Vulnerable DNS servers, RFC

Florian Weimer fw at deneb.enyo.de
Tue Oct 25 09:05:16 UTC 2005


* Brad Knowles:

> At 8:46 AM +0200 2005-10-25, Florian Weimer wrote:
>
>>  I don't understand why the authoritative/resolver split is
>>  recommended.  Sure, it is a good idea in many cases, but in this
>>  context, it only increases risk because you depend on the correctness
>>  of the delegation from the root to your zones.
>
> 	I'm sure there are several reasons why this is a good idea.  I 
> can think of two off the top of my head:
>
> 		1.  If you split the authoritative and recursive
> 		functions onto separate machines, then you can make
> 		the necessary network security settings so that
> 		incoming packets that are not a reply to a recent
> 		outgoing packet will be prevented from getting to the
> 		recursive server.

This is also possible if the recursive and authoritative services run on
different IP addresses but are served by the same named process.

> 		2.  If the recursive and authoritative functions are
> 		split onto separate machines, then if one should get
> 		compromised, then the other should still be reasonably
> 		secure.  If you've done your network security
> 		correctly, there should be no trust relationship
> 		between these machines,

But there is, and you can't avoid it.  The recursive resolver fetches
data from the authoritative server.

The reason I know of is the following: If you make the split, you do
not have a special view on your own zones.  This means that you can
easily spot problems with delegations.  Otherwise, it can happen that
you never notice that some delegation went astray because your
resolver happily continues to send answers based on the authoritative
data in its zone files.  This is particularly relevant if you are a
service provider and a customer moves a domain away from your name
servers and you fail to notice this.

>>  Few people seem to keep in mind that if you load unfiltered untrusted
>>  zones into your name server, you lose, even if it's an
>>  authoritative-only server.  (It's kind of obvious in the resolver
>>  case.)
>
> 	Right, but where would you get such unfiltered/untrusted content 
> onto your authoritative-only server, unless you caused it to be 
> loaded there?

Web-based DNS management with customer access, for example.  I believe
everyone filters out-of-zone records these days, but it's hard to be
sure.
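
The single-process, two-address layout discussed above, written out as an
added BIND 9 named.conf example (this is not configuration from the
original post or from the BIND project; the addresses 192.0.2.53 and
198.51.100.53, the "internal" prefix and the zone name example.com are
hypothetical):

```conf
// Added example: one named process, two views bound to two addresses.
// All addresses, the "internal" prefix and example.com are assumptions.

acl "internal" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // The same process listens on both addresses; views below pick the
    // function by destination address.
    listen-on { 192.0.2.53; 198.51.100.53; };
    recursion no;            // default unless a view overrides it
};

// Recursive service: reachable only on 192.0.2.53, only for internal
// clients.  It holds NO copy of example.com, so it follows the delegation
// from the root exactly as any outside resolver would.
view "recursive" {
    match-clients      { internal; };
    match-destinations { 192.0.2.53; };
    recursion       yes;
    allow-recursion { internal; };
    allow-query     { internal; };
    zone "." {
        type hint;
        file "named.ca";
    };
};

// Authoritative service: reachable on 198.51.100.53 from anywhere,
// never recurses, and is the only place the zone files are loaded.
view "authoritative" {
    match-clients      { any; };
    match-destinations { 198.51.100.53; };
    recursion   no;
    allow-query { any; };
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

With this split the packet filter can admit traffic to 192.0.2.53 only
from the internal prefix and as replies to queries the recursive view
itself sent, while 198.51.100.53 accepts queries from the whole Internet.
Because the recursive view carries no authoritative data for example.com,
a delegation that points somewhere else (or nowhere) shows up in your own
lookups instead of being masked by the zone file.  The remaining trust
relationship is the one noted in the post: the recursive view still
consumes whatever the authoritative address serves.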
