Security issue in BIND servers
Simon Waters
Simon at wretched.demon.co.uk
Wed Aug 22 22:21:20 UTC 2001
Bind Users wrote:
>
> Currently, I run BIND ver 9.1.3 for both my DNS servers.
> Sometimes we need to do a zone transfer for a remote site, either
> as a Master or Slave server. Therefore, TCP Port 53 was opened up.
> I'm concerned about the security, although it was behind a firewall, as
> the TCP port was quite fragile for attacking & hacking activities.
DNS has always used both UDP and TCP to port 53; if you had UDP
open and TCP closed before, you were committing a classic
mistake.
> 1) Maybe I could do some hardening. Any recommendation? How?
Look at OS hardening - many problems come from buffer overflows.
Solaris has a kernel parameter to stop execution of code on the
stack - see any recent SUN response to BUGTRAQ buffer overflows
or the JASS blueprint docs.
Other OSes are beginning to offer similar features. This kills a
whole host of problems not just BIND.
The firewall should offer some protection against SYN flooding
and other common TCP attacks.
> 2) Is there any facility that BIND 9.1.3 could offer?
You've got most of them. Cricket has a paper on securing DNS.
http://www.acmebw.com/resources/
I think the main change for BIND 9 is the "-t" chroot option (or
did I miss that - there has to be some reason to buy his
excellent book - edition 4). The chroot option has been
discussed exhaustively in the last couple of weeks - so see the
list archive.
TCP offers some advantages over UDP in this context, as UDP
packets are easier to fake. TCP may open a wider variety of DoS
attack, but then anyone intent on a quick DoS knowing the
innards of TCP will probably be able to DoS your server some
other way anyhow.
--
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769 ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
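An added example, not part of Simon's reply and not a configuration shipped by ISC, showing the two BIND-side controls the thread touches on: keeping TCP 53 open for zone transfers without letting every host on the Internet pull your zones, and starting named chrooted and unprivileged with the "-t" and "-u" options. The slave address 192.0.2.10, the key name "transfer-key", the zone name, the chroot path /var/named/chroot and the "named" user are all assumptions for illustration; the TSIG secret is a placeholder and must be replaced with the output of dnssec-keygen. hmac-md5 is shown because it was the only TSIG algorithm BIND 9.1 supported; on any current release use hmac-sha256.

```conf
// named.conf fragment (added example; paths and addresses are assumptions)
//
// Generate the shared secret on the master and copy it to the slave:
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST transfer-key
// and paste the Key: line from Ktransfer-key.+157+NNNNN.private below.

key "transfer-key" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";   // placeholder, not a real key
};

// Any message to or from the slave must carry a valid TSIG signature.
server 192.0.2.10 {
    keys { "transfer-key"; };
};

options {
    directory "/";                       // relative to the chroot passed with -t
    allow-transfer { none; };            // weak default would be: allow-transfer { any; };
    notify no;                           // only zones that list also-notify send NOTIFY
};

zone "example.com" {
    type master;
    file "/etc/named/example.com.zone";  // path inside the chroot
    // Only the slave, and only when it signs the request with the key.
    allow-transfer { key "transfer-key"; };
    also-notify { 192.0.2.10; };
};
```

Start the daemon so that it drops root and changes its root directory before serving, for example "named -u named -t /var/named/chroot -c /etc/named.conf"; everything named needs (config, zone files, a writable directory for journals, /dev/null and /dev/random if the OS requires them) has to be copied under /var/named/chroot first. A quick check that the restriction works is to request the zone from a host that is not the slave, "dig @master example.com AXFR", and confirm the answer is "Transfer failed." while the same request from 192.0.2.10 with "-k Ktransfer-key.+157+NNNNN.private" succeeds. The firewall rule for TCP 53 can then be narrowed to the slave addresses as well, since ordinary queries that fall back to TCP for large answers are the only other legitimate use of that port.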