On Wed, 10 Sep 2003, Dan Harkless wrote:

> On September 9, 2003, Chris Brenton <cbrenton@chrisbrenton.org> wrote:
> [...]
> > "DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> [...]
> > _Fixing the problem with Bind_
<snip>
> > allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
> As has been pointed out before, this still leaves you potentially open to
> cache poisoning if the attacker can spoof those addresses (and again, the
> attacker will need to be spoofing anyway, if attacking BIND 9).

luckily more providers have begun properly filtering at ingress. granted,
spoofing is still quite possible from a large percentage of IPv4 space.

> The safest setup is to run authoritative nameservers on separate machines
> (or at least IPs) from caching recursive servers, as discussed, e.g. here:

FWIW, i think this can be derived from Joe's article as well.

also, anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,
http://www.cymru.com/Documents/secure-bind-template.html

everything discussed here relating to BIND configuration (and more) is
covered there.

i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives... however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;)

it's also one of the more frequent things i see reported on mailing lists
these days... particularly thanks to M$.

-mrh
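The split described in the thread (authoritative service and recursive caching on separate hosts, with recursion restricted by an ACL) as an added example; this is not configuration from the thread, from Joe Stewart's article or from Rob Thomas' template. The zone name, ACL name, file paths and addresses are illustrative placeholders, and the two `named.conf` fragments are meant for two different hosts (or at least two separate listening IPs), not for one file.

```conf
// Added example, not from the thread. Zone, ACL name, paths and addresses
// are placeholders. Two separate named.conf files follow.

// ===== Weak (what the thread warns about): one server does both jobs =====
// options {
//     recursion yes;            // recurses for anyone who can reach it
//     allow-query { any; };     // no allow-recursion at all
// };
// A poisoned cache on this host is handed straight to public clients,
// and the public zones and the cache share one attack surface.

// ===== Host A: authoritative-only server on the public address =====
options {
    directory "/var/named";
    recursion no;                     // no cache to poison, no "ra" flag
    allow-query { any; };             // the world may ask about our zones
    allow-transfer { none; };         // opened per zone below
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { 192.0.2.53; };   // placeholder: our secondary NS only
};

// ===== Host B: caching resolver reachable only from inside =====
// Note the ';' separators: BIND address lists are not comma-separated.
acl "internal" { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };         // placeholder internal address
    recursion yes;
    allow-query { "internal"; };      // outsiders get REFUSED
    allow-recursion { "internal"; };  // the ACL from the thread
};

zone "." { type hint; file "named.root"; };
```

Host B's ACL still trusts source addresses, so, as Dan points out, it only holds up against spoofed queries to the extent that ingress filtering is in place upstream; what the split buys you is that the authoritative host has no cache to poison and the resolver's cache is never served to the public. To check host A after a reload, run `dig @<host-A> example.com A` and confirm the `flags:` line of the answer carries no `ra`; to check host B, the same query from an address outside the ACL should come back `REFUSED`.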