nate wrote:
> John Hinton wrote:
>
>> Do I just ask really hard questions or are my questions just not clear?
>> There have to be others on this list that are running nameservers via
>> CentOS. This seems to be a nasty issue that we who are running bind need
>> to get right.
>>
>
> And the fix is really stupid for those running name servers behind firewalls.
>
> I can't say I'm an expert on this particular issue, but from what I've
> read it seems like the attack depends on being able to send queries to
> the name server in question in order to predict the IDs that the system
> is generating.
>
> The way my DNS is set up at home is that I have 2 "external" name servers
> that do not allow recursion for domains that they are not responsible
> for, other than for a couple of trusted IPs (all of which are local). My
> main caching name server is internal to my network and cannot be directly
> queried from the internet. As such I think my exposure is pretty low.
> All of my name servers are set up to force their source port to be 53;
> I really, really don't like the idea of opening up tens of thousands of
> ports back to my name servers.
>
> So I suspect your caching name servers are only vulnerable if they
> can be sent queries from the attacker. If your internal network is
> trusted then I think you're fairly safe as long as you don't allow
> access to the caching name servers externally. And of course run
> dedicated name servers for authoritative hosting.
>
> I plan to have a similar setup at my company: the external authoritative
> servers are not behind a firewall (F5 Global Traffic Managers), the
> internal ones are not accessible outside the network. DNS cache
> poisoning is the least of my worries if an attacker has access to the
> internal network.
>
> nate
>

I'm running caching nameservers on almost all of my systems and then also three nameservers. All are available publicly. I too had hard-coded bind to port 53.
I also had specifically opened port 53 through the firewall. But now, it appears that using only port 53 is a bad thing. From what I read, both the port and the ID need to change to be secure (even this is just security through obscurity). It's sounding like I'll need to open a port range, but I don't know what a 'good practice' will be. I read through the Red Hat notes, googled and read all over the place. All I seem to find is to remove the named.conf line that forces bind through port 53 and then statements like 'your firewall will need to be adjusted accordingly', with no good suggestions for how to do this. So, I'm faced with turning off the firewall to show good external testing on bind.... sort of like unlocking every window and door to a house in order to try to keep someone from trying to open just one.

John Hinton
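The two concrete questions in this thread are "which line in named.conf pins the source port?" and "what does 'adjust the firewall accordingly' mean without opening a port range?". The following Python script is an added example (not code from the list or from the BIND project) that answers both: it scans a named.conf `options` block for `query-source`/`query-source-v6` directives pinned to a fixed port, rewrites them to `port *` so `named` picks a random ephemeral source port per query, and emits the iptables rules that let replies back in by connection tracking instead of by a static inbound port range. The named.conf fragment is a constructed sample, the resolver address is a placeholder, and the iptables rules are returned as strings for review rather than applied.

```python
import re
from typing import Dict, List

# Constructed sample of the options block the thread discusses: both
# directives pin the outbound source port to 53, which is the setting the
# Red Hat notes say to remove.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
};
"""

# Matches a query-source / query-source-v6 directive and captures the port
# it specifies ('*' means "let named choose", which is what we want).
QUERY_SOURCE_RE = re.compile(
    r'^\s*(query-source(?:-v6)?)\b[^;]*?\bport\s+(\d+|\*)\s*;',
    re.MULTILINE,
)


def find_fixed_query_ports(conf_text: str) -> Dict[str, str]:
    """Return {directive: port} for each directive that pins the source port.

    A directive using 'port *' is not reported: named randomizes per query.
    """
    pinned = {}
    for match in QUERY_SOURCE_RE.finditer(conf_text):
        directive, port = match.group(1), match.group(2)
        if port != '*':
            pinned[directive] = port
    return pinned


def unpin_query_ports(conf_text: str) -> str:
    """Rewrite pinned ports to 'port *' (equivalent to deleting the line)."""
    return re.sub(
        r'(query-source(?:-v6)?\b[^;]*?\bport\s+)\d+(\s*;)',
        r'\1*\2',
        conf_text,
    )


def stateful_dns_rules(resolver_ip: str,
                       authoritative: bool = False) -> List[str]:
    """iptables rules (returned, not applied) for a randomized-port resolver.

    Outbound queries may leave from any ephemeral source port; the reply is
    admitted only because conntrack already saw the matching query, so no
    inbound range such as 1024:65535 is ever opened. If the host is also
    authoritative, inbound queries to port 53 are allowed explicitly.
    """
    rules = []
    for proto in ("udp", "tcp"):
        rules.append(
            f"iptables -A OUTPUT -s {resolver_ip} -p {proto} --dport 53 "
            f"-m state --state NEW,ESTABLISHED -j ACCEPT")
        rules.append(
            f"iptables -A INPUT -d {resolver_ip} -p {proto} --sport 53 "
            f"-m state --state ESTABLISHED -j ACCEPT")
        if authoritative:
            rules.append(
                f"iptables -A INPUT -d {resolver_ip} -p {proto} --dport 53 "
                f"-m state --state NEW,ESTABLISHED -j ACCEPT")
            rules.append(
                f"iptables -A OUTPUT -s {resolver_ip} -p {proto} --sport 53 "
                f"-m state --state ESTABLISHED -j ACCEPT")
    return rules


if __name__ == "__main__":
    pinned = find_fixed_query_ports(SAMPLE_NAMED_CONF)
    for directive, port in pinned.items():
        print(f"{directive} pins the source port to {port}; change to 'port *'")
    fixed = unpin_query_ports(SAMPLE_NAMED_CONF)
    print(fixed)
    # 192.0.2.53 is a placeholder address from the documentation range.
    for rule in stateful_dns_rules("192.0.2.53", authoritative=True):
        print(rule)
```

Run it against a copy of the real `/etc/named.conf` by replacing `SAMPLE_NAMED_CONF` with the file contents; the point of the rule set is that the only thing added to the firewall for randomized source ports is a stateful `ESTABLISHED` match on replies from port 53, which is far narrower than opening tens of thousands of inbound ports.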