Security issue in BIND servers

Simon Waters Simon at wretched.demon.co.uk
Wed Aug 22 22:21:20 UTC 2001


Bind Users wrote:
> 
> Currently, I run BIND ver 9.1.3 for both my DNS servers.
> Sometimes we need to do a zone transfer for a remote site, either
> as a Master or Slave server. Therefore, TCP port 53 was opened up.
> I'm concerned about the security although it was behind a firewall, as
> TCP ports are quite fragile for attacking & hacking activities.

DNS has always used both UDP and TCP to port 53; if you had UDP
open and TCP closed before, you were committing a classic
mistake.

> 1) Maybe I could do some hardening. Any recommendation? How?

Look at OS hardening - many problems come from buffer overflows. 

Solaris has a kernel parameter to stop execution of code on the
stack - see any recent SUN response to BUGTRAQ buffer overflows
or the JASS blueprint docs.

Other OSes are beginning to offer similar features. This kills a
whole host of problems not just BIND.

The firewall should offer some protection against SYN flooding
and other common TCP attacks.

> 2) Is there any facility that BIND 9.1.3 could offer?

You've got most of them. Cricket has a paper on securing DNS.
http://www.acmebw.com/resources/

I think the main change for BIND 9 is the "-t" chroot option (or
did I miss that - there has to be some reason to buy his
excellent book - edition 4). The chroot option has been
discussed exhaustively in the last couple of weeks - so see the
list archive.

TCP offers some advantages over UDP in this context, as UDP
packets are easier to fake. TCP may open a wider variety of DoS
attacks, but then anyone intent on a quick DoS knowing the
innards of TCP will probably be able to DoS your server some
other way anyhow.

-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
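
A configuration illustrating the advice in the reply above (an added example; it is not from the original post, the list, or ISC): TCP 53 stays open at the firewall for zone transfers, but named itself only lets the one remote slave pull the zone, and the daemon is started inside the chroot that BIND 9's -t option provides. The zone name example.com, the addresses 192.0.2.10 (master) and 198.51.100.20 (remote slave), and the file paths are assumptions chosen for illustration.

```conf
// named.conf for the master side (added example, not from the original post).
// File paths are relative to the chroot directory passed to "named -t",
// so "/var/named" here is /chroot/named/var/named on disk (path assumed).
options {
    directory "/var/named";
    allow-transfer { none; };          // default: nobody may AXFR/IXFR any zone
};

// Hosts allowed to pull zones: only the remote site's slave (address assumed).
acl remote-slaves { 198.51.100.20; };

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { remote-slaves; }; // overrides the global "none" for this zone only
    also-notify { 198.51.100.20; };    // tell the slave when the zone changes
};

// The slave side of the same arrangement, for the second server's named.conf:
// zone "example.com" {
//     type slave;
//     file "slave/example.com.zone";
//     masters { 192.0.2.10; };        // the master above (address assumed)
//     allow-transfer { none; };       // the slave need not re-serve AXFR to anyone
// };
```

Start the daemon as `named -u named -t /chroot/named` (user name and path assumed): `-t` is the chroot option the reply mentions, and `-u` drops root privileges once port 53 is bound. The firewall still has to pass both UDP and TCP to port 53, but with `allow-transfer` restricted as above only the listed slave can complete a transfer; any other client asking for AXFR is refused by named rather than being handed the whole zone.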

