On 31-Jul-01 Stefan Eissing wrote:

> Since there are some real experts here and BIND is currently a topic, I have a question relating to my setup:
> I have a firewall/router with two interfaces (well, more router than firewall actually). The internal network runs on a 192.168.x.x network.
> The BIND daemon only listens on the internal interface, serving some internal zones, and forwards all external lookups to a range of known servers.

Is this a pure forwarder (forward-only slave)? If so, it slightly increases security but may be a problem if all of your forwarders are not reachable. But that should not happen too frequently.

> It seems to me that my BIND is therefore unreachable for outside queries and that I do not have a security issue with it.

That depends ;) If you have any self-constructed packet filters in place (ipchains, etc.) you should take a look at your dns-fw configuration and make sure that you only allow udp/tcp communication between your net and your forwarders' IPs. I've seen a couple of packet filter scripts which allow any packets if they come from port 53/TCP (e.g. for zone transfers or TCP answers to queries if UDP doesn't work). That way, you'd have a trust relationship with your forwarding DNS servers which could be exploited with a little nifty spoofing.

> On the other hand, that sounds too good to be true. So, if I'm wrong I'd be glad for any helpful comments on what I have missed and where possible security holes in this setup (BIND related) are.

If we dig a little more into the topic we could come up with some cache-poisoning issues. If somebody in your networking neighborhood were to set up a DNS/ARP redirection, he/she could then inject false responses to your queries into the cache of your DNS, because the queries from your (internal) DNS to the (external) forwarders get masqueraded at the gateway/router and the replies are permitted to flow back to the sender. However, this is a more general issue concerning any nameserver and is not a problem specially related to internal forwarding named instances. For more info, take a look at http://moon-lite.com/docs/DNS.html .

> best regards, Stefan

Jo,
---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---
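The packet-filter mistake Boris describes (accepting anything that merely comes from source port 53) next to the tighter policy he recommends (replies only from the configured forwarders into the internal net), as an added model in Python that is not part of this thread; the forwarder and client addresses are constructed placeholders, and the check is assumed to run on the already de-masqueraded packet, i.e. after the gateway has rewritten the destination back to the internal host.

```python
"""Constructed model of two packet-filter policies for a forward-only resolver."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

INTERNAL_NET = IPv4Network("192.168.0.0/16")
# Constructed placeholders for the "range of known servers" the resolver forwards to.
FORWARDERS = {ip_address("198.51.100.10"), ip_address("198.51.100.11")}


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: IPv4Address
    sport: int
    dst: IPv4Address    # assumed already de-masqueraded (internal address)
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new inbound connection attempt


def loose_accept(pkt: Packet) -> bool:
    """The rule seen in some filter scripts: let in anything from port 53.
    Any host can set its source port to 53, so this trusts the whole Internet."""
    return pkt.proto in ("udp", "tcp") and pkt.sport == 53


def strict_accept(pkt: Packet) -> bool:
    """Accept DNS replies only from a configured forwarder to the internal net,
    and never an inbound TCP connection setup (the ipchains '! -y' idea)."""
    if pkt.proto not in ("udp", "tcp"):
        return False
    if pkt.src not in FORWARDERS or pkt.sport != 53:
        return False
    if pkt.dst not in INTERNAL_NET:
        return False
    if pkt.proto == "tcp" and pkt.syn:
        return False
    return True


def compare(pkt: Packet) -> dict:
    """Return the verdict of both policies for one packet."""
    return {"loose": loose_accept(pkt), "strict": strict_accept(pkt)}


# Constructed sample traffic: a genuine reply and a spoofed packet from port 53.
LEGIT_REPLY = Packet("udp", ip_address("198.51.100.10"), 53,
                     ip_address("192.168.1.1"), 1053)
SPOOFED_FROM_53 = Packet("tcp", ip_address("203.0.113.7"), 53,
                         ip_address("192.168.1.1"), 23, syn=True)
```

Running compare() on the two samples shows the loose rule admitting the spoofed connection attempt that the strict rule drops, while both admit the genuine forwarder reply.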