On Mon, Apr 1, 2013 at 1:30 PM, Michael H. Warfield mhw@wittsend.com wrote:
Actually, it's pretty easy with netfilter / iptables. Other firewalls like pf on *BSD and proprietary ones work similarly. If you know your inside networks you merely add a rule to block incoming packets on your external interface with source addresses that should be inside your firewall.
What does 'inside' mean to TCP/IP? Are you saying it can't work if you are all public? Or if you expect to use redundant public routing among all of your systems?
Do we all drop BIND in favor of nscd for our authoritative name servers and dnsmasq for our cachers?
Well, first you have to come out and say that recursive resolvers are too fragile to survive in public. Or have too much potential for collateral damage and must be outlawed. Maybe define a way your network topology has to be arranged. Then move on to how BIND should be shipped.
I don't think that's the answer either. Establishing best practices and discouraging people from misconfiguring applications would seem to be a better option and best current practices now were not always considered best practices 20 years ago. It's a challenge. It's a BIG challenge in my business.
OK, but of course it is a challenge if you advocate using tools that most people don't have or understand - or don't work universally.
Asymmetric routes (aka triangular routing) should be severely discouraged and are generally considered a configuration error unless heavily justified.
I don't think BGP shares this opinion. And I'd speculate that the simplicity of IP routing only needing to care about the forward route direction one hop at a time is the main reason that it became the network of choice. Well, that and a taxpayer funded directory service from the start.
They're highly unreliable to begin with (you can forget about getting through stateful firewalls). Where it can be justified, static rules that allow it will cover things in ways that attackers cannot exploit.
So what you need to establish first is the location of the firewalls in respect to recursive servers.
Perhaps. But I'm not quite so sure where the bad design is or if it's merely a confluence of extremely powerful tools, like BIND, that can be used in a multitude of ways. I might agree with you more if the "bad design" you are referring to is the overall network design, architecture, and layout. I've seen plenty of well designed tools misused in badly designed networks.
So you envision an internet where it is impossible to reach a recursive resolver outside of your own organization's control?
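The ingress filter described at the top of the thread (drop packets arriving on the external interface whose source address belongs to one of your own inside prefixes), as an added example that is not part of the original messages. The script prints the netfilter rules for a given interface and prefix list rather than installing them, and then applies the same inside-source test to a few constructed netfilter LOG-style lines so the effect can be checked against real traffic logs. The interface name `eth0`, the prefixes (documentation address ranges) and the sample log lines are all constructed placeholders, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: the ingress (anti-spoofing)
# filter described above, in two forms.  First, emit the netfilter rules that
# drop packets arriving on the external interface with a source address from
# one of our own inside prefixes; second, run the same test over netfilter-style
# log lines so a defender can see whether such packets are actually arriving.
# Interface name, prefixes and log lines are all constructed placeholders.

EXT_IF="eth0"                                 # assumed external interface
INSIDE_NETS="192.0.2.0/24 198.51.100.0/24"    # assumed inside prefixes

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (address) lies inside $2 (prefix in CIDR notation).
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Return 0 if $1 is a source address that should never arrive from outside:
# loopback plus any of the inside prefixes passed as remaining arguments.
is_spoofed_source() {
    src=$1
    shift
    for net in 127.0.0.0/8 "$@"; do
        in_cidr "$src" "$net" && return 0
    done
    return 1
}

# Print (rather than execute) the iptables commands for the ingress filter,
# so they can be reviewed without root.  Usage: emit_antispoof_rules IFACE NET...
emit_antispoof_rules() {
    ifname=$1
    shift
    for net in 127.0.0.0/8 "$@"; do
        printf 'iptables -A INPUT   -i %s -s %s -j DROP\n' "$ifname" "$net"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$ifname" "$net"
    done
}

# Read netfilter LOG-style lines on stdin and count those that arrived on
# IFACE with a source address that should have been inside.
# Usage: count_spoofed IFACE NET...
count_spoofed() {
    ifname=$1
    shift
    n=0
    while IFS= read -r line; do
        case $line in
            *"IN=$ifname "*) ;;
            *) continue ;;
        esac
        src=${line##*SRC=}
        src=${src%% *}
        if is_spoofed_source "$src" "$@"; then
            n=$(( n + 1 ))
        fi
    done
    echo "$n"
}

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG='kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 PROTO=UDP DPT=53
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.53 PROTO=UDP DPT=53
kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.53 PROTO=UDP DPT=53
kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.53 PROTO=UDP DPT=53'

emit_antispoof_rules "$EXT_IF" $INSIDE_NETS
printf 'spoofed-source packets seen on %s: %s\n' "$EXT_IF" \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_spoofed "$EXT_IF" $INSIDE_NETS)"
```

The rules only match on ingress interface and source prefix, so they stay valid however the return path is routed; the point of the log check is that once the filter is in place these lines should stop appearing for the external interface, and any that remain indicate either a missing prefix in the list or traffic that genuinely should not be reaching that interface.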