bind configuration help

Kevin Darcy kcd at chrysler.com
Wed Nov 11 22:58:10 UTC 2009 

Jeff Lightner wrote:
> I can't quite agree with that.
>
> While public information is indeed public it is intended to be so for specific lookups not for zone transfers.  
Circular argument: allowing zone transfers is bad if one didn't intend 
to allow zone transfers.
> Someone external to you asking get a zone transfer may be looking for what he can exploit.   

Speculative argument: someone may do something bad with information that 
was intentionally made public.
> Maybe he can find that information anyway with enough digging but why make it easy for him? 
>   
On the other hand, why make it harder for good and bad folks alike? 
Superfluous concealment often raises curiosity and attracts probing. 
(Don't even get me started on whether BIND version numbers should be 
suppressed/spoofed; I think you might be able to guess where I stand on 
that too).

Why not allow knowledgeable experts to diagnose problems with your 
external-facing zones, or business partners to set up "stealth slaves", 
if they wish, for architectural, performance and/or availability 
reasons, without having to reconfigure one's nameserver, and/or 
generate/distribute a TSIG key, every time they want to?

Consider long and deep how much configuration complexity and "churn" 
raises opportunities for infrastructure breakins and/or denials of 
service, perhaps far more than simple information disclosures ever could...

                                                                         
                                                         - Kevin

P.S. I've already lost this argument in our own organization, so don't 
even bother with the "practice what you preach" observation. I can but 
offer advice to others to avoid such a ridiculous state of affairs.
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Kevin Darcy
> Sent: Wednesday, November 11, 2009 12:53 PM
> To: bind-users at lists.isc.org
> Subject: Re: bind configuration help
>
> Holger Honert wrote:
>   
>> Security issues!
>>
>> Usually you only want *trusted* clients to use your server recursively.
>>
>> And you don't really want to allow *any* fetching your hosted zones 
>> for doing something bad, i.e. getting (unwanted!) infos
>> over your network and infrastructure.
>>     
> If the infos are public, they're public, the only difference is that 
> zone transfers are a more efficient way of fetching more than about 2 or 
> 3 records in a single transaction, compared to querying each one 
> individually.
>
> If you want your network and infrastructure infos to be private, then 
> put them in a private zone that can't be queried from the Internet at all.
>
>                                                                          
>                                                    - Kevin
>
>   
>> Regards
>>
>> Holger
>>
>>
>> Jukka Pakkanen schrieb:
>>     
>>> Sorry, but could You specify more accurately what is "bad" ? This is
>>> my first bind configuration, so probably I've made some mistakes, but
>>> I'd like to do it the right way in the end.:)
>>>
>>> On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON <lcaron at lncsa.com> wrote:
>>>   
>>>       
>>>>>     allow-recursion { any; };
>>>>>       
>>>>>           
>>>> bad
>>>>
>>>>     
>>>>         
>>>>>     allow-transfer { any; };
>>>>>       
>>>>>           
>>>> bad
>>>>
>>>>     
>>>>         
>>> It's usually a bad idea to allow "any" to use your server recursively, or allow "any" transfer zone data. Like an "open dns-server".
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>>
>>>   
>>>       
>> ------------------------------------------------------------------------
>> SIGNAL Krankenversicherung a. G., Sitz: Dortmund, HR B 2405, AG Dortmund
>> IDUNA Vereinigte Lebensversicherung aG für Handwerk, Handel und Gewerbe,
>> Sitz: Hamburg, HR B 2740, AG Hamburg
>> Deutscher Ring Krankenversicherungsverein a.G., Sitz: Hamburg,
>> HR B 4673, AG Hamburg,
>> SIGNAL IDUNA Allgemeine Versicherung AG, Sitz: Dortmund, HR B 19108,
>> AG Dortmund
>> Vorstände: Reinhold Schulte (Vorsitzender),
>> Wolfgang Fauter (stellv. Vorsitzender), Dr. Karl-Josef Bierth,
>> Jens O. Geldmacher, Marlies Hirschberg-Tafel,
>> Michael Johnigk, Ulrich Leitermann, Michael Petmecky,
>> Dr. Klaus Sticker, Prof. Dr. Markus Warg
>> Vorsitzender der Aufsichtsräte: Günter Kutz
>> SIGNAL IDUNA Gruppe Hauptverwaltungen, Internet: www.signal-iduna.de
>> 44121 Dortmund, Hausanschrift: Joseph-Scherer-Str. 3, 44139 Dortmund
>> 20351 Hamburg, Hausanschrift: Neue Rabenstraße 15-19, 20354 Hamburg
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>     
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>  
> Proud partner. Susan G. Komen for the Cure.
>  
> Please consider our environment before printing this e-mail or attachments.
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
> ----------------------------------
>
>
>
>

More information about the bind-users mailing list