Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] DNS/Bind setup
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Tue, 31 Jul 2001 11:25:27 +0200 (MEST)
  • Message-id: <XFMail.010731112527.bolo@xxxxxxx>

On 31-Jul-01 Stefan Eissing wrote:
> Since there are some real experts here and BIND is
> currently a topic, I have a question relating my setup:
>
> I have a firewall/router with two interfaces (well more
> router than firewall actually). Internal network runs
> on a 192.168.x.x network.
>
> The BIND daemon only listens on the internal interface,
> serving some internal zones and forwards all external
> lookups to a range of known servers.

Is this a pure forwarder (forward-only slave)? If so, it slightly increases
security but may be a problem if all of your forwarders are not reachable. But
that should not happen too frequently.

> It seems to me that my BIND is therefore unreachable for
> outside queries and that I do not have a security issue
> with it.

That depends ;) If you have any self-constructed packet filters in place
(ipchains, etc.) you should take a look at your dns-fw configuration and make
sure that you only allow udp/tcp communication between your net and your
forwarder's IPs. I've seen a couple of packet filter scripts which allow any
packets if they come from port 53/TCP (e.g. for zone transfers or tcp-answers
of queries if udp doesn't work). That way, you'd have a trust-relationship with
your forwarding dns servers which could be exploited with a little nifty
spoofing.

> On the other hand, that sounds to good to be true. So, if
> I'm wrong I'd be glad for any helpful comments on what
> I have missed and where possible security holes in this
> setup (BIND related) are.

If we dig a little more into the topic we could come up with some
cache-poisoning issues. If somebody in your networking neighborhood would set
up a dns/arp redirection, he/she could then inject false responses to your
queries into the cache of your dns, because the queries from your (internal)
dns to the (external) forwarders get masqu'ed at the gateway/router and are
permitted to flow back to the sender. However, this is a more general issue
concerning any nameserver and is not a problem specially related to internal
forwarding named's. For more info, take a look at
http://moon-lite.com/docs/DNS.html .

> best regards, Stefan

Jo,

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---
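The trust relationship Boris describes above (a packet filter that lets anything in as long as it arrives from source port 53) can be shown with a toy stateless filter. This is an added example, not code from the original post or from any ipchains script; the 192.168.1.0/24 internal net, the two forwarder addresses in 198.51.100.0/24 and the attacker address 203.0.113.7 are constructed for illustration. The weak policy admits an attacker's TCP connection to an internal ssh port simply because it was sent from sport 53; the hardened policy pins port 53 traffic to the forwarders' IPs, only accepts answers on unprivileged ports, and refuses inbound TCP that is opening a new connection.

```python
"""
Toy packet filter contrasting the 'anything from sport 53' rule with a
forwarder-pinned rule set. Example code added to this archive page; the
addresses and packets below are constructed, not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")                               # constructed
FORWARDERS = {ip_address("198.51.100.10"), ip_address("198.51.100.11")}   # constructed


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True when the segment opens a new connection


def weak_policy(pkt: Packet) -> bool:
    """The rule set Boris warns about: internal hosts may send anything out,
    and any inbound packet is accepted as long as its source port is 53."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in INTERNAL_NET:
        return True
    return dst in INTERNAL_NET and pkt.sport == 53


def hardened_policy(pkt: Packet) -> bool:
    """Port 53 traffic is only allowed between the internal net and the known
    forwarders. Inbound answers must go to an unprivileged port, and inbound
    TCP from a forwarder must never be a connection-initiating segment."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.proto not in ("udp", "tcp"):
        return False
    # outbound query: internal host -> forwarder:53
    if src in INTERNAL_NET and dst in FORWARDERS and pkt.dport == 53:
        return True
    # inbound answer: forwarder:53 -> internal host, unprivileged port only
    if src in FORWARDERS and pkt.sport == 53 and dst in INTERNAL_NET and pkt.dport >= 1024:
        # a TCP answer continues a connection the internal host opened;
        # a SYN from the "forwarder" is a new connection and is dropped
        return not (pkt.proto == "tcp" and pkt.syn)
    return False


def evaluate(policy, packets):
    """Return the accept/drop decision of `policy` for each packet."""
    return [policy(p) for p in packets]


# Constructed traffic sample
SAMPLE = [
    Packet("udp", "192.168.1.2", 40000, "198.51.100.10", 53),            # legitimate query
    Packet("udp", "198.51.100.10", 53, "192.168.1.2", 40000),            # legitimate answer
    Packet("tcp", "203.0.113.7", 53, "192.168.1.2", 22, syn=True),       # attacker, sport 53 -> ssh
    Packet("tcp", "198.51.100.10", 53, "192.168.1.2", 22, syn=True),     # spoofed forwarder -> ssh
    Packet("tcp", "198.51.100.10", 53, "192.168.1.2", 40000, syn=True),  # spoofed forwarder, new conn
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        print(name, evaluate(policy, SAMPLE))
```

The `syn` field stands in for the test a real filter does on the TCP flags: ipchains expresses "no connection-initiating segments" with `! -y` on the rule, iptables with `! --syn`. Note that the hardened policy still accepts a packet whose source address is forged to look like a forwarder, which is the spoofing case Boris mentions; only the SYN check limits what such a forged packet can reach.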
