Vulnerable DNS servers, RFC

Brad Knowles brad at stop.mail-abuse.org
Tue Oct 25 08:41:29 UTC 2005


At 8:46 AM +0200 2005-10-25, Florian Weimer wrote:

>  I don't understand why the authoritative/resolver split is
>  recommended.  Sure, it is a good idea in many cases, but in this
>  context, it only increases risk because you depend on the correctness
>  of the delegation from the root to your zones.

	I'm sure there are several reasons why this is a good idea.  I 
can think of two off the top of my head:

		1.  If you split the authoritative and recursive functions onto
			separate machines, then you can make the necessary network
			security settings so that incoming packets that are not a
			reply to a recent outgoing packet will be prevented from
			getting to the recursive server.  If you're running a more
			recent version of BIND that ignores out-of-zone glue, then
			the recursive server should be largely protected against
			cache pollution/poisoning.

			Meanwhile, the authoritative server is allowed to receive
			non-reply traffic, which is necessary in the performance of
			its duty.

		2.  If the recursive and authoritative functions are split onto
			separate machines, then if one should get compromised, then
			the other should still be reasonably secure.  If you've done
			your network security correctly, there should be no trust
			relationship between these machines, or between these machines
			and any others on your DMZ, and therefore the hackers should
			find themselves in an isolated pocket within your network
			and not really in any better situation to attack other systems
			on your network than they were before.

>  Few people seem to keep in mind that if you load unfiltered untrusted
>  zones into your name server, you lose, even if it's an
>  authoritative-only server.  (It's kind of obvious in the resolver
>  case.)

	Right, but where would you get such unfiltered/untrusted content 
onto your authoritative-only server, unless you caused it to be 
loaded there?

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
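As an added example (not from this post, nor from BIND's own documentation), here is what the split above looks like in named.conf for the two roles, with the reply-only firewall policy for the recursive box sketched in comments; the addresses, the ACL name, the zone and the nftables lines are all assumed.

```conf
// Added example: two named.conf fragments for the authoritative/recursive split.
// Addresses, ACL names, zone and firewall lines are assumed, not taken from the post.

// --- named.conf on the authoritative-only server (assumed 192.0.2.53) ---
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion no;                    // never recurses, so there is no cache to poison
    allow-query { any; };            // must accept unsolicited queries from anyone
    allow-query-cache { none; };     // refuse cache lookups outright
    allow-transfer { none; };        // add your secondaries here if you use AXFR
};

// Only zones you deliberately place here are loaded; nothing is fetched from outside.
zone "example.com" {
    type master;
    file "db.example.com";
};

// --- named.conf on the recursive server (assumed 192.0.2.54) ---
acl internal { 192.0.2.0/24; 10.0.0.0/8; };   // assumed client ranges

options {
    directory "/var/named";
    listen-on { 192.0.2.54; };
    recursion yes;
    allow-recursion { internal; };   // only our own clients may recurse
    allow-query { internal; };
    allow-query-cache { internal; };
};

// Host firewall for the recursive box (assumed nftables syntax), matching point 1
// of the post: clients in, replies to our own outgoing queries in, nothing else.
//   udp dport 53 ip saddr 192.0.2.0/24 accept      # queries from our clients
//   ct state established,related accept            # replies to our outgoing queries
//   drop                                           # any other unsolicited packet
```

The authoritative box keeps accepting unsolicited traffic because that is its job; the recursive box only ever sees client queries and answers it asked for.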
