Forgot to forward it to the list....
> -----Original Message-----
> From: Hiemstra, Brenno
> Sent: Thursday 10 May 2001 11:08
> To: 'Chris Keladis'
> Subject: DNS spoofing ( was RE: DNS cannot contact Root Servers)
>
> Chris,
>
> For DNS poisoning you can protect yourself by not allowing any dynamic
> updates:
>
> allow-update { none; };
>
> in your named.conf.
>
> And for spoofing, just enable anti-spoof rules on your routers,
> firewalls, etc etc etc.
>
> If you only allow recursion for a few trusted hosts and your anti-spoofing
> rules are well set up, then DNS spoofing is very hard to get working,
> because you only recurse and cache for a few trusted hosts, or it is
> done on purpose (from those trusted hosts).
>
> You can't do much if the internet host (the name server you query for a
> domain name) isn't sending the right information in reply to your query
> (for domains you don't host on your DNS servers).
>
> An internet host or untrusted host should not be able to poison your DNS
> cache for internet domains you host if you set the anti-spoof rules up right.
>
> If an attacker is impersonating an internet nameserver by predicting
> Query IDs, that is something that is hard to protect against.
>
> I think this is a good protection against DNS spoofing. But it also
> depends on your own network / situation. Everyone has their own thoughts
> on every implementation, and this is the one that I have about this subject.
>
> Regards,
>
> Brenno
>
>
> -----Original Message-----
> From: Chris Keladis [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday 10 May 2001 11:25
> To: Hiemstra, Brenno; Brooks Carlson
> Cc: 'Firewalls (E-mail)'
> Subject: RE: DNS cannot contact Root Servers
>
> At 09:44 AM 5/10/01 +0200, Hiemstra, Brenno wrote:
>
> >You can configure your outside DNS servers (if you are using BIND)
> >to allow recursion from a couple of trusted hosts.
> >
> >In the named.conf file just put the following entry:
> >
> >allow-recursion { ip_addresses_trusted_hosts; };
> >(or if the list is getting pretty long then build a simple acl)
>
>
> Call me paranoid, but DNS being (mostly) UDP based worries me: if someone
> can spoof a query to make it past your ACLs, they can effectively make your
> DNS perform a recursive lookup (remember, to poison a cache you don't need to
> see the reply, you only need to be able to make the request).
>
> I prefer to turn it off completely and supply servers dedicated to
> recursively answering for hosts, which have more protection than the simple
> ACLs in BIND (namely, (good) stateful inspection firewalls).
>
> (I read somewhere that in the PIX's stateful inspection of DNS, it allows the
> first correct reply back in, whereas FW-1 allows (matching) return packets
> for a time period defined in the rulebase properties, for UDP.)
>
> Either method works just fine; it all depends how paranoid you are :^)
>
> Regards,
>
> Chris.
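The stateful-inspection behaviour Chris describes (one correct reply admitted per outstanding query, as he attributes to the PIX) can be made concrete. The Python model below is added here and is not from either poster: it builds minimal DNS messages (the RFC 1035 12-byte header plus question section) and a pinhole that admits a reply only if it is the first one matching an outstanding query's client address, source port, query ID and question; the addresses, port and IDs are made-up values for the example.

```python
import struct

def build_query(qid, qname, qtype=1):
    """Standard query (QR=0, RD=1) for qname/qtype, class IN; header is 12 bytes."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def as_response(query):
    """Reply skeleton for a query: same ID and question, QR bit set (answers omitted)."""
    flags = struct.unpack("!H", query[2:4])[0] | 0x8000
    return query[:2] + struct.pack("!H", flags) + query[4:]

def parse(msg):
    """Return (id, is_response, raw question section); assumes an uncompressed name."""
    qid, flags = struct.unpack("!HH", msg[:4])
    pos = 12
    while msg[pos] != 0:          # walk the labels to the terminating zero byte
        pos += msg[pos] + 1
    pos += 1 + 4                  # zero byte, then QTYPE and QCLASS
    return qid, bool(flags & 0x8000), msg[12:pos]

class DnsPinhole:
    """Admit one reply per outstanding query, matched on addresses, port, ID and question."""
    def __init__(self):
        self.open = {}            # (client, client_port, server, qid) -> question bytes

    def outbound(self, client, cport, server, msg):
        qid, is_resp, question = parse(msg)
        if not is_resp:
            self.open[(client, cport, server, qid)] = question

    def inbound(self, server, client, cport, msg):
        qid, is_resp, question = parse(msg)
        key = (client, cport, server, qid)
        if not is_resp or self.open.get(key) != question:
            return False          # unsolicited, wrong ID, or wrong question: dropped
        del self.open[key]        # the pinhole closes after the first good reply
        return True

def demo():
    """Send one constructed query through the pinhole and record which replies get in."""
    fw, c, s = DnsPinhole(), "192.0.2.10", "198.51.100.53"   # constructed addresses
    q = build_query(0x1234, "www.example.com")
    fw.outbound(c, 40000, s, q)
    return {
        "wrong_id":   fw.inbound(s, c, 40000, as_response(build_query(0x1235, "www.example.com"))),
        "wrong_name": fw.inbound(s, c, 40000, as_response(build_query(0x1234, "mail.example.com"))),
        "matching":   fw.inbound(s, c, 40000, as_response(q)),
        "duplicate":  fw.inbound(s, c, 40000, as_response(q)),
    }
```

The only DNS-level fields the model checks are the 16-bit ID and the question, so Brenno's point about predictable Query IDs still applies: the pinhole closes on the first reply that matches, whichever host sent it.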
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]