Vulnerable DNS servers, RFC
Kevin Darcy
kcd at daimlerchrysler.com
Mon Oct 24 20:56:14 UTC 2005
Andy Pieters wrote:
>Hi List
>I got a newsflash from The Register regarding
>http://www.theregister.co.uk/2005/10/24/dns_security_survey/
>
>Having a little nameserver myself, would it be possible for someone to "pharm"
>it?
>
>ip->dns is only allowed on LAN, whereas the same bind also serves a small zone
>on the WAN (to allow lookups for the vlaamse-kern.com domain)
>
>Is there a possibility of bind, which runs in its chroot jail, of being
>poisoned and returning different ips for the vlaamse-kern.com instead of the
>ones from the zone file?
>
This kind of cache-poisoning attack has nothing to do with chroot'ing
(because it's not an attempt to break into the nameserver at an
Operating System level), nor will it affect any zone that you serve
authoritatively, i.e. for which your server is master or slave (because
authoritative data is distinct from cached data and can only be changed
by zone transfer, Dynamic Update (where authorized) or by restarting the
nameserver with a changed zone file).
As the article says, make sure you only allow recursion for your own
and/or trusted clients.
As for the recommendations about limiting zone transfers, I respectfully
disagree. A lot of "security experts" dribble out this advice to limit
zone transfers, but I think most of them are non-DNS people who don't
understand that zone transfers don't include any information that isn't
available via ordinary queries anyway. Limiting zone transfers is just
one more thing that needs configuration and ongoing maintenance, gets in
the way of troubleshooting and complicates any migrations of a zone from
one DNS hosting provider to another. As for the (weak) DoS argument, my
own anecdotal evidence is that hackers don't seem interested in bringing
down DNS services with zone transfer requests these days. Most of our
zones -- and I think we're fairly typical -- only have data at the apex
and "www" names, so zone transfers don't really cause much more traffic
than individual queries anyway, not to mention that BIND 9 offers some
reasonable controls over zone transfer usage that don't interfere with
ordinary queries. My intention is to leave zone transfers open for the
foreseeable future. One less thing to futz around with.
- Kevin
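An added configuration example, not taken from the thread or from ISC's BIND documentation, showing the named.conf arrangement the reply describes: authoritative answers for everyone, recursion (and therefore cache use) only for LAN clients, and BIND 9's transfer-usage limits in place of a transfer ACL. The LAN range 192.168.1.0/24, the directory and the zone file name are assumed placeholders; the zone name is the one from the original question.

```conf
// Added example, not from the original post or from ISC's BIND documentation.
// Assumed values: 192.168.1.0/24 as the LAN, the directory and the zone file name.

acl "lan" {
    127.0.0.0/8;
    192.168.1.0/24;                   // assumed LAN range
};

options {
    directory "/var/named";           // assumed path (relative to the chroot, if any)

    // Serve authoritative data to anyone, but recurse only for the LAN.
    // Hosts outside the ACL asking for names this server is not
    // authoritative for get REFUSED instead of a recursive lookup.
    allow-query     { any; };
    allow-recursion { "lan"; };

    // Transfer-usage controls of the kind the reply refers to: cap how many
    // outbound AXFR/IXFR may run at once and how long one may take, so that
    // transfers cannot crowd out ordinary queries, without refusing them.
    transfers-out         10;         // concurrent outbound transfers
    max-transfer-time-out 120;        // minutes before an outbound transfer is cut off
};

// Authoritative zone. Its data comes from the zone file and is separate from
// the cache, so cached answers for other names cannot alter it.
zone "vlaamse-kern.com" {
    type master;
    file "vlaamse-kern.com.zone";     // assumed file name
    allow-transfer { any; };          // left open, as the reply recommends; an ACL can go here instead
};
```

Check the file with `named-checkconf` before reloading. From a host outside the ACL, a query for a name in the zone should come back with the `aa` flag set, while a query for an unrelated domain should return REFUSED. Note that in BIND 9.3, the current release when this thread was written, `allow-recursion` does not stop hosts outside the ACL from reading entries already in the cache; BIND 9.4 and later add `allow-query-cache` to restrict that as well.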