Firewall Wizards mailing list archives
RE: Does blocking TCP DNS packets keep your Bind safe?
From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Thu, 15 Mar 2001 18:37:33 -0500
Ladies and Gentlemen:

ISC has *not* "proven that they are incapable of secure coding". BIND 8.latest and *all* versions of BIND prior to BIND 9 are a conglomeration of contributed code which just kept adding problems onto an original graduate student weekend hack. I respect Paul Vixie and the folks who have kept BIND going up to this point a *lot*, but the bottom line is that the code has...issues. Most of the recent BIND vulnerabilities have been related to the proof-of-concept DNSSEC code that was added into BIND 8, which perhaps didn't get enough review before its inclusion.

The fix, however, is in general *not* to run djb's latest DNS server which implements only those standards which he personally believes in, any more than sendmail was made obsolete by qmail. qmail is a great solution for a lot of people, but I personally use postfix or postfix-tls on all of our systems...because djb makes decisions based on his knowledge and experience which are *not* correct in my environment. postfix on the other hand allows me to migrate from sendmail to something which is flexible yet supports certain essential security functions, and for which I have much higher confidence in the codebase (with due respect to Eric Allman and the sendmail crew).

So what's the fix for DNS? Run BIND 9. The only reason it's still called BIND is because the organizations that funded the development had agreed to fund "the next version of BIND"...but BIND 9 is a complete rewrite from scratch to match the existing RFCs and APIs...including programming by contract, regression testing, and good software engineering. I'm sure that there will be issues and bugs with BIND 9 as there are with any large and capable piece of software, but tarring BIND 9 with the "BIND is insecure" brush is unfair and implies that people haven't done their homework.

Meanwhile, djbdns or whatever it's called today doesn't support DNSSEC and doesn't look likely to...and I don't agree with djb's opinion that DNSSEC is pointless. I will therefore continue to test and field BIND 9. And yes, we're going to field it chroot'd and running as a non-root user.

Rip Loomis                                    Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com
-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Tuesday, March 13, 2001 4:57 PM
To: todd () unm edu
Cc: ben.nagy () marconi com au; firewall-wizards () nfr net
Subject: Re: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?

In some email I received from Todd, sie wrote:
> ben, all,
>
> i have to agree with this sentiment. because of the well-known "inbound traffic problem" that i believe marcus identified and certainly has described most adequately, it is necessary to allow some traffic in through a firewall, if we want to offer any network-based services. that traffic should be directed to a secure service running on a well-administered machine.
>
> dns is certainly one of the services we want to offer. since the ISC have proven that they are incapable of secure coding, we should look at alternatives. thankfully, there is one: djbdns from dan bernstein is secure, extremely fast, and easy to set up and administer. i'd encourage anyone who cares about security and understands the inbound traffic problem to seriously consider it.

I think you're taking too hard a line on the ISC there. BIND is written in C and for better or worse, C is *HARD* to program in a secure and safe manner, especially when you have an application as large and complex as BIND is. The only way to run applications, such as BIND, is as non-root and in a chroot'd environment. BIND makes it rather easy to do this.

Maybe sendmail and BIND need to be rewritten in java? ;)

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards