Firewall Wizards mailing list archives

Re: DNS on the Firewall - security problem


From: Adam Shostack <adam () homeport org>
Date: Sun, 12 Oct 1997 01:41:38 -0400 (EDT)

Alfred is absolutely right.  I forgot how little what I first wrote
references this; I've added a paragraph to make more clear that this
is not a real fix, but a temporary hack.

I'm working on a paper on the topic of DNS, and working on some kernel
hacks to allow a special user or group (other than root) to bind to
low numbered ports.  Another way to deal with the problem is to use a
packet filter that does port translation so that the DNS server can
live on a high numbered port (eg, 5353), and still appear to be on
port 53.  Both these allow you to run the DNS server as an unprivileged
user in a chroot jail.

Sorry, the kernel kludges are not available.

Adam


Alfred Huger wrote:
| 
| > there is no egg* to overflow and break a chroot.  Thus, if you don't
| > put CHROOT/bin/sh in place, the standard attacks will fail, but a
| > smart attacker can still get in.  In practicality, there are few smart
| > attackers.
| > 
| 
| It only takes *one* smart attacker with a subscription to Bugtraq and a
| predilection to share his or her work. The l0pht (which you referenced) is
| a perfect example of this.  



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
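
[Added example, not part of Adam's message or any code he refers to.]
The point above is that the daemon should never hold root: if the packet
filter translates port 53 to a high port (on a modern Linux box, for
instance, iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
--to-ports 5353, and the same for tcp), the server can be started as an
ordinary user and still live in a chroot jail.  The script below is the
server side of that arrangement.  Assumptions (all mine, not from the post):
the translated port is 5353, the unprivileged account is uid/gid 65534
("nobody"), and the jail is an empty, root-owned /var/empty.  The DNS
handling is deliberately minimal (it echoes the header with QR set and
RCODE=REFUSED); it is there to show traffic reaching the jailed, unprivileged
process, not to resolve names.

```python
import os
import socket
import struct

# Assumed values (not from the original post): the high port the packet
# filter redirects 53 to, the unprivileged account, and an empty jail dir.
LISTEN_PORT = 5353
UNPRIV_UID = 65534
UNPRIV_GID = 65534
JAIL_DIR = "/var/empty"


def bind_high_port(host="127.0.0.1", port=LISTEN_PORT):
    """Bind the listening socket.  Ports >= 1024 need no privilege, so this
    works even if the process was never root (port=0 picks a free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(2)
    return sock


def drop_privileges(jail=JAIL_DIR, uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Enter the jail and shed root.  Order matters: chroot() needs root, so
    it comes first; supplementary groups and gid before uid, because after
    setuid() nothing privileged is possible any more.  Returns True if root
    was dropped, False if the process was already unprivileged."""
    if os.geteuid() != 0:
        return False
    os.chroot(jail)
    os.chdir("/")          # otherwise the cwd is still outside the jail
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return True


def status():
    """Report whether we are root and whether root could be regained.
    A correct drop leaves both False; a botched one leaves regainable True."""
    root = os.geteuid() == 0
    if root:
        return {"root": True, "regainable": True}
    try:
        os.setuid(0)
        regainable = True
    except PermissionError:
        regainable = False
    return {"root": False, "regainable": regainable}


def answer_query(packet):
    """Minimal reply: same ID, QR=1, RCODE=5 (REFUSED), question echoed, no
    records.  A real server would resolve the question here."""
    if len(packet) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    flags = (flags & 0x7900) | 0x8000 | 0x0005   # keep opcode and RD bits
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + packet[12:]


def serve_one(sock):
    """Handle a single datagram; a real daemon loops on this after dropping
    privileges, so any overflow in the parser runs as 'nobody' in the jail."""
    data, peer = sock.recvfrom(512)
    reply = answer_query(data)
    if reply is not None:
        sock.sendto(reply, peer)
    return reply


def roundtrip(port=0):
    """Send one constructed query through the bound socket and return
    (query, reply) to show the high-port listener answering."""
    server = bind_high_port(port=port)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    # Constructed query: ID 0x1234, RD set, one question: example. IN A
    query = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x00" + struct.pack("!2H", 1, 1))
    client.sendto(query, server.getsockname())
    serve_one(server)
    reply, _ = client.recvfrom(512)
    client.close()
    server.close()
    return query, reply


if __name__ == "__main__":
    sock = bind_high_port()          # no privilege needed for 5353
    dropped = drop_privileges()      # no-op if started unprivileged
    print("dropped root:", dropped, "status:", status())
    while True:
        serve_one(sock)
```

Two notes for anyone adapting this.  First, the kernel change Adam describes
(letting a non-root identity bind low ports) exists today on Linux as the
CAP_NET_BIND_SERVICE capability (setcap cap_net_bind_service=+ep on the
binary) and as the net.ipv4.ip_unprivileged_port_start sysctl; with either,
the same script can bind 53 directly and skip the packet-filter translation.
Second, the status() check is what catches the usual mistake of calling
setuid() before setgid(), or forgetting setgroups(): if root is regainable,
the jail is decoration.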