Open Source and information security mailing list archives
Date: Wed, 10 Sep 2003 15:00:31 -0700 (PDT)
From: Mike Hoskins <mike@...pt.org>
To: bugtraq@...urityfocus.com
Subject: Re: Permitting recursion can allow spammers to steal name server resources


On Wed, 10 Sep 2003, Dan Harkless wrote:
> On September 9, 2003, Chris Brenton <cbrenton@...isbrenton.org> wrote:
> [...]
> > "DNS Cache Poisoning - The Next Generation" by by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> [...]
> > _Fixing the problem with Bind_
<snip>
> > allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
> As has been pointed out before, this still leaves you potentially open to
> cache poisoning if the attacker can spoof those addresses (and again, the
> attacker will need to be spoofing anyway, if attacking BIND 9).

luckily more providers have begun properly filtering at ingress.  granted,
spoofing is still quite possible from a large percentage of IPv4 space.

> The safest setup is to run authoritative nameservers on separate machines
> (or at least IPs) from caching recursive servers, as discussed, e.g. here:

FWIW, i think this can be derived from Joe's article as well.  also,
anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,

http://www.cymru.com/Documents/secure-bind-template.html

everything discussed here relating to BIND configuration (and more) is
covered there.

i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives...  however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;)  it's also one of the
more frequent things i see reported on mailing lists these days...
particularly thanks to M$.

-mrh

--
From: "Spam Catcher" <spam-catcher@...pt.org>
To: spam-catcher@...pt.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
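As an added example (not from this thread, Joe Stewart's article, or the Secure BIND Template), here is the split setup Dan recommends, written as two BIND 9 named.conf fragments: an authoritative-only server with recursion disabled, and a separate caching resolver that only recurses for the internal address list from the quoted snippet. The zone name, file paths and the 10.0.0.53 listen address are placeholders.

```conf
// --- Authoritative-only server (separate host or at least separate IP) ---
// It answers only for the zones it hosts, so it keeps no cache that could be
// poisoned and cannot be used as an open resolver.
options {
    directory "/var/named";
    recursion no;                  // never resolve on behalf of clients
    allow-query { any; };          // zone data is public, anyone may ask
    allow-transfer { none; };      // list secondaries here, never "any"
};

zone "example.com" {               // placeholder zone
    type master;
    file "example.com.zone";       // placeholder path
};

// --- Caching resolver for internal clients only ---
// The ACL below is the address list from the quoted allow-recursion line.
// Note: this ACL matches on source IP, so a spoofed query from one of these
// ranges still passes; ingress filtering at the network edge is what limits that.
acl "internal" { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };      // placeholder resolver address
    recursion yes;
    allow-recursion { internal; }; // refuse recursion for everyone else
    allow-query { internal; };     // this host serves no public zones
    allow-query-cache { internal; };  // BIND 9.4+: cache contents stay internal
};
```

Because the resolver hosts no authoritative zones, a poisoned entry in its cache cannot be served to the outside world as an authoritative answer.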

