DNS Security

Jim Reid jim at rfc1035.com
Tue Dec 28 00:06:43 UTC 1999


>>>>> "Bill" == wwebb  <wwebb at adni.net> writes:

    Bill> I'm interested in maximizing security against spoofing attacks.

Well ACLs are probably not a lot of help in achieving that goal.
Whenever your name server queries another name server, it will trust
whatever answers it gets back. They could include lies. In fact those
"answers" might not even come from a name server!

Suppose you install an ACL to stop resolvers from nastydomain asking
your name servers about nastydomain. [Let's assume nastydomain's name
servers tell lies and want to get those lies into the caches of your
name servers.] Your ACL stops one simple line of attack. However there
are lots of others. The attacker gets someone at your site to send
mail to nastydomain or click on some link that takes them to a
nastydomain web server. Or hosts in nastydomain connect to network
services on your systems that perform reverse lookups (www, smtp, ftp,
rlogin, etc). All of these will take your name servers to the
nastydomain name servers. So your supposedly secure name servers could
get spoofed and/or their caches poisoned anyway. The clever thing is
that the DNS lookups that send your name servers to nastydomain's get
performed from *inside* your network. Your ACL "security" has been
bypassed.

allow-query ACLs can be used to deny unwanted hosts from using your
name servers, but this does not protect those name servers from
spoofing or cache poisoning attacks. These can be prevented with
Secure DNS - ie digital signatures on DNS packets - but this is not
widely deployed yet.

What I'd recommend you do is disallow recursion and glue fetching on
the name servers listed in your zone's NS records. These should only
get queried by other name servers. They'll have no reason to query
another name server apart from the root servers at start-up. Since
they'll be authoritative for your zones, their caches can't be
compromised unless a new security hole is found and exploited. Use
other name servers for handling lookups from local clients. Make them
stealth servers for your zones: they slave your zones but aren't
listed in the NS records. These might pick up cruft from other name
servers - so what? - but their caches can't be spoofed about names in
your zones. If you're paranoid, these servers could also be configured
as stealth servers for other zones you consider important - your ISP,
business partners, suppliers, etc.
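
The split that the post recommends, written out as a named.conf pair. This is an added example, not configuration from Jim Reid's message or from the BIND project; the zone name (example.com), the partner zone (partner.example) and all addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are placeholders. The syntax is that of BIND 8, which the post predates BIND 9 by; `fetch-glue` was dropped as obsolete in BIND 9, where `recursion no;` on the authoritative server is enough, and `allow-recursion` only exists in later BIND 8 releases and BIND 9.

```conf
// Added example, not from the post. BIND 8-era named.conf syntax; every
// name and address below is a placeholder.

// ---- Public authoritative server: the one listed in example.com's NS records ----
// It answers only from its own zone data and never chases referrals for
// anyone, so its cache holds nothing an attacker can poison.
options {
    directory "/var/named";
    recursion no;        // refuse to recurse on behalf of clients
    fetch-glue no;       // BIND 8 only: don't fetch missing NS glue into the cache
    allow-transfer { 192.0.2.53; 192.0.2.54; };  // zone transfers only to the stealth servers
};

zone "example.com" {
    type master;
    file "master/example.com";
};

// ---- Internal stealth server: slaves example.com but is NOT in the NS records ----
// Local clients send their lookups here; nobody outside is told it exists.
acl internal { 192.0.2.0/24; 198.51.100.0/24; };

options {
    directory "/var/named";
    allow-query { internal; };      // refuse queries from anyone else
    allow-recursion { internal; };  // later BIND 8 / BIND 9: recurse only for local clients
};

// Authoritative copy of the local zone: answers about example.com come from
// zone data, not from whatever some remote server sent, so they can't be spoofed.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };   // the public master above
    file "slave/example.com";
};

// The "paranoid" extra from the post: also slave zones you depend on, which
// requires that zone's operator to permit transfers to your address.
zone "partner.example" {
    type slave;
    masters { 203.0.113.1; };
    file "slave/partner.example";
};
```

The two `options` blocks belong in two separate named.conf files on two separate servers; they are shown together only to make the contrast visible. The stealth server can still be fed junk about zones it does not slave, which is the "so what?" the post accepts; what the arrangement buys is that no answer about example.com, on either machine, ever depends on cached data.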


