nate wrote:
> John Hinton wrote:
> > Do I just ask really hard questions or are my questions just not clear?
> > There has to be others on this list that are running nameservers via
> > CentOS. This seems to be a nasty issue that we who are running bind need
> > to get right.
> > And the fix is really stupid for those running name servers behind firewalls.
>
> I can't say I'm an expert on this particular issue, but from what I've
> read it seems like the attack depends on being able to send queries to
> the name server in question in order to predict the IDs that the system
> is generating.
>
> The way my DNS is set up at home is that I have 2 "external" name servers
> that do not allow recursion for domains that they are not responsible
> for, other than for a couple of trusted IPs (all of which are local). My
> main caching name server is internal to my network and cannot be directly
> queried from the internet. As such I think my exposure is pretty low.
>
> All of my name servers are set up to force their source port to be 53;
> I really, really don't like the idea of opening up tens of thousands of
> ports back to my name servers.
>
> So I suspect your caching name servers are only vulnerable if they
> can be sent queries by the attacker. If your internal network is
> trusted then I think you're fairly safe as long as you don't allow
> access to the caching name servers externally. And of course run
> dedicated name servers for authoritative hosting.
>
> I plan to have a similar setup at my company: the external authoritative
> servers are not behind a firewall (F5 Global Traffic Managers), the
> internal ones are not accessible outside the network. DNS cache
> poisoning is the least of my worries if an attacker has access to the
> internal network.
>
> nate
I'm running caching nameservers on almost all of my systems and then
also three nameservers. All are available publicly. I too had hard-coded
bind to port 53. I also had specifically opened port 53 through the
firewall. But now, it appears that using only port 53 is a bad thing.
From what I read, both the port and the ID need to change to be secure
(even this is just security through obscurity). It's sounding like I'll
need to open a port range, but I don't know what a 'good practice' will be.

I read through the Red Hat notes, googled and read all over the place.
All I seem to find is to remove the named.conf line that forces bind
through port 53, and then statements like 'your firewall will need to be
adjusted accordingly', with no good suggestions for how to do this.

So, I'm faced with turning off the firewall to show good external
testing on bind... sort of like unlocking every window and door to a
house in order to try to keep someone from trying to open just one.

John Hinton
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
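For the "your firewall will need to be adjusted accordingly" step John asks about above, an added example (not from the thread, and not BIND's or CentOS's own code): a POSIX shell script that spots a named.conf pinning the query source port, and prints stateful iptables rules for a caching resolver so that replies to randomised-port queries are admitted by connection tracking instead of by opening an inbound port range. The resolver address 192.0.2.53 and the named.conf fragments are constructed; it assumes iptables with the conntrack state match, and note that the fix only changes the source port of named's outgoing queries, so the inbound port 53 you already allow for the listening side is unaffected.

```shell
#!/bin/sh
# Added example; not from the thread, BIND or CentOS. Assumes BIND 9 named.conf
# syntax and iptables with the conntrack "state" match on the resolver host.

# Constructed named.conf fragments. The first pins the outgoing query port to
# 53, which leaves only the 16-bit transaction ID protecting each query.
WEAK_CONF='options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
};'

# Corrected form: no fixed port, so named picks a random source port per query.
FIXED_CONF='options {
    directory "/var/named";
    query-source address *;
};'

# Exit 0 if the config on stdin pins the query source port to a number.
# "port *" and commented-out lines are not flagged.
has_fixed_query_port() {
    grep -Eq '^[[:space:]]*query-source(-v6)?[[:space:]]+.*port[[:space:]]+[0-9]+'
}

# Print iptables rules for the caching resolver at address $1.
# Queries may leave from any local port; replies are accepted only when
# conntrack has already seen the matching outbound query, so no inbound
# port range is opened. The listening side (inbound dport 53) is unchanged
# by the fix and is not covered here.
resolver_fw_rules() {
    cat <<EOF
iptables -A OUTPUT -s $1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s $1 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -d $1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -d $1 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Caveat: UDP conntrack entries expire after about 30 s, and a busy resolver
# can fill the table; raise net.netfilter.nf_conntrack_max (ip_conntrack_max
# on older kernels) and watch for "table full" messages in the kernel log.

if printf '%s\n' "$WEAK_CONF" | has_fixed_query_port; then
    echo "weak: query source port is pinned; remove 'port 53' and restart named"
fi
if ! printf '%s\n' "$FIXED_CONF" | has_fixed_query_port; then
    echo "ok: query source port is left to named"
fi
resolver_fw_rules 192.0.2.53
```

The INPUT rules must sit before any DROP or REJECT rule in the chain, or the replies never reach them.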