Date: Fri, 11 Jul 2008 10:44:46 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Jeremy Chadwick <koitsu@FreeBSD.org> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Remko Lodder <remko@freebsd.org>, secteam@freebsd.org Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] Message-ID: <48779C0E.2020807@FreeBSD.org> In-Reply-To: <20080711162913.GA55187@eos.sc1.parodius.com> References: <C49A67C5.1A0CBA%astorms@ncircle.com> <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> <20080711162913.GA55187@eos.sc1.parodius.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jeremy Chadwick wrote:
> The problem here is WRT network ACLs. The only solution is to bind BIND
> to a specific IP address and permit any outbound TCP or UDP traffic +
> any inbound TCP or UDP traffic to port 53.
Not quite any inbound traffic, named will pick a source port > 1024. In
the current beta versions there is an option to restrict the ports
chosen to a range.
I'm also not quite sure what kind of server you're talking about here.
If it's authoritative, then by definition you have to allow all inbound
traffic to port 53.
> Most network administrators
> I know of won't like that, as they deny all incoming *and* outgoing
> traffic, then apply permit ACLs. There's no "clean" or "strict" permit
> ACL, while with port XX, you can at least narrow down things UDP-wise a
> bit more.
False economy. The "danger" of allowing inbound UDP traffic is
infinitely less than the danger of having a recursive resolver's cache
poisoned. The new way of things would be to define those UDP ports that
run services other than named on the system, add those to the avoid-*
option(s) in named.conf, and block those ports at the firewall, leaving
everything else open.
Of course, almost any modern firewall should have keep-state
functionality for UDP, so all of this should be moot.
> I'll add that the stock src/etc/namedb/named.conf even advocates the use
> of query-source ...
It doesn't advocate, it gives an example. This is the reason I am
resistant to adding too many examples to our installed named.conf, it is
too easy for people to misinterpret them.
Doug
--
This .signature sanitized for your protection
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48779C0E.2020807>