STOCKMANN AUTOMATISERING

tel. +31 (0)76 7370198
fax. +31 (0)76 5714785
email. info@stockit.nl
web. http://www.stockit.nl/





Secure DNS

For DNS (Domain Name Service) on the UNIX/Linux platform, the open source software package BIND from the Internet Systems Consortium has been used since the early days of the Internet. In 1998 ISC.org reported a security bug for the first time, through which a remote intruder could obtain root-level access to a server running BIND 4.8 or 8. This severe bug was fixed, but new problems kept surfacing regularly, until Jon Lasser of SecurityFocus wrote that the complete BIND implementation should really be rewritten "from scratch" or even be scrapped altogether:

"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

His main objection to BIND was that it was vulnerable by default to DNS cache poisoning attacks. I did not and do not agree with that, and wrote him an email:



From stock@stokkie.net Fri Nov 22 07:17:41 2002 +0100
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: "Robert M. Stockmann" 
To: jon@lasser.org
Subject: simple bind 9.2.1 example
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:

Hi,

I just read your article

"Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

Where you state the following :

"
If you're saddled with an old version, take heart. With the latest security
holes, the programs are vulnerable only when acting as recursive name
servers. In brief, this means that the holes only affect servers that can
look up any address on the Internet. Your name servers should not respond to
such requests from external addresses anyway: to do so opens the door to DNS
cache poisoning attacks. Your name servers should respond only to
authoritative requests from outside your network, and allow recursion only
within the network.

Sadly, most BIND configurations will allow recursion from any address --
that's the default configuration of BIND, another situation that the Internet
Software Consortium should resolve.

When the Internet was designed, nobody imagined swarms of thousands of
six-foot-tall jet-black stealth woodpeckers. Today they're here, and it's
time our architects took the woodpeckers into account.
"

Well although I agree with you, here's an example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure :

http://crashrecovery.org/named/

Your conclusion which states transitioning to bind 9 is painful is IMHO
not true, but merely a matter of having accessible documentation with
useful examples.

cheers,

Robert
-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org  stock@stokkie.net


From jon@leapfrog.baltimorons.org Fri Nov 22 15:40:19 2002
Return-Path: 
Delivered-To: stock@stokkie.net
Received: (qmail 4671 invoked from network); 22 Nov 2002 15:40:16 -0000
Received: from leapfrog.baltimorons.org 
 (?fc5qMAgN9hsoYb//m/bihz5waTgrnFjw?@216.181.177.189)
  by stock.xs4all.nl with SMTP; 22 Nov 2002 15:40:16 -0000
Received: (from jon@localhost)
	by leapfrog.baltimorons.org (8.11.6/8.11.6) id gAMFfnN24404
	for stock@stokkie.net; Fri, 22 Nov 2002 10:41:49 -0500
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: "J. Lasser" 
To: "Robert M. Stockmann" 
Subject: Re: simple bind 9.2.1 example
Message-ID: <20021122154148.GA24401@leapfrog.baltimorons.org>
References: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: 
User-Agent: Mutt/1.3.99i
X-AntiVirus: scanned for viruses by AMaViS 0.2.2 (http://amavis.org/)
Status: RO
X-Status:
X-Keywords:

In the wise words of Robert M. Stockmann:

> Your conclusion which states transitioning to bind 9 is painful is IMHO
> not true, but merely a matter of having accessible documentation with
> useful examples.

It's painful for ISPs, like the one I worked at with 10,000 zone
records. Each of which was broken.

It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.

Thanks for your note --- it's always good to hear from readers!
Jon
--
Jon Lasser
Home: jon@lasser.org		|    Work:jon@cluestickconsulting.com
http://www.tux.org/~lasser/     |    http://www.cluestickconsulting.com
   Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/


The conclusion was that BIND 9.2.1 was a nameserver software product that was laborious to configure. BIND is open source, however, and I had solved the DNS cache poisoning problem very simply in a DNS configuration example: on the public DNS server, recursion for DNS queries is switched off, while on the internal network recursion must in fact be allowed, so that users can browse the Internet.
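The split described above, in named.conf terms, as an added example (this is not the configuration published at crashrecovery.org/named/, and the directory path, the `internal` ACL name, the 192.168.1.0/24 address range and the `example.com` zone are constructed placeholders). The weak setting is the default the article complains about: with `recursion yes` and no `allow-recursion` clause, BIND 9 will recurse for any client on the Internet. The hardened form keeps recursion on, but restricts it to the internal networks, so an external client can only obtain authoritative answers for the zones this server hosts:

```conf
// Weak default (do NOT use on a public server): recursion is on and,
// with no allow-recursion clause, every client on the Internet may use
// this server as a resolver. Shown here for comparison only; a named.conf
// must contain a single options {} block, so pick ONE of the two below.
//
// options {
//     directory "/var/named";      // constructed path
//     recursion yes;
// };

// Hardened form: recursion only for the internal network.
acl "internal" {                     // constructed ACL name and ranges
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/var/named";          // constructed path
    recursion yes;                   // still needed so internal hosts can resolve
    allow-recursion { "internal"; }; // external clients get no recursive service
    allow-query { any; };            // authoritative answers stay public
    // On BIND 9.4 and later, also keep cached answers away from outsiders
    // (not available on 9.2.1; omit the line there):
    // allow-query-cache { "internal"; };
    // For a server that is ONLY authoritative (no internal clients at all),
    // replace the two lines above with:  recursion no;
};

// A zone this server is authoritative for (constructed example).
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { none; };        // zone transfers are not a public service
};
```

Validate the file with `named-checkconf` before reloading. To check the effect, query the server from an address outside the `internal` ACL for a name it is not authoritative for: the reply must not carry the `ra` (recursion available) flag and must not contain the answer; the same query from an internal address should be answered normally.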

Meanwhile the Dutch hosting market has opened up considerably, and even home users can obtain an ADSL connection with a fixed IP address for a modest monthly fee. By bundling a number of ADSL connections one can very simply build a distributed DNS, web and database network over the Internet, under one's own management, with DNS and HTTP as the most important applications.




OS support: RedHat, SuSE, Debian, Mandrake, SCO, Solaris
HW support: Intel, AMD, Sun, IBM
Network: Cisco, 3COM, Nortel