Same source port queries dropped by ServerIron load balancer

Barry Margolin barmar at alum.mit.edu
Sun Apr 4 19:33:02 UTC 2010


In article <mailman.1058.1270395730.21153.bind-users at lists.isc.org>,
 Kevin Darcy <kcd at chrysler.com> wrote:

> On 4/1/2010 9:19 PM, Barry Margolin wrote:
> > In article<mailman.1048.1270148466.21153.bind-users at lists.isc.org>,
> >   Kevin Darcy<kcd at chrysler.com>  wrote:
> >
> >
> >> Re-use of source ports for DNS queries is a bad security practice. I
> >> cast my vote in favor of penalizing it, in the default configuration of
> >> any device that responds to DNS requests.
> >>
> > It's really not the job of a load balancer or server to force clients to
> > use good security practices.
> >
> Trouble is, when everyone carves out their little area of responsibility 
> such that enforcing good security practices is "not my job, man", then 
> very few things enforce security practices, and ultimately they don't 
> get enforced at all.

There's a well-defined place where security is supposed to be enforced: 
the firewall.  I suppose the device in question may be a combination 
firewall and load balancer.

But a firewall in front of a server should be protecting the server, not 
protecting the clients from themselves.

> Certainly a load-balancer can legitimately refuse to serve queries that 
> are suspect, can it not? E.g. that are malformed in particular ways that 
> indicate hostile intent. So, where in the spectrum of "suspectness" can 
> we draw the line and say, everything on that side, I trust to answer, 
> and everything on the other side of the line, I don't? I think a client 
> that re-uses source ports is untrustworthy. Therefore I think it's a 
> reasonable default to decline to service queries from such clients.

Since when does a DNS server need to "trust" the client?  The server 
just answers questions, it doesn't incorporate any information from the 
client (except for dynamic DNS updates, but these are almost always 
clients inside the security perimeter).

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
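One way an operator could measure the behaviour this thread argues about before deciding whether to penalize it: an added example, not code from the thread or from any Brocade/ServerIron product, that scores each client's source-port diversity from a constructed list of query records (client IP, UDP source port, transaction ID) and flags only clients with enough queries to judge.

```python
from collections import defaultdict

# Constructed sample of DNS query records as a load balancer or resolver
# might log them: (client_ip, udp_source_port, dns_txid). Assumption: these
# three fields are all we have per query.
QUERIES = (
    # 192.0.2.10 sends every query from the same port: little entropy left
    # beyond the 16-bit transaction ID for anyone trying to forge answers.
    [("192.0.2.10", 53001, txid) for txid in (0x1a2b, 0x3c4d, 0x5e6f, 0x7081,
                                               0x92a3, 0xb4c5, 0xd6e7, 0xf809)]
    # 192.0.2.20 randomizes its source port per query (what a patched
    # resolver does), so it should not be flagged.
    + [("192.0.2.20", port, 0x1111) for port in (40123, 51877, 33290, 60004,
                                                   45551, 38762, 57310, 49919)]
    # 192.0.2.30 reused a port, but only three queries were seen: too little
    # evidence to act on, so it stays below the min_queries threshold.
    + [("192.0.2.30", 42000, txid) for txid in (0x0001, 0x0002, 0x0003)]
)


def port_reuse_report(queries, min_queries=5, max_reuse_ratio=0.5):
    """Per client: query count, distinct source ports, reuse ratio, flag.

    reuse_ratio is 1 - distinct_ports/queries, so 0.0 means every query
    used a fresh port and values near 1.0 mean a fixed port. A client is
    flagged only when it has at least min_queries queries AND its reuse
    ratio exceeds max_reuse_ratio; the policy choice (log, rate-limit,
    drop) is left to the operator, which is the point of the debate above.
    """
    ports_by_client = defaultdict(list)
    for client_ip, source_port, _txid in queries:
        ports_by_client[client_ip].append(source_port)

    report = {}
    for client_ip, ports in ports_by_client.items():
        n = len(ports)
        distinct = len(set(ports))
        reuse_ratio = 1.0 - distinct / n
        report[client_ip] = {
            "queries": n,
            "distinct_ports": distinct,
            "reuse_ratio": round(reuse_ratio, 3),
            "flagged": n >= min_queries and reuse_ratio > max_reuse_ratio,
        }
    return report


if __name__ == "__main__":
    for ip, row in port_reuse_report(QUERIES).items():
        print(ip, row)
```

Clients behind a NAT that rewrites source ports will be scored on the NAT's port choices, not their own, so a flagged address may be a gateway rather than a single misbehaving resolver.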