[337] in athena10
Re: Caching DNS for Athena 10
daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Mon Jul 28 18:27:40 2008
Message-Id: <200807282226.m6SMQscg025965@speaker-for-the-dead.mit.edu>
From: Jonathon Weiss <jweiss@MIT.EDU>
To: Kevin Chen <kchen@MIT.EDU>
cc: ghudson@MIT.EDU, athena10@MIT.EDU
In-reply-to: Your message of "Mon, 28 Jul 2008 16:43:23 EDT."
<alpine.DEB.1.10.0807281629200.6462@vinegar-pot.mit.edu>
Date: Mon, 28 Jul 2008 18:26:54 -0400
> On Mon, 28 Jul 2008, ghudson@MIT.EDU wrote:
>
> > 3. (Optional) Configure the caching resolver to listen only to 127.0.0.1
> > 4. (Optional) Configure the caching named to forward to MIT name servers
>
> > (3) is a simple configuration tweak to either package; the question is
> > whether we want to do it. If the cache is accessible from the
> > outside, it is perhaps easier to compromise since you can force the
> > cache to perform a DNS query on demand; on the other hand, that's
> > often not difficult to do through other means. Having the cache
> > accessible from the outside does make it easier to scan for
> > vulnerability.
>
> It also protects you in case any vulnerabilities in BIND happen to
> surface. If the only reason for listening externally is to scan for
> vulnerabilities, you should have that information already by getting the
> list of packages on the machine with athinfo, assuming that still exists
> in Athena 10. Doing whatever DNS queries you want is also much easier
> than getting a user to load a web page or something pointing to the
> desired name.
>
> Open recursion also allows random attackers to use your system to perform
> denial of service attacks from the system.
>
> Googling finds these documents, which might be useful:
> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
> http://www.afnic.fr/actu/nouvelles/general/NN20060404_en
> http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
> http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
In fact, we switched to this configuration for bind on athena,
primarily at my request, to protect ourselves from holes in bind.
> > 5. (Optional) Configure the search path to mit.edu
I use this on a daily basis, but I'm known not to be a good sample
set. Given the number of people using dhcp with their laptops I
suspect they're used to having to use FQDNs. OTOH, they may be less
tolerant of that for machines actually at MIT.
Jonathon
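As an added illustration of steps 3 and 4 from the quoted list (this is example configuration, not part of the original message and not Athena's actual named.conf), here is a BIND 9 `options` block with the open-recursion settings beside the locked-down ones. The two blocks are alternatives, not meant to coexist; the forwarder addresses are TEST-NET placeholders, since the thread does not name MIT's servers.

```conf
// --- Weak alternative: a caching named that listens on every interface and
// recurses for anyone. Any host that can reach port 53 can make this cache
// issue queries on demand, probe it for a vulnerable BIND version, and use
// it as a reflector for denial-of-service traffic against third parties.
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query { any; };
    allow-recursion { any; };
};

// --- Hardened alternative: step 3 (listen only on loopback) and step 4
// (forward to the site's name servers). Only processes on this workstation
// can reach the cache, so a hole in BIND is not exposed to the network and
// the cache cannot be used for reflection.
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    // Placeholder addresses (RFC 5737 TEST-NET-1); replace with the
    // site's recursive name servers.
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward only;
};
```

The workstation's own resolver then uses the cache via `nameserver 127.0.0.1` in `/etc/resolv.conf`; step 5 would add `search mit.edu` in the same file.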