more on China DNS filters and collateral damage

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 14 Nov 2003 22:38:13 +1100
From: Andrew Pam <xanni () glasswings com au>
Subject: Re: [IP] China DNS filters and collateral damage
To: Dave Farber <dave () farber net>

On Fri, Nov 14, 2003 at 06:11:19AM -0500, Dave Farber wrote:
> Many of these university DNS servers are the same ones used for
> recursive queries by the university's client hosts.

While this is the default for the widely deployed BIND nameserver,
it is a poor security practice.  My professional advice to the system
administrators would be to run resolving DNS servers on different
hosts than their authoritative nameservers, which would not only
alleviate the symptoms described but also reduce the vulnerability of
the authoritative nameservers from exposure to the systems authorised
to use them as resolvers.  (For example, DoS and cache poisoning
attacks.)  Furthermore, this may eliminate the requirement to connect
the authoritative nameservers to the internal network at all, thus also
reducing the risk of exposure to external attacks against the nameservers
- as indeed resulted in security breaches at many sites some years ago.

Regards,
        Andrew Pam
--
mailto:xanni () xanadu net                         Andrew Pam
http://www.xanadu.com.au/                       Chief Scientist, Xanadu
http://www.glasswings.com.au/                   Technology Manager, Glass Wings
http://www.sericyb.com.au/                      Manager, Serious Cybernetics 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/