Date:      Sat, 29 Jan 2000 11:58:26 -0500
From:      Peter Radcliffe <pir@pir.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Continual DNS requests from mysterious IP
Message-ID:  <20000129115826.B12465@pir.net>
In-Reply-To: <200001291634.IAA36101@floozy.zytek.com>; from mccord@zytek.com on Sat, Jan 29, 2000 at 08:34:49AM -0800
References:  <98581.949158146@verdi.nethelp.no> <200001291634.IAA36101@floozy.zytek.com>

Samara McCord <mccord@zytek.com> probably said:
> point.  Correct me if I'm wrong, but my DNS servers shouldn't ever have
> to deliver the MX records for aol.com (or any domain for which I don't
> serve), except to my own internal machines and for my own customers, right?

Current security advice for nameservers:

  o upgrade to the latest version of bind8

  o ensure the ndc control socket cannot be used by anyone but root
    or other users you don't mind getting root (problem on solaris)

  o run bind as a non-root user and possibly chrooted (standard
    options in recent bind8).

  o split your authoritative and caching versions of named

  o turn off recursion and fetch-glue in the auth server so it cannot
    be poisoned

  o only allow access to your caching nameservers from your netblocks
    (by listening on an interface that cannot be reached from outside,
    filtering or by using allow-query {};)

This brings named in line with how most services are run on the
Internet these days - allow what you need to allow and no more.

Applying this to your nameservers would stop these random people
using you as a resolver or attacking (poisoning) your caches.

I have a lot of people going off campus and leaving their resolver IP
set to the Tufts caches. The load and memory use of the main campus
cache noticeably decreased when I applied allow-query to our netblocks.

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu
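What the checklist above looks like once written into named.conf, as an added example rather than configuration taken from the message or from the FreeBSD project. The two fragments are two separate named.conf files, one per server; the hostnames, the example.com zone and the 192.0.2.0/24 and 198.51.100.0/24 netblocks are constructed placeholders, and the syntax assumed is BIND 8.2-era (fetch-glue no longer exists in BIND 9, which never fetches glue).

```conf
// ---- File 1: named.conf on the AUTHORITATIVE-only server (ns1.example.com, placeholder) ----
// Answers only for zones it is master or slave for. With recursion and
// glue-fetching off it never sends queries on a client's behalf, so a forged
// reply to such a query has no cache entry to poison.
options {
    directory "/etc/namedb";
    recursion no;           // BIND 8 default is "yes": refuse to resolve names for others
    fetch-glue no;          // BIND 8 default is "yes": never chase glue records from other servers
    allow-query { any; };   // anyone on the Internet may ask about our own zones
};

zone "example.com" {        // constructed sample zone
    type master;
    file "master/example.com";
};

// ---- File 2: named.conf on the CACHING/recursive server (cache.example.com, placeholder) ----
// Resolves for internal hosts only; queries from any other source are refused.
// Started as:  named -u bind -g bind -t /var/named
//   (-u/-g drop root after binding port 53, -t chroots; recent BIND 8 only)
acl "ournets" {
    192.0.2.0/24;           // constructed sample netblocks; substitute your own
    198.51.100.0/24;
    127.0.0.1;
};

options {
    directory "/etc/namedb";
    listen-on { 192.0.2.53; 127.0.0.1; };  // inside-facing address only, not the outside interface
    allow-query { "ournets"; };            // was the default: allow-query { any; };
    allow-recursion { "ournets"; };        // second line of defence; BIND 8.2 and later
};

// ndc control socket usable by root only (the Solaris problem the message mentions
// is a world-accessible socket; a top-level statement in BIND 8.2 and later).
controls {
    unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
```

After reloading each server, the check worth doing is from an address outside the "ournets" netblocks: a lookup of a zone the authoritative server does not serve (the aol.com MX from the quoted question, say) should come back REFUSED from both servers, while a lookup of example.com from anywhere should still be answered by the authoritative one. If the outside lookup is answered, the caching server is still reachable on an outside interface or allow-query has not taken effect.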



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000129115826.B12465>