
Re: Permitting recursion can allow spammers to steal name server resources
On Wed, 10 Sep 2003, Dan Harkless wrote:
> On September 9, 2003, Chris Brenton <cbrenton@xxxxxxxxxxxxxxxx> wrote:
> [...]
> > "DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> [...]
> > _Fixing the problem with Bind_
<snip>
> > allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
> As has been pointed out before, this still leaves you potentially open to
> cache poisoning if the attacker can spoof those addresses (and again, the
> attacker will need to be spoofing anyway, if attacking BIND 9).

luckily more providers have begun properly filtering at ingress.  granted,
spoofing is still quite possible from a large percentage of IPv4 space.

> The safest setup is to run authoritative nameservers on separate machines
> (or at least IPs) from caching recursive servers, as discussed, e.g. here:

FWIW, i think this can be derived from Joe's article as well.  also,
anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,

http://www.cymru.com/Documents/secure-bind-template.html

everything discussed here relating to BIND configuration (and more) is
covered there.

i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives...  however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;)  it's also one of the
more frequent things i see reported on mailing lists these days...
particularly thanks to M$.

-mrh
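As an added illustration (not from this thread or from the cited article or template), the BIND 9 named.conf fragments below put the open-recursion setting beside the split the thread recommends: an authoritative-only host and a separate caching resolver whose recursion is limited to internal prefixes. The zone name, addresses and file paths are constructed placeholders.

```conf
// --- WEAK: one server doing both jobs, recursion open to everyone ---
// Any host on the Internet can drive recursive lookups through this
// server (the "stolen resources" of the thread title) and the shared
// cache sits on the same host that answers for the zone.
options {
    directory "/var/named";
    recursion yes;              // BIND 9 default
    // no allow-recursion statement: defaults to { any; }
};
zone "example.test" { type master; file "example.test.zone"; };  // placeholder zone

// --- Authoritative-only server (its own host, or at least its own IP) ---
// Recursion is switched off entirely rather than ACL'd: an ACL on
// allow-recursion can still be bypassed by spoofing a permitted source
// address, whereas a non-recursing server keeps no cache to poison.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };           // the zones are public data
    allow-transfer { 192.0.2.2; };  // placeholder secondary address
};
zone "example.test" { type master; file "example.test.zone"; };  // placeholder zone

// --- Caching resolver on a separate host, reachable only from inside ---
acl internal { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; };  // constructed prefixes
options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };        // outsiders get REFUSED, not a cache lookup
    allow-recursion { internal; };    // still spoofable; ingress filtering helps
    allow-query-cache { internal; };  // BIND 9.4+; cached answers stay inside
};
```

Outside queries to the resolver are refused rather than served from cache, and the authoritative host never recurses, so a spoofed packet toward it cannot plant a cached answer.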
