On Wed, 6 Mar 2002 19:04, Karl M. Hegbloom wrote:
> [ The quoted email is dated last December... I hope nobody minds me ]
> [ reviving the conversation. I'm catching up on a few mail groups. ]

OK, but I've trimmed the CC list.

> >>>>> "Russell" == Russell Coker <[EMAIL PROTECTED]> writes:
>
> Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote:
> >> On Sun, 30 Dec 2001, Russell Coker wrote:
> >> > Also don't allow recursion from outside machines.
> >>
> >> Why does this help?

[snip my description of the classic cache poisoning attack]

> {Internal network}----[firewall/gateway router]-+----{Internet}
>
>                                                 +---[Nameserver]
>
> The nameserver is configured to allow recursive queries only from
> hosts coming from inside, through the firewall/gateway router (Linux
> 2.4 w/iptables). What if someone on the internal network tries to
> poison the DNS like this? They could be a student on a school
> network, a contract employee, a misbehaving full timer, or whatever.

That is a problem. Also there's a problem if they send you email and doing a
reverse lookup of the origin IP address, resolving the header address as part
of spam filtering, or looking up the MX record for a bounce results in a DNS
query to a poisoning server.

> To prevent that, you should have some sort of egress filtering on
> the firewall router, to prevent DNS replies (spoofed) from being
> sent out through the gateway.
>
> That still does not prevent them from logging into an outside host
> they own -- their home computer, a co-located machine someplace out
> on the net -- and sending the spoofed responses from there.

That's right.

> My question is; is this scenario possible, and is there any way to
> prevent it from occurring?

Get your name server to only accept replies to your exact queries and no extra
data. I'm not sure which DNS servers support this.

> Russell> iptables/ipchains blocks access to port 53 from untrusted IPs (IE everything
> Russell> outside your LAN or dialup pool).
>
> But then how will anyone on the network access your domain's primary
> name server?

Have a different instance of your name server process for primary zones than
the one used for caching. That's standard policy on most large installations
anyway, for performance if for nothing else.

> But it's an inside job. By an expert. How do I win the chess game
> then?

Get a better name server that doesn't have this flaw.

--
If you send email to me or to a mailing list that I use which has >4 lines of
legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
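As an added example (not code from Russell's or Karl's messages, and not any real name server's implementation), here is a small Python model of the rule Russell suggests above: accept a reply only when it matches an outstanding query on every field, and cache nothing from it that lies outside the bailiwick of the server that was asked. Messages are represented as already-parsed objects rather than wire format; the class names, host names and addresses are constructed for the demo.

```python
# Added example (not code from the thread): a toy model of the reply-acceptance
# rule "only accept replies to your exact queries and no extra data". A caching
# resolver records each query it sends; an incoming reply is accepted only if it
# matches that record on every field an off-path spoofer would have to guess,
# and only records inside the queried server's bailiwick are cached. Messages
# are already-parsed objects (no wire-format parsing); all names and addresses
# below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record, as a resolver sees it after parsing."""
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class OutstandingQuery:
    """What the resolver remembers about a query it has sent."""
    txid: int          # 16-bit DNS transaction ID
    qname: str
    qtype: str
    server: tuple      # (ip, port) the query was sent to
    sport: int         # UDP source port used for this query
    bailiwick: str     # zone the chosen server is authoritative for


@dataclass(frozen=True)
class Reply:
    txid: int
    qname: str
    qtype: str
    source: tuple      # (ip, port) the reply claims to come from
    dport: int         # UDP port the reply arrived on
    answers: tuple
    authority: tuple
    additional: tuple


def _norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def matches_query(q, r):
    """Every field must agree; a reply that gets the ID, source port or the
    question wrong is discarded as unsolicited."""
    return (q.txid == r.txid
            and q.server == r.source
            and q.sport == r.dport
            and _norm(q.qname) == _norm(r.qname)
            and q.qtype.upper() == r.qtype.upper())


def accept_reply(q, r):
    """Return (accepted, records_to_cache, records_dropped).

    Mismatched replies are rejected outright. For a matching reply, only
    records within the bailiwick of the server queried are kept, so a server
    answering for one zone cannot plant data for another zone in the cache via
    the authority or additional sections.
    """
    if not matches_query(q, r):
        return False, [], []
    keep, drop = [], []
    for rr in r.answers + r.authority + r.additional:
        (keep if in_bailiwick(rr.name, q.bailiwick) else drop).append(rr)
    return True, keep, drop


# Constructed sample traffic: the resolver asked example.net's server for
# www.example.net, so only example.net data is cacheable from the reply.
QUERY = OutstandingQuery(txid=0x1A2B, qname="www.example.net", qtype="A",
                         server=("192.0.2.53", 53), sport=40001,
                         bailiwick="example.net")

# A matching reply whose additional section also carries an unrelated
# example.org record; that record must not reach the cache.
REPLY_WITH_EXTRA = Reply(
    txid=0x1A2B, qname="www.example.net", qtype="A",
    source=("192.0.2.53", 53), dport=40001,
    answers=(RR("www.example.net", "A", "192.0.2.10"),),
    authority=(RR("example.net", "NS", "ns1.example.net"),),
    additional=(RR("ns1.example.net", "A", "192.0.2.53"),
                RR("www.example.org", "A", "203.0.113.5")),
)

# A reply with the right question but the wrong transaction ID and port.
SPOOFED_REPLY = Reply(
    txid=0x1A2C, qname="www.example.net", qtype="A",
    source=("192.0.2.53", 53), dport=40002,
    answers=(RR("www.example.net", "A", "203.0.113.99"),),
    authority=(), additional=(),
)


def demo():
    """Run both cases; returns the two accept_reply results."""
    return accept_reply(QUERY, REPLY_WITH_EXTRA), accept_reply(QUERY, SPOOFED_REPLY)


if __name__ == "__main__":
    for accepted, keep, drop in demo():
        print("accepted" if accepted else "rejected",
              [rr.name for rr in keep], [rr.name for rr in drop])
```

The point of the bailiwick check is the second half of Russell's rule: even a perfectly matching reply from the right server is not trusted for names outside the zone that server was asked about, so the extra example.org record is dropped while the legitimate glue for ns1.example.net is kept.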