Interesting People mailing list archives
more on China DNS filters and collateral damage
From: Dave Farber <dave () farber net>
Date: Fri, 14 Nov 2003 06:51:12 -0500
Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 14 Nov 2003 22:38:13 +1100
From: Andrew Pam <xanni () glasswings com au>
Subject: Re: [IP] China DNS filters and collateral damage
To: Dave Farber <dave () farber net>

On Fri, Nov 14, 2003 at 06:11:19AM -0500, Dave Farber wrote:
> Many of these university DNS servers are the same ones used for
> recursive queries by the university's client hosts.

While this is the default for the widely deployed BIND nameserver, it is a poor security practice. My professional advice to the system administrators would be to run resolving DNS servers on different hosts than their authoritative nameservers, which would not only alleviate the symptoms described but also reduce the vulnerability of the authoritative nameservers from exposure to the systems authorised to use them as resolvers. (For example, DoS and cache poisoning attacks.)

Furthermore, this may eliminate the requirement to connect the authoritative nameservers to the internal network at all, thus also reducing the risk of exposure to external attacks against the nameservers - as indeed resulted in security breaches at many sites some years ago.

Regards,
Andrew Pam
--
mailto:xanni () xanadu net
Andrew Pam
http://www.xanadu.com.au/ Chief Scientist, Xanadu
http://www.glasswings.com.au/ Technology Manager, Glass Wings
http://www.sericyb.com.au/ Manager, Serious Cybernetics
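An added example, not part of the original message: one way to check from a given vantage point whether a nameserver combines the authoritative and resolving roles that the message recommends separating, by reading the AA and RA bits in the header of its reply to a query with RD set. The function names and sample replies are constructed for illustration, and the AA result is only meaningful when the queried name lies in a zone the server is authoritative for.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Build an A/IN query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Classify a server's role from the header of its reply to an RD=1 query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a DNS response")
    if flags & AA and flags & RA:
        return "mixed"            # authoritative and recursing for this client
    if flags & AA:
        return "authoritative-only"
    if flags & RA:
        return "resolver"
    return "no-service"           # neither authoritative nor recursing for us

def probe(server, zone, timeout=3.0):
    """Send one query for `zone` to `server` over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return classify(s.recvfrom(512)[0])

def sample(flags):
    """Constructed 12-byte response header carrying the given flags."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

SAMPLES = {  # constructed replies, not captured traffic
    "shared host": sample(QR | AA | RD | RA),
    "split authoritative": sample(QR | AA | RD),
    "split resolver": sample(QR | RD | RA),
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(f"{label}: {classify(resp)}")
```

Running probe() against your own authoritative server from an outside host, with one of its own zones as the name, should return "authoritative-only" once the roles are split.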