DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Greg A. Woods rescue at sunhelp.org
Fri May 25 20:33:42 CDT 2001


[ On Friday, May 25, 2001 at 18:12:25 (-0700), James Lockwood wrote: ]
> Subject: Re: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> When you have a network of SunOS 4 systems receiving hostname resolution
> from a SunOS 4 YP master and you can't get access to these systems to
> tweak the system resolver, you need a BIND 4 caching nameserver to point
> the master to.  I ran into this problem frequently during BIND 8 rollout.
> There's a resolver bug I filed with Sun that was specifically rejected at
> the time because at the time no Sun product shipped with BIND 8 (this was
> in the days of 2.6).  After 7 was released I refiled it, it was then swept
> under the rug when SunOS 4 support was totally discontinued.

Although I know not of what you speak I'll bet there are other fixes for
that bug which would allow you to use any caching nameserver (maybe even
djbdns!)....  I've never run a YP server (beyond an experiment), but I
have run DNS in front of one and I don't recall there being anything
unique or different about queries coming from the resolver library on a
YP server than from any other SunOS-4 box without YP in the way.  Any
nameserver should be able to answer them just as well as any other.

(I'm assuming you can't get at the YP master host either, and that the
nameserver is indeed *not* running on that host....)

Of course even with a firewall such hosts are sitting ducks since if
they need to use public DNS then they're probably making connections
back out to the public network and thus are likely vulnerable to any
number of different types of attacks.  Best just turn them off and start
fresh anyway.  :-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>


