DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Greg A. Woods rescue at sunhelp.org
Fri May 25 19:29:30 CDT 2001


[ On Friday, May 25, 2001 at 17:08:13 (-0400), Loomis, Rip wrote: ]
> Subject: RE: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> The only exception/comment is if you have interfaces that
> go up and down--with root privs BIND can attach (bind) to
> the new interfaces on its own as it sees them, but without
> root privs you need to stop and restart BIND.

true, but exceedingly rare (I know of exactly two mirrored machines in
production where this *might* be necessary, though strictly it is not).

> Note that few root/TLD servers run BIND with root privileges
> for this reason...but many home users (esp. Linux/Solaris)
> have dynamic IPs and may still choose to run it as root...
> or better yet put something in the ppp-up/ppp-down scripts
> to restart it.  (If I ever get a chance I'm going to
> submit a patch to Debian to fix this--last time I checked
> all their BIND packages still ran as root...)

Exactly.  If home users are running named as root for this kind of
reason then they deserve to go down in flames too.  The up/down scripts
are more than sufficient to control named.  (Of course I can't really
blame home users for doing as their vendors say, though obviously they
need to be taught to complain to their "vendors" and to look out for
silly but dangerous things like this.)

You can in fact get named to bind() to INADDR_ANY explicitly, at least
for UDP queries, with 'options { listen-on { "any" }; };', eg:

	udp        0      0  *.53                   *.*                   
	udp        0      0  127.0.0.1.53           *.*                   
	udp        0      0  204.92.254.199.53      *.*                   
	udp        0      0  204.92.254.16.53       *.*                   

I've not yet figured out how to make it do the same for TCP queries
though, nor do I even remember fully why it doesn't just use *.53 for
TCP in the first place (for UDP, yes, but why not TCP?)....

Personally if I had to deal with a dynamic address on my gateway I'd be
using two nameservers on the gateway, and only restarting the external
one on PPP "Up" or whatever DHCP trick was necessary....

> Actually it's completely true to the best of my knowledge.
> The developers (now Nominum) did pick Paul's brain, but he
> didn't write any of the code.

(he did write a couple of the library routines that are used both inside
named and are in the resolver....)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
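The practical check behind the discussion above is whether named is bound to the wildcard address (INADDR_ANY, printed as `*` by BSD-style netstat) for both UDP and TCP on port 53: only a wildcard-bound socket keeps serving an address that appears after the daemon started, so a per-address binding is exactly the case where an unprivileged named must be restarted from the ppp up/down scripts. The following is an added example, not code from the message or from BIND: a small parser for BSD `netstat -an` listener lines (the format quoted above; Linux netstat uses `:` separators and is not handled) plus a function that reports which protocols would need a restart when a new interface address arrives. The sample output is constructed for the example, reusing the UDP lines from the message and adding TCP lines with the same addresses; the function and variable names are the example's own.

```python
"""Audit netstat-style listener output for a DNS daemon.

Added example, not part of the original mailing-list message. Parses
BSD-style `netstat -an` lines and checks whether port 53 is bound to the
wildcard address for both UDP and TCP. A daemon bound only to specific
addresses will not serve an address configured after it started (e.g. a
PPP or DHCP interface coming up) until it is restarted.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Listener(NamedTuple):
    proto: str   # "udp" or "tcp"
    addr: str    # local address; "*" is the wildcard (INADDR_ANY)
    port: int


# Matches e.g. "udp  0  0  *.53  *.*" and "tcp  0  0  127.0.0.1.53  *.*  LISTEN".
# Some BSDs print "tcp4"/"udp6"; the digits are allowed but not captured.
_LINE = re.compile(r"^(udp|tcp)\d*\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return the listening sockets found in BSD netstat output."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # banner, column header, or unrelated line
        proto, local, foreign, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue  # established/closing TCP sockets are not listeners
        if proto == "udp" and foreign != "*.*":
            continue  # a connected UDP socket is not a listener
        # BSD netstat prints "addr.port"; the port follows the last '.'
        addr, _, port = local.rpartition(".")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def wildcard_report(listeners: List[Listener], port: int = 53) -> Dict[str, bool]:
    """Per protocol: True when the service on `port` is bound to the wildcard."""
    report = {"udp": False, "tcp": False}
    for lsn in listeners:
        if lsn.port == port and lsn.addr == "*":
            report[lsn.proto] = True
    return report


def needs_restart_on_new_address(listeners: List[Listener], port: int = 53) -> List[str]:
    """Protocols on which the service listens only on specific addresses.

    A new interface address would not be served on these until the daemon
    is restarted (or re-binds as root); protocols with no listener at all
    on `port` are not reported.
    """
    report = wildcard_report(listeners, port)
    return [
        proto for proto in ("udp", "tcp")
        if not report[proto]
        and any(l.port == port and l.proto == proto for l in listeners)
    ]


# Constructed sample: the UDP lines quoted in the thread plus TCP lines on
# the same addresses, one non-listening TCP socket, and a syslog listener.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  204.92.254.199.53      *.*                    LISTEN
tcp        0      0  204.92.254.16.53       *.*                    LISTEN
tcp        0      0  204.92.254.199.22      192.0.2.10.40513       ESTABLISHED
udp        0      0  *.53                   *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  204.92.254.199.53      *.*
udp        0      0  204.92.254.16.53       *.*
udp        0      0  *.514                  *.*
"""


if __name__ == "__main__":
    found = parse_listeners(SAMPLE)
    print("wildcard on port 53:", wildcard_report(found))
    print("restart needed for:", needs_restart_on_new_address(found))
```

Run against real output with `netstat -an | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; on the sample above it reports that UDP is on `*.53` but TCP is not, which is the asymmetry the message describes.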