From owner-freebsd-security Sat Jan 29 8:58:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [209.192.237.190]) by hub.freebsd.org (Postfix) with ESMTP id 0208D14D15 for ; Sat, 29 Jan 2000 08:58:39 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 12EbCd-0004ID-00 for freebsd-security@FreeBSD.ORG; Sat, 29 Jan 2000 11:58:27 -0500
Date: Sat, 29 Jan 2000 11:58:26 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <20000129115826.B12465@pir.net>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <98581.949158146@verdi.nethelp.no> <200001291634.IAA36101@floozy.zytek.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200001291634.IAA36101@floozy.zytek.com>; from mccord@zytek.com on Sat, Jan 29, 2000 at 08:34:49AM -0800
X-fish: <
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Samara McCord probably said:
> point. Correct me if I'm wrong, but my DNS servers shouldn't ever have
> to deliver the MX records for aol.com (or any domain for which I don't
> serve), except to my own internal machines and for my own customers, right?

Current security advice for nameservers:

 o upgrade to the latest version of bind8
 o ensure the ndc control socket cannot be used by anyone but root or
   other users you don't mind getting root (problem on solaris)
 o run bind as a non-root user and possibly chrooted (standard options in
   recent bind8).
 o split your authoritative and caching versions of named
 o turn off recursion and fetch-glue in the auth server so it cannot be
   poisoned
 o only allow access to your caching nameservers from your netblocks (by
   listening on an interface that cannot be reached from outside, filtering
   or by using allow-query {};)

This brings named in line with how most services are run on the Internet
these days - allow what you need to allow and no more. Applying this to
your nameservers would stop these random people using you as a resolver
or attacking (poisoning) your caches.

I have a lot of people going off campus and leaving their resolver IP set
to the tufts caches. The load and memory use of the main campus cache
noticeably decreased when I applied allow-query to our netblocks.

P.

-- 
pir                  pir@pir.net                  pir@net.tufts.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
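As an added illustration of the checklist above (this is not part of Peter's message, nor a file shipped by FreeBSD or ISC), here is what the split-server advice looks like as two BIND 8 named.conf files: one for an authoritative-only named with recursion and fetch-glue off and the ndc socket restricted to root, and one for a caching-only named that listens on an internal address and answers only the local netblocks via allow-query. The zone name example.net, the addresses 10.0.0.0/8, 192.0.2.0/24, 192.0.2.2 and 10.0.0.53, the ACL name "ournets", the paths, and the user/group "bind" are all placeholders, not values from the thread.

```conf
// ===== File 1: named.conf on the AUTHORITATIVE-only server =====
// Assumed start-up line (FreeBSD rc.conf, BIND 8.2; user, group and
// chroot path are placeholders):
//   named_flags="-u bind -g bind -t /var/named"
// With -t every path below is relative to the chroot.

options {
    directory "/etc/namedb";
    recursion no;                   // never resolve names we are not authoritative for
    fetch-glue no;                  // never chase glue outside our zones (nothing to poison)
    allow-query { any; };           // the whole Internet may ask about zones we serve
    allow-transfer { 192.0.2.2; };  // only our secondary may pull zones (placeholder IP)
};

// ndc control socket: only root may use it (BIND 8.2 syntax; socket lives
// inside the chroot when -t is used)
controls {
    unix "/var/run/ndc" perm 0600 owner 0 group 0;
};

zone "example.net" {                // placeholder zone
    type master;
    file "master/example.net";
};

// ===== File 2: named.conf on the CACHING-only server =====
// Same start-up flags as above. No master zones here; it only recurses.

acl "ournets" {                     // placeholder netblocks for "our" clients
    127.0.0.1;
    10.0.0.0/8;
    192.0.2.0/24;
};

options {
    directory "/etc/namedb";
    recursion yes;                  // this box IS the resolver, for our users only
    listen-on { 127.0.0.1; 10.0.0.53; };   // internal interface only (placeholder IP)
    allow-query { "ournets"; };     // everyone else gets REFUSED, not an answer
};

controls {
    unix "/var/run/ndc" perm 0600 owner 0 group 0;
};

zone "." {                          // root hints so recursion can start somewhere
    type hint;
    file "named.root";
};

zone "0.0.127.in-addr.arpa" {       // keep the usual localhost reverse zone
    type master;
    file "master/localhost.rev";
};
```

The two `options` blocks belong to two different hosts (or two separately started named instances); a single named.conf may carry only one. Keep `allow-query { any; }` on the authoritative server, otherwise the rest of the world can no longer resolve the zones you serve; the restriction belongs on the cache, whose answers are the thing an outsider could poison or abuse. To check the cache from an off-net host, a recursive query such as `dig @10.0.0.53 aol.com mx` should come back REFUSED (or time out if the listen-on interface is unreachable), while the same query from inside "ournets" is answered.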