Re: BIND Nuking

[robert () cyrus watson org (Robert Watson)]

On Mon, 28 Jul 1997, Steinar Haug wrote:

> > zone "my.net"
> > {
> >  type master;
> >  file "my.net.zon";
> >  allow-update { 1.2.3.4; 127.0.0.1; };
> > };
>
> Why don't you try it out?
>
> The answer: If the update comes from a host not on the access list, it
> will be rejected, and the attempt will be logged, like this:
>
> Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no
>
> Putting 127.0.0.1 in such an access list is probably not a good idea,
> for what should be obvious reasons.

However, you need to make sure you have a packet filter in place on your
router/firewall, or people can spoof update packets.  This presents some
interesting and wonderful security issues concerning any hosts on the
inside of your security perimeter.  Until the bug is fixed, update should
definitely be disabled from any host.

> > If the answer is Yes, this could be very dangerous, every BIND 8.1.x
> > compiled with ALLOW_UPDATES will be vulnerable, even if you don't have
> > access to modify zones.
>
> The answer is no. Also, by default, no updates are allowed. It's only
> if "allow-update" *and* a suitable access list is included in the named
> configuration file that you'll be able to trigger this bug - and then
> only from the host(s) mentioned in the access list.
>
> It's still a bug, and needs to be fixed. But there's no reason to be
> overly worried - of the sites running bind 8 I'd guess that only a very
> small fraction have configured named to accept updates.

As concluded above, an adequate ACL may not be adequate without a good
packet filter and security policy.  :)


  Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert () fledge watson org   rwatson () tis com  http://www.watson.org/~robert/