What is a Round Robin DNS? and other security issues..

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 27 22:50:08 UTC 2000


Jari Ivanoff wrote:

[snip - question about round-robin DNS]

> And some other questions... is there someone that could tell me what
> security issues I should think about when I set up a DNS?
> I am running Bind 8.2.x on a RedHat 6.1 for our internal network at my job,
> and we are considering our own Internet connection, with an NT based Guardian
> Firewall to the outside. I have thought about a DNS server on the DMZ and
> one on the inside, with a secondary external DNS at one of the "sister"
> corporations' sites, which I am helping to administer anyway (both companies
> have their external connections in our server room but with their own
> links and firewalls).
> What should I think about to get the most secure setup for us?

There are a number of different ways to integrate DNS servers with firewalls,
and you should probably find some suggestions in the archives of this
list/group and the "firewalls" section of the _DNS_and_BIND_ book, but since
you asked specifically about "the most secure setup", I'd recommend reading
http://www.cert.org/advisories/CA-99-14-bind.html and
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos . Among other
things, they recommend upgrading BIND to 8.2.2-p5, and limiting recursion and
zone transfers. Be aware, however, that there is a bug (my opinion) in
BIND that causes spurious refusal of queries in your authoritative zones when
the default rule is to deny queries to untrusted hosts, and the class specified
by the query is ANY. This is not a huge problem, since class=ANY queries are
rather rare, but just something to be aware of.

In addition to the advisories, I'd generally recommend advertising as little of
your DNS data to the Internet as possible for namespaces which you also use
internally. This may mean that you'll have to maintain two copies of your
top-level domain(s) (the external version just being a "shadow") and perhaps
some subzones, which can be a pain in the butt, but anything less risks leaking
your internal DNS data to the outside world. Your firewalls probably need
access to both the internal and external DNS, but you can prevent them becoming
a source of leakage by pointing their resolvers only to "protected" nameservers,
i.e. either an internal box with external-resolution capability via the
forwarding mechanism, or a local nameserver instance which cannot be queried on
any external interface (implemented either through the "listen-on" BIND
directive or using your firewall's native capabilities to block query packets
to that port).


- Kevin
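A concrete sketch of the split layout Kevin describes, added here as an example and not part of the original thread: two BIND 8-style named.conf fragments, one for the DMZ server holding the public "shadow" zone and one for the inside server holding the full zone (BIND 8 has no views, so the two copies live on separate servers). The addresses, ACL names, zone name and file names are constructed placeholders.

```conf
// Constructed addresses: 192.0.2.53 = DMZ server, 10.0.0.53 = internal
// server, 203.0.113.53 = sister company's secondary, 10.0.0.0/8 = inside.

// ---- DMZ (external) server: named.conf ----
acl internal-net { 10.0.0.0/8; };
acl sister-secondary { 203.0.113.53; };
options {
    directory "/var/named";
    // Default rule is "deny untrusted hosts"; recursion for inside only.
    allow-query     { internal-net; localhost; };
    allow-recursion { internal-net; localhost; };
    allow-transfer  { none; };
};
// Public "shadow" copy of the zone: answerable by anyone, but zone
// transfers go only to the sister site's secondary.
zone "example.com" {
    type master;
    file "db.example.com.shadow";
    allow-query    { any; };
    allow-transfer { sister-secondary; };
};

// ---- Internal server: named.conf ----
acl internal-net { 10.0.0.0/8; };
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };          // never answer on an outside interface
    allow-query     { internal-net; };
    allow-recursion { internal-net; };
    allow-transfer  { none; };
    // Names we are not authoritative for go out through the DMZ server,
    // the only box allowed to talk DNS to the Internet.
    forward only;
    forwarders { 192.0.2.53; };
};
// Full internal zone, including hosts the outside world never sees.
zone "example.com" {
    type master;
    file "db.example.com.internal";
};
```

The firewalls' resolvers then point only at 10.0.0.53, as Kevin suggests, so they never become a path for internal names to leak; the allow-* lines are the recursion and transfer limits the CERT and AusCERT advisories call for.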