>Brad Knowles, <brad at stop.mail-abuse.org>
>
>"Those who would give up essential Liberty, to purchase a little
>temporary Safety, deserve neither Liberty nor Safety."
>
>     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
>     Assembly to the Governor, November 11, 1755
>
>   SAGE member since 1995.  See <http://www.sage.org/> for more info.
>
>


-- 
Tom Schulz
schulz at adi.com

More information about the bind-users mailing list