Bugtraq mailing list archives
Re: Permitting recursion can allow spammers to steal name server resources
From: Mike Hoskins <mike () adept org>
Date: Wed, 10 Sep 2003 15:00:31 -0700 (PDT)
On Wed, 10 Sep 2003, Dan Harkless wrote:
> On September 9, 2003, Chris Brenton <cbrenton () chrisbrenton org> wrote:
> > [...]
> > "DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> > [...]
> > _Fixing the problem with Bind_
> > <snip>
> > allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
>
> As has been pointed out before, this still leaves you potentially open to cache poisoning if the attacker can spoof those addresses (and again, the attacker will need to be spoofing anyway, if attacking BIND 9).
luckily more providers have begun properly filtering at ingress. granted, spoofing is still quite possible from a large percentage of IPv4 space.
> The safest setup is to run authoritative nameservers on separate machines (or at least IPs) from caching recursive servers, as discussed, e.g. here:
FWIW, i think this can be derived from Joe's article as well. also, anyone configuring BIND should see Rob Thomas' _Secure BIND Template_, http://www.cymru.com/Documents/secure-bind-template.html ... everything discussed here relating to BIND configuration (and more) is covered there.

i'd also like to point out that the title of this thread is a bit misleading, or at least not 100% accurate wrt the suggestions being given. yes, we can arrive at a relatively secure DNS implementation using BIND or other alternatives... however, even with a secure implementation, h4x0rz can 'steal name server resources'; if you have a resolver (recursive or not) attached to the public Internet, it can be bombarded with queries. that, like many forms of 'legitimate use', is 'steal[ing] ... resources' and can't be easily avoided (only mitigated). ;) it's also one of the more frequent things i see reported on mailing lists these days... particularly thanks to M$.

-mrh

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Do NOT send email to the address listed above or you will be added to a blacklist!
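The two recommendations in this exchange, an `allow-recursion` ACL on the caching server and a separate authoritative instance with recursion turned off, as one worked BIND 9 configuration. This is an added example, not Joe Stewart's, Rob Thomas' or any poster's text: the ACL addresses are the ones quoted above, while the ACL name "trusted", the listen addresses, the zone name and the zone file name are invented for illustration. The two `options` blocks belong to two different named.conf files (one per host, or per instance bound to its own IP); they cannot sit in the same file.

```conf
// ===== File 1: named.conf on the caching (recursive) resolver =====
// ACL name is hypothetical; the prefixes are the ones quoted in the thread.
// Note the separator inside braces is ";", not ",".
acl "trusted" {
    172.16.1.1;
    10.0.0.0/8;
    192.168.1.0/24;
};

options {
    directory "/var/named";

    // Weak setting this thread warns about: recursion for any client
    // that can reach the server (historical BIND behaviour when
    // allow-recursion is left unset):
    //
    //     recursion yes;
    //
    // Hardened: recursion only for the site's own clients, and no
    // answers at all to anyone else, so cached data is never exposed.
    recursion       yes;
    allow-recursion { trusted; };
    allow-query     { trusted; };
    allow-transfer  { none; };

    // Hypothetical internal address; distinct from the authoritative IP.
    listen-on { 10.0.0.53; };
};

// ===== File 2: named.conf on the authoritative server =====
// Separate host or at least a separate IP, as Dan suggests above.
options {
    directory "/var/named";

    // This instance never recurses on anyone's behalf, so it has
    // no cache to poison and no recursion to be abused for amplification.
    recursion      no;
    allow-query    { any; };
    allow-transfer { none; };

    // Hypothetical public address (RFC 5737 documentation range).
    listen-on { 192.0.2.53; };
};

// Hypothetical zone; the file name is an assumption as well.
zone "example.net" {
    type master;
    file "db.example.net";
};
```

Two caveats that follow from the thread itself. First, the ACL is purely address-based, so it inherits the spoofing weakness Dan describes: it limits who can pull the resolver into a lookup, it does not authenticate them, and ingress filtering at the provider is what actually narrows the spoofable address space. Second, none of this stops a query flood against either instance; it only removes the open-recursion case. To verify the resolver after a reload, send a recursive query from an address outside "trusted" and check that it is REFUSED and that the `ra` (recursion available) flag is absent from whatever reply comes back, while a client inside the ACL still gets a normal recursive answer.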