Vulnerable DNS servers, RFC

Kevin Darcy kcd at daimlerchrysler.com
Mon Oct 24 20:56:14 UTC 2005


Andy Pieters wrote:

>Hi List
>I got a newsflash from The Register regarding 
>http://www.theregister.co.uk/2005/10/24/dns_security_survey/
>
>Having a little nameserver myself, would it be possible for someone to "pharm" 
>it?
>
>ip->dns is only allowed on LAN, whereas the same bind also serves a small zone 
>on the WAN (to allow lookups for the vlaamse-kern.com domain)
>
>Is there a possibility of bind, which runs in its chroot jail, being 
>poisoned and returning different IPs for vlaamse-kern.com instead of the 
>ones from the zone file?
>
This kind of cache-poisoning attack has nothing to do with chroot'ing 
(because it's not an attempt to break into the nameserver at an 
Operating System level), nor will it affect any zone that you serve 
authoritatively, i.e. for which your server is master or slave (because 
authoritative data is distinct from cached data and can only be changed 
by zone transfer, Dynamic Update (where authorized) or by restarting the 
nameserver with a changed zone file).

As the article says, make sure you only allow recursion for your own 
and/or trusted clients.

As for the recommendations about limiting zone transfers, I respectfully 
disagree. A lot of "security experts" dribble out this advice to limit 
zone transfers, but I think most of them are non-DNS people who don't 
understand that zone transfers don't include any information that isn't 
available via ordinary queries anyway. Limiting zone transfers is just 
one more thing that needs configuration and ongoing maintenance, gets in 
the way of troubleshooting and complicates any migrations of a zone from 
one DNS hosting provider to another. As for the (weak) DoS argument, my 
own anecdotal evidence is that hackers don't seem interested in bringing 
down DNS services with zone transfer requests these days. Most of our 
zones -- and I think we're fairly typical -- only have data at the apex 
and "www" names, so zone transfers don't really cause much more traffic 
than individual queries anyway, not to mention that BIND 9 offers some 
reasonable controls over zone transfer usage that don't interfere with 
ordinary queries. My intention is to leave zone transfers open for the 
foreseeable future. One less thing to futz around with.

                                                                         
                                                                     - Kevin
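As an added illustration (not part of the original thread, and not a configuration from either poster), here is a BIND 9 named.conf fragment for the setup Andy describes: recursion only for LAN clients, and one zone (vlaamse-kern.com) answered authoritatively to anyone. It shows the weak "recursion for everyone" setting beside the restricted form the article and Kevin recommend, and the zone transfer usage controls Kevin alludes to. The ACL address ranges, file paths and secondary-server address are placeholders.

```conf
// Added example, not from the bind-users thread. Addresses use the
// RFC 5737 documentation ranges as placeholders; paths are placeholders too.

acl "lan"         { 127.0.0.1; 192.0.2.0/24; };   // placeholder: your LAN
acl "secondaries" { 198.51.100.5; };              // placeholder: your slave server(s)

options {
    directory "/var/named";                       // placeholder path

    // Weak setting: any host on the Internet may use this server as a
    // recursive resolver, which is what exposes the cache to poisoning
    // and makes the server usable for third parties' lookups.
    //   recursion yes;
    //   allow-recursion { any; };

    // Restricted setting: recursive (cached) answers only for own clients.
    recursion yes;
    allow-recursion   { lan; };
    allow-query-cache { lan; };   // BIND 9.4+: cached data is not served to the WAN either

    // Zone transfer usage controls (BIND 9): bound the work a burst of AXFR
    // requests can cause without refusing transfers outright.
    transfers-out    10;          // concurrent outbound transfers served at once
    transfers-per-ns 2;           // concurrent inbound transfers from any one master
};

// Authoritative zone: answered to everyone. Its data lives apart from the
// cache, so poisoned cache entries never replace these records.
zone "vlaamse-kern.com" {
    type master;
    file "vlaamse-kern.com.zone";                 // placeholder path
    allow-query { any; };
    // Kevin leaves transfers open (the BIND default). The restriction he
    // argues against would be:
    //   allow-transfer { secondaries; };
};
```

To check the result from outside the LAN, a recursive query such as `dig @your.server.example www.example.com` (a name you are not authoritative for) should come back REFUSED, while `dig @your.server.example vlaamse-kern.com` must still return the zone's own records with the AA flag set; run `named-checkconf` after editing to catch syntax slips before reloading.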