Vulnerable DNS servers, RFC
Brad Knowles
brad at stop.mail-abuse.org
Tue Oct 25 09:08:20 UTC 2005
At 10:47 AM +0200 2005-10-25, schnitzel meister wrote:
> I don't understand how disabling recursion would help.
> Is bind trusting something it shouldn't?
No. Let me explain.
An authoritative-only server is only going to provide the
information that you explicitly configure it to provide, through the
/etc/named.conf file (or wherever yours is located) plus the
associated zone files. The only way you could hand out bogus data
would be if the machine itself were compromised and someone logged in
and changed the files, or if you're a secondary for some zone and the
primary has been hacked.
But when you enable recursion, you have to trust a certain amount
of data from external sources, and you can never be 100% certain that
the data you're trusting won't actually cause some sort of damage.
With a recursive server, you just have to accept that
possibility, but you can at least isolate the recursive server so
that no one from the outside world can send unprompted packets to it,
and you force attackers to work in a more indirect way. Assuming
you're running the most recent code, all known indirect
vulnerabilities should be closed, and there should be relatively few
unknown indirect vulnerabilities, and because the code has been
thrashed about so much on so many different machines, whatever unknown
indirect vulnerabilities do exist should be relatively rare
occurrences.
But when you combine recursive and authoritative services on the
same machine, you can't protect the recursive server by hiding it
behind a firewall and preventing unprompted packets from being sent
to it, because you would interfere with the authoritative function.
Now your combined recursive/authoritative server is much more
vulnerable, and there is the possibility that they might find a
weakness that allows them to send you bogus data that is trusted by
the recursive function and put into the database, but now that
database is shared with the authoritative function, and you might
very well be tricked into handing out bogus data for any queries
asked about your own domains.
Think of it like the turnstiles at a subway station. So long as
they only have to go one direction, everything operates reasonably
well, and the turnstiles can prevent many forms of abuse.
But try to configure the turnstiles so that they have to support
going both directions, and you've got a real problem.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
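The split the message argues for, as an added configuration example (not from the original post or from ISC): one BIND 9 named.conf on a public-facing authoritative-only host, and a second one on an internal recursive-only host. The zone name example.com, the addresses 192.0.2.53, 192.0.2.54 and 10.0.0.53, the 10.0.0.0/8 internal prefix, the acl name and the file paths are placeholders chosen for the example.

```conf
# Added example, not part of the original message. Two separate named.conf
# files; every address, zone name and path below is an assumed placeholder.

#### /etc/named.conf on host A: authoritative-only, reachable from anywhere
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };        # assumed public address
    recursion no;                     # never chase answers on a client's behalf
    allow-query { any; };             # the world may ask about the zones below
    allow-transfer { 192.0.2.54; };   # assumed secondary, nobody else
};

zone "example.com" {
    type master;
    file "master/example.com.zone";   # assumed path; this file is the only
};                                    # source of answers host A will give

#### /etc/named.conf on host B: recursive-only, reachable from inside only
acl internal { 10.0.0.0/8; 127.0.0.1; };   # assumed internal prefix

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };         # assumed internal address, also firewalled
    recursion yes;
    allow-query { internal; };        # refuse anything that is not ours
    allow-recursion { internal; };
};

# Deliberately no "zone example.com" on host B: it resolves example.com by
# asking host A like any other domain, so poisoned cache data on B can never
# be served to the outside world as authoritative data for your own zones.
```

Check each file with `named-checkconf` before restarting. Then, from an outside address, `dig @192.0.2.53 www.example.com A` should return an answer with the `aa` flag and without `ra`, while `dig @192.0.2.53 www.isc.org A` should come back as REFUSED (or, on older BIND 9, as a referral rather than an answer from any cache); a query of either kind sent to 10.0.0.53 from outside should get no reply at all, first from the firewall and, failing that, from `allow-query`.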