Vulnerable DNS servers, RFC
Brad Knowles
brad at stop.mail-abuse.org
Tue Oct 25 08:41:29 UTC 2005
At 8:46 AM +0200 2005-10-25, Florian Weimer wrote:
> I don't understand why the authoritative/resolver split is
> recommended. Sure, it is a good idea in many cases, but in this
> context, it only increases risk because you depend on the correctness
> of the delegation from the root to your zones.
I'm sure there are several reasons why this is a good idea. I
can think of two off the top of my head:
1. If you split the authoritative and recursive functions onto
separate machines, then you can make the necessary network
security settings so that incoming packets that are not a
reply to a recent outgoing packet will be prevented from
getting to the recursive server. If you're running a more
recent version of BIND that ignores out-of-zone glue, then
the recursive server should be largely protected against
cache pollution/poisoning.
Meanwhile, the authoritative server is allowed to receive
non-reply traffic, which is necessary in the performance of
its duty.
2. If the recursive and authoritative functions are split onto
separate machines, then if one should get compromised, then
the other should still be reasonably secure. If you've done
your network security correctly, there should be no trust
relationship between these machines, or between these machines
and any others on your DMZ, and therefore the hackers should
find themselves in an isolated pocket within your network
and not really in any better situation to attack other systems
on your network than they were before.
> Few people seem to keep in mind that if you load unfiltered untrusted
> zones into your name server, you lose, even if it's an
> authoritative-only server. (It's kind of obvious in the resolver
> case.)
Right, but where would you get such unfiltered/untrusted content
onto your authoritative-only server, unless you caused it to be
loaded there?
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
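The authoritative/recursive split discussed in the message above, as an added example that is not part of the original post or of BIND's own documentation: two BIND 9 `named.conf` fragments, one per host. The zone name, the address ranges (RFC 5737 documentation space) and the file paths are constructed placeholders.

```conf
// Added example, not from the original post. Two separate files, one per host.

// ---- File 1: /etc/named.conf on the authoritative-only host (192.0.2.53, constructed) ----
options {
    directory "/var/named";
    recursion no;                      // never resolve on behalf of anyone
    allow-query { any; };              // answers for our own zones are public
    allow-transfer { 192.0.2.54; };    // constructed secondary address
    minimal-responses yes;             // keep additional-section data to the minimum
};

zone "example.com" {                   // constructed zone
    type master;
    file "example.com.zone";           // only content we deliberately loaded
};

// ---- File 2: /etc/named.conf on the recursive-only host (198.51.100.53, constructed) ----
acl "internal" { 198.51.100.0/24; 127.0.0.1; };   // constructed client range

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };     // only our own clients may recurse
    allow-query { internal; };         // and only they may query at all
    allow-transfer { none; };
    // No zones are loaded here: every record in the cache arrives via resolution,
    // so nothing can be made to originate from this host's own data.
};
```

The network piece of point 1 in the message (letting only replies to the resolver's own recent outgoing queries reach it) is a stateful host or perimeter firewall rule on the resolver host, not a `named.conf` setting; the authoritative host, by contrast, must accept unsolicited queries on port 53 from anywhere.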