bind8, libpcap, tcpdump

Dagmar d'Surreal dagmar at speakeasy.net
Mon Nov 18 12:05:36 PST 2002


On Thu, 2002-11-14 at 06:53, Dan Osterrath wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Although these packages are not listed in the BLFS book I wanna give a hint for everyone using these packages:
> 
> In bind 4 and bind 8 there are several vulnerabilities. 
> http://www.isc.org/products/BIND/bind-security.html
> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
> http://www.cert.org/advisories/CA-2002-31.html

It's worth noting that to anyone who follows the principle of least
privilege to the letter when designing subsystems, their nameservers
would only be vulnerable to attack from network blocks which their
systems "trusted" enough to provide regular, recursive nameservice for.
For any of you running a caching nameserver at home, this means that you
should not have been vulnerable to this bug, provided your system was
configured properly.

For those of you who have no clue whatsoever what I'm talking about (and
your numbers are legion), it amounts to this...

...at the top of the named.conf, add an ACL (access control list) like:

acl nameservice-clients {
  127.0.0.1;
  10.1.1.1;
};

/* 127.0.0.1 being the machine itself, and 10.1.1.1 being a lonely
little desktop machine */

...and in the options section of the named.conf, we add:

        allow-query { nameservice-clients; };
        allow-recursion { nameservice-clients; };
        allow-transfer { none; };    // "none" is BIND's built-in empty ACL

The first line disables _all_ queries from anyone excepting addresses
and netblocks provided for in the ACL.  (If you don't know them, why are
you letting them query your server?)  The second line disables all
recursive queries (the type used by machines trying to get answers to
hostname-ish questions) excepting people listed in the
nameservice-clients ACL.

The third line globally disables zone transfers.  We don't allow zone
transfers to strangers because we don't allow zone transfers to
strangers.  (*ahem*)  We only allow zone transfers to servers that are
secondary servers for the domain in question.  For instance, if we
happened to be WEB.CADIWARE.CH, the first nameserver listed for
linuxfromscratch.net, the secondary nameserver we'd be feeding would be
CADIMAIN.CADIWARE.CH, which is 212.40.14.4.

At the top of our named.conf, we'd be adding a new ACL like this...

acl lfs-net-secondaries {
  212.40.14.4;
};

...we'd be using an ACL to globally disable zone transfers, and then
we'd have a zone entry that looked a bit like this...

zone "linuxfromscratch.net" {
        file "pri/linuxfromscratch.net";
        type master;
        notify yes;
        allow-transfer { lfs-net-secondaries; };
};
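Assembled as an added example (not the poster's own file) is one named.conf that puts the pieces above together: the two ACLs, the global options, and the zone with its per-zone transfer override. The addresses and the zone file path are the ones given in the post; the `directory` path and the zone-level `allow-query { any; };` are assumptions, the latter because a server that is authoritative for a public zone still has to answer the world's non-recursive queries for that zone even when the global `allow-query` is locked down.

```conf
// Added example: a complete named.conf built from the post's fragments.
// Not the poster's configuration. Addresses and "pri/linuxfromscratch.net"
// come from the post; "/var/named" and the zone-level allow-query are assumed.

acl nameservice-clients {
  127.0.0.1;      // the server itself
  10.1.1.1;       // the one desktop we provide recursive service for
};

acl lfs-net-secondaries {
  212.40.14.4;    // CADIMAIN.CADIWARE.CH, secondary for linuxfromscratch.net
};

options {
  directory "/var/named";                  // assumed; match your own layout

  // Global defaults (least privilege): only listed clients may query or
  // recurse, and nobody gets a zone transfer unless a zone says otherwise.
  // "none" is BIND's built-in empty ACL.
  allow-query     { nameservice-clients; };
  allow-recursion { nameservice-clients; };
  allow-transfer  { none; };
};

zone "linuxfromscratch.net" {
  type master;
  file "pri/linuxfromscratch.net";
  notify yes;

  // Zone-level statements override the global ones for this zone only:
  // the world may ask authoritative (non-recursive) questions about it,
  // and only the listed secondary may pull a copy of it.
  allow-query    { any; };
  allow-transfer { lfs-net-secondaries; };
};
```

The important design point is the split between the two scopes: the global `allow-query`/`allow-recursion` decide who may use the box as a resolver, while the zone-level `allow-query` decides who may ask about data you are authoritative for. Leaving out the zone-level `allow-query { any; }` on a public authoritative server silently REFUSES every outside lookup of that domain. On BIND 9 the file can be syntax-checked before reloading with `named-checkconf`; a deliberate transfer attempt from a host outside `lfs-net-secondaries` should come back REFUSED.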

More information about the lfs-security mailing list