[conspire] DNS vulnerability details
Rick Moen
rick at linuxmafia.com
Mon Jul 28 00:39:09 PDT 2008
Quoting Ruben Safir (ruben at mrbrklyn.com):
> so I'm going to remove the old SuSE name server and install from the
> bind site the latest Beta code.
Hmm, in general, you should go to upstream tarballs only as a last
resort. It's difficult to believe that there are no proper distro
packages for the recent BIND9 P1 updates on non-EoLed releases of SUSE
or any other Linux distro. So, why go to upstream if you don't have to?
There are disadvantages (http://linuxgazette.net/118/weatherwax.html#1).
If on the other hand there are _not_ timely security updates for a given
distro, then I'd suggest moving away from that distro.
> How much tinkering will I need to
> do with my named.conf file or the DNS records?
DNS records: None at all. If you follow what a caching
recursive-resolver nameserver is, the reason will be apparent: That's a
nameserver that is not itself purporting to be authoritative for any
domain. It knows about DNS reference records (RRs) only what it queries
from _other_ nameservers that are in the chain of authority for those
domains.
named.conf file: _Should_ be none at all. Be aware that, on many well
architected distros (**cough Debian cough**), the admin should never
need to touch the named.conf file itself, in any event: On such
distros, any site-specific options should be entered into a separate
file such as named.conf.options (which then is #include'd from
named.conf). Authoritative data if any, i.e., location of zonefiles,
typically goes into a separate #include file, such as named.conf.local.
Please see one of my earlier posts for suggestions about what should and
should not go into BIND9 options. To recap:
1. You want to carefully avoid requiring BIND9 to originate queries from
   a fixed port (e.g., 53), which fixed-port requirement can be done with
   a "query-source" line.
2. You want to limit which IPs can send your nameserver recursive
   queries, using an "allow-recursion" stanza -- which is probably there
   by default. When in doubt, allow only 127.0.0.1 -- the loopback IP --
   to send the nameserver recursive queries.
Those _should_ already be set correctly by default; the above
explanation is just in case, and for your general knowledge.
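As an added example (not part of Rick's post or of the BIND distribution), here is a small POSIX shell audit that checks a BIND9 options file for the two settings recapped above: a "query-source" line that pins the outgoing port, and the absence of an "allow-recursion" stanza. The two sample files are constructed for the demonstration and written to temporary paths; the comment stripping is a heuristic (it removes everything after "//" or "#" on a line, so a URL inside a quoted string would be mangled), and the check does not parse the full named.conf grammar.

```shell
#!/bin/sh
# Heuristic audit of a BIND9 options file for the two settings discussed above.
# Constructed example for illustration; file paths and contents are assumptions.

# Remove // and # comments so that commented-out lines do not trigger matches.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1"
}

# True when a query-source (or query-source-v6) statement pins a numeric port.
# "port *" (random port) is fine and does not match.
has_fixed_query_port() {
    strip_comments "$1" |
        grep -Eiq 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+'
}

# True when an allow-recursion stanza is present at all.
has_allow_recursion() {
    strip_comments "$1" |
        grep -Eiq 'allow-recursion[[:space:]]*\{'
}

# Print a warning per finding; exit status 0 means no findings.
audit_named_conf() {
    rc=0
    if has_fixed_query_port "$1"; then
        echo "WARN: $1 pins the query source port; drop 'port N' from query-source" >&2
        rc=1
    fi
    if ! has_allow_recursion "$1"; then
        echo "WARN: $1 has no allow-recursion stanza; add allow-recursion { 127.0.0.1; };" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the weak settings a recursive resolver should not have.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
options {
    directory "/var/cache/bind";
    query-source address * port 53;   // fixed source port: defeats port randomization
    // no allow-recursion stanza: anyone can use this as an open resolver
};
EOF

# Constructed sample: the corrected settings.
HARDENED=$(mktemp)
cat >"$HARDENED" <<'EOF'
options {
    directory "/var/cache/bind";
    // no query-source port pin: named chooses a random source port per query
    allow-recursion { 127.0.0.1; };   // only the loopback IP may recurse
};
EOF

audit_named_conf "$WEAK" || echo "weak sample: problems found (as expected)"
audit_named_conf "$HARDENED" && echo "hardened sample: no findings"
```

To use it on a real system, call audit_named_conf on the file your distro includes from named.conf (for example /etc/bind/named.conf.options on Debian); the temporary sample files are left in place so the functions can be re-run against them.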