Firewall Wizards mailing list archives
Re: DNS on the Firewall - security problem
From: Adam Shostack <adam () homeport org>
Date: Sun, 12 Oct 1997 01:41:38 -0400 (EDT)
Alfred is absolutely right. I forgot how little what I first wrote references this; I've added a paragraph to make it more clear that this is not a real fix, but a temporary hack.

I'm working on a paper on the topic of DNS, and working on some kernel hacks to allow a special user or group (other than root) to bind to low-numbered ports. Another way to deal with the problem is to use a packet filter that does port translation so that the DNS server can live on a high-numbered port (e.g., 5353) and still appear to be on port 53. Both of these allow you to run the DNS server as an unprivileged user in a chroot jail.

Sorry, the kernel kludges are not available.

Adam

Alfred Huger wrote:
|
| > there is no egg* to overflow and break a chroot. Thus, if you don't
| > put CHROOT/bin/sh in place, the standard attacks will fail, but a
| > smart attacker can still get in. In practicality, there are few smart
| > attackers.
| >
|
| It only takes *one* smart attacker with a subscription to Bugtraq and a
| predilection to share his or her work. The l0pht (which you referenced) is
| a perfect example of this.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
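The two deployment options Adam describes (a server that binds port 53 as root and then chroots and drops to an unprivileged account, versus a server that never needs root because it listens on a high port such as 5353 and the packet filter translates 53 to it) can be shown side by side in a small script. The following is an added example, not code from this thread or from any DNS server: the real resolver is replaced by a stand-in that answers every query with RCODE 5 (REFUSED), the packet-filter redirect is assumed to be configured outside the script, and the account name and jail path passed to `drop_privileges` are hypothetical.

```python
import os
import pwd
import socket
import struct

# Ports below 1024 are "privileged": on classic Unix only root may bind them.
# This is the constraint both approaches in the message work around.
PRIVILEGED_PORT_MAX = 1023


def needs_root(port: int) -> bool:
    """True if binding `port` requires root (or an equivalent capability)."""
    return port <= PRIVILEGED_PORT_MAX


def open_udp_listener(host: str, port: int) -> socket.socket:
    """Bind a UDP socket. With the port-translation approach this is a high
    port (e.g. 5353) and needs no privilege; with the bind-then-drop approach
    it is port 53 and must happen *before* drop_privileges()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def drop_privileges(user: str, jail: str) -> None:
    """chroot into `jail`, then switch to an unprivileged uid/gid.
    Order matters: chroot (needs root) -> clear supplementary groups ->
    setgid -> setuid last, then verify the drop took by trying to regain root.
    `user` and `jail` are whatever the operator configured (hypothetical here)."""
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0 or pw.pw_gid == 0:  # refuse to "drop" to root or group 0
        raise ValueError(f"{user!r} is not an unprivileged account")
    if os.geteuid() != 0:
        raise RuntimeError("must start as root to chroot and change uid")
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)  # must fail; if it succeeds the drop did not take
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: uid 0 is still reachable")


def refused_reply(query: bytes) -> bytes:
    """Stand-in for the real resolver: echo the query ID and question section,
    set QR=1 and RCODE=5 (REFUSED), and zero the answer/authority/additional counts."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    # keep opcode (bits 11-14) and RD (bit 8); set QR and RCODE=REFUSED
    reply_flags = (flags & 0x7900) | 0x8000 | 0x0005
    header = struct.pack("!HHHHHH", qid, reply_flags, qdcount, 0, 0, 0)
    return header + query[12:]


def serve_one(sock: socket.socket) -> bytes:
    """Receive one datagram, answer it, and return the bytes that were sent."""
    data, peer = sock.recvfrom(512)
    reply = refused_reply(data)
    sock.sendto(reply, peer)
    return reply


if __name__ == "__main__":
    # Unprivileged start: listen on 5353 and rely on the packet filter to
    # translate port 53 -> 5353. The redirect itself lives outside this script.
    listener = open_udp_listener("0.0.0.0", 5353)
    while True:
        serve_one(listener)
```

The port-translation half of this is a single NAT rule on a Linux packet filter, e.g. `iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5353`, with connection tracking reversing the translation on the replies. The "kernel hacks" Adam was working on have since become standard on Linux: the `CAP_NET_BIND_SERVICE` capability, and the `net.ipv4.ip_unprivileged_port_start` sysctl, both let a non-root process bind port 53 directly, which removes the need to ever start as root.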
Current thread:
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 10)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Darren Reed (Oct 12)
- Re: DNS on the Firewall - security problem Perry E. Metzger (Oct 12)
- Re: DNS on the Firewall - security problem Aleph One (Oct 12)
- Re: DNS on the Firewall - security problem Gaddy Gumbao (Oct 13)
- Message not available
- Re: DNS on the Firewall - security problem Bernd Eckenfels (Oct 19)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)