Message-ID: <20030910144350.S48700@fubar.adept.org>
Date: Wed, 10 Sep 2003 15:00:31 -0700 (PDT)
From: Mike Hoskins <mike@...pt.org>
To: bugtraq@...urityfocus.com
Subject: Re: Permitting recursion can allow spammers to steal name server resources
On Wed, 10 Sep 2003, Dan Harkless wrote:
> On September 9, 2003, Chris Brenton <cbrenton@...isbrenton.org> wrote:
> [...]
> > "DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> [...]
> > _Fixing the problem with Bind_
<snip>
> > allow-recursion {172.16.1.1, 10.0.0.0/8, 192.168.1.0/24;};
> As has been pointed out before, this still leaves you potentially open to
> cache poisoning if the attacker can spoof those addresses (and again, the
> attacker will need to be spoofing anyway, if attacking BIND 9).
luckily more providers have begun properly filtering at ingress. granted,
spoofing is still quite possible from a large percentage of IPv4 space.
> The safest setup is to run authoritative nameservers on separate machines
> (or at least IPs) from caching recursive servers, as discussed, e.g. here:
FWIW, i think this can be derived from Joe's article as well. also,
anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,
http://www.cymru.com/Documents/secure-bind-template.html
everything discussed here relating to BIND configuration (and more) is
covered there.
i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives... however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;) it's also one of the
more frequent things i see reported on mailing lists these days...
particularly thanks to M$.
-mrh
--
From: "Spam Catcher" <spam-catcher@...pt.org>
To: spam-catcher@...pt.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
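The check a practitioner would run after applying the `allow-recursion` ACL discussed in this thread is to send a recursive (RD=1) query for a name the server is not authoritative for, from an address outside the permitted networks, and see whether it recurses. The following is an added example, not code from the thread or from BIND: it builds that query by hand, classifies the reply from the header bits (BIND 9 answers such a client with REFUSED and the RA bit clear), and includes constructed sample replies so the classifier runs offline. The probe target, the query name `www.example.net` (assumed not to be a zone the server carries) and the 192.0.2.1 answer address are assumptions for illustration. Note what it does and does not prove: a REFUSED reply shows the ACL is in place for your source address, not that a spoofed source inside the ACL would be refused, which is the residual risk the thread points out.

```python
"""Added example (not from the thread): probe a name server for open recursion.

Sends an RD=1 A query for an out-of-zone name and classifies the reply from
the DNS header flags. Constructed sample replies are embedded so the
classifier can be exercised offline; probe() is the live check.
"""
import socket
import struct

# DNS header bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000      # message is a response
FLAG_RD = 0x0100      # recursion desired (set by the client)
FLAG_RA = 0x0080      # recursion available (server will recurse for you)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, txid=0x1234):
    """One A/IN question with RD set: what a stub resolver sends to a recursive server."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(resp, txid=0x1234):
    """Classify the reply to an RD=1 query for a name the server does not serve.

    "open"    - RA set, NOERROR, answer records present: the server recursed for us
    "refused" - RCODE REFUSED: the client is outside allow-recursion
    "no-data" - NOERROR, nothing answered, RA clear: e.g. an authoritative-only server
    anything else is reported as "other:<rcode>/<ra>/<ancount>" for manual review
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    if not flags & FLAG_QR:
        raise ValueError("packet is a query, not a response")
    rcode = flags & RCODE_MASK
    ra = bool(flags & FLAG_RA)
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == RCODE_NOERROR and ra and ancount > 0:
        return "open"
    if rcode == RCODE_NOERROR and ancount == 0 and not ra:
        return "no-data"
    return "other:%d/%d/%d" % (rcode, ra, ancount)


# Assumed out-of-zone name: the server under test must not be authoritative for it.
QUERY = build_query("www.example.net.")


def _reply(flags, answers=b"", ancount=0, txid=0x1234):
    """Constructed reply: same question section as QUERY, caller-chosen flags/answers."""
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + QUERY[12:] + answers


# Constructed: an open resolver recursed and returned an A record (192.0.2.1, RFC 5737 space).
OPEN_RESOLVER_REPLY = _reply(
    FLAG_QR | FLAG_RD | FLAG_RA,
    answers=b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([192, 0, 2, 1]),
    ancount=1,
)
# Constructed: the ACL'd server refuses us and does not advertise recursion.
RESTRICTED_REPLY = _reply(FLAG_QR | FLAG_RD | RCODE_REFUSED)
# Constructed: an authoritative-only server with nothing to say about this name.
AUTH_ONLY_REPLY = _reply(FLAG_QR | FLAG_RD)


def probe(server, qname="www.example.net.", port=53, timeout=3.0):
    """Live check: send the query over UDP from outside the allowed networks and classify."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for name, packet in (("open resolver", OPEN_RESOLVER_REPLY),
                         ("allow-recursion restricted", RESTRICTED_REPLY),
                         ("authoritative-only", AUTH_ONLY_REPLY)):
        print("%-28s -> %s" % (name, classify_response(packet)))
    if len(sys.argv) > 1:           # python3 probe.py <server-ip>
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run the live probe from a host that is not in the `allow-recursion` list; running it from inside the list only tells you recursion works for your own clients. A "no-data" verdict on a server that is supposed to be recursive for internal clients is what the separate authoritative-only machine recommended in the thread should look like from the outside.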