[conspire] Internet Privacy: today's vote and measures to take

Rick Moen rick at linuxmafia.com
Mon Apr 3 13:32:22 PDT 2017


I wasn't going to get into this bit as it was a digression from the
upthread discussion, but I might as well cover it:

> My own preference for a better recursive-only package is Unbound, and my
> preference for an authoritative-only package is NSD.  To run both (as each
> wants to bind to port 53), I'll need to rearchitect just a little.

Having both recursive DNS and authoritative DNS served from the same
daemon on the same IP address is a kind-of lazy habit people get into by
default because BIND9 is capable of doing both.  You adjust the ACLs 
so that BIND9 accepts recursive queries only from _inside_ (trusted,
your) IP addresses, while leaving the ACLs for authoritative DNS open to
the public at large.  The thing is, though, this has always been a bad
idea.

Recursive nameservice is subject to cache-poisoning attacks, and is very
security-sensitive to a much greater degree than is that authoritative
DNS that you are (or I should say may be) serving to the public.  So,
you really want your recursive DNS to be on an isolated, protected
machine inside your security perimeter.  The authoritative DNS needs to
be outward-facing.  So, really, the best solution is to operate an
inside host running a recursive-only daemon (like Unbound), and a
separate authoritative-only daemon (like NSD) on a bastion host.

I am temporarily unable to do that for lack of a really reliable inside
services machine on my inside network.  I really ought to fix this lack
by finding or bodging together a silent, low-power host like (say) an
Intel NUC.  But I don't have one today.

Lacking that, I'm likely to have both Unbound and NSD on an
outside-network host with Unbound ACLed down to respond only to inside
IPs.  Both want to bind to port 53.  One way to have both running on a
single host is ip-aliasing, i.e., chew up another IP address to provide
an extra IP for Unbound to use, separate from the outside IP NSD uses.
Or, if your bastion host is dual-homed, bind Unbound to only the
inward-facing IP and NSD to only the outside one.  (But my bastion host
isn't dual-homed in the current layout.)

Or, and this really is bodging things and not a really clean solution,
use dnsproxy.
http://linuxmafia.com/faq/Network_Other/dns-servers.html#dnsproxy

  dnsproxy is a proxy daemon that answers 53/tcp & 53/udp DNS
  queries, and forwards the recursive and authoritative queries separately
  so a pair of specialised daemons (e.g., NSD and Unbound, or tinydns and
  dnscache) can handle each, but still only use a single public-facing IP
  address. The two daemons accepting the forwards may be local or they
  might be elsewhere (as in a firewall situation). Requires libevent. Runs
  chrooted and unprivileged.
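The ip-aliasing layout described above, as an added example (not from the post or from either project): two addresses on one NIC, NSD bound only to the public one, Unbound bound only to the alias and ACLed down to inside IPs. All addresses and the zone name are constructed placeholders.

```conf
# Added example, not from the post. One bastion host with two addresses on
# a single NIC (ip-aliasing). Constructed values:
#   203.0.113.10   public address, used only by NSD (authoritative)
#   203.0.113.11   alias address, used only by Unbound (recursive)
#   192.168.1.0/24 the trusted inside network

# ---- /etc/unbound/unbound.conf (recursive-only) ----
server:
    # Bind only the alias; nothing answers recursion on the public IP.
    interface: 203.0.113.11
    port: 53
    # Recursive queries are accepted only from inside hosts; any other
    # source is refused, so the cache is not exposed to the public.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Hardening options that reduce cache-poisoning exposure.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    username: "unbound"

# ---- /etc/nsd/nsd.conf (authoritative-only) ----
server:
    # Bind only the public address; NSD never listens on the alias.
    ip-address: 203.0.113.10
    port: 53
    hide-version: yes
    username: nsd

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # Zone transfers only to the named secondary, not to the world.
    provide-xfr: 203.0.113.20 NOKEY
```

Because neither daemon binds to 0.0.0.0, `ss -lnup 'sport = :53'` on the host should list each address exactly once, each owned by its own daemon; if either shows a wildcard bind, the two will still collide on port 53.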
