
Re: Caching DNS for Athena 10

daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Mon Jul 28 18:27:40 2008

Message-Id: <200807282226.m6SMQscg025965@speaker-for-the-dead.mit.edu>
From: Jonathon Weiss <jweiss@MIT.EDU>
To: Kevin Chen <kchen@MIT.EDU>
cc: ghudson@MIT.EDU, athena10@MIT.EDU
In-reply-to: Your message of "Mon, 28 Jul 2008 16:43:23 EDT."
             <alpine.DEB.1.10.0807281629200.6462@vinegar-pot.mit.edu> 
Date: Mon, 28 Jul 2008 18:26:54 -0400

> On Mon, 28 Jul 2008, ghudson@MIT.EDU wrote:
> 
> >  3. (Optional) Configure the caching resolver to listen only to 127.0.0.1
> >  4. (Optional) Configure the caching named to forward to MIT name servers
> 
> > (3) is a simple configuration tweak to either package; the question is
> > whether we want to do it.  If the cache is accessible from the
> > outside, it is perhaps easier to compromise since you can force the
> > cache to perform a DNS query on demand; on the other hand, that's
> > often not difficult to do through other means.  Having the cache
> > accessible from the outside does make it easier to scan for
> > vulnerability.
> 
> It also protects you in case any vulnerabilities in BIND happen to 
> surface.  If the only reason for listening externally is to scan for 
> vulnerabilities, you should have that information already by getting the 
> list of packages on the machine with athinfo, assuming that still exists 
> in Athena 10.  Doing whatever DNS queries you want is also much easier 
> than getting a user to load a web page or something pointing to the 
> desired name.
> 
> Open recursion also allows random attackers to use your system to perform 
> denial of service attacks from the system.
> 
> Googling finds these documents, which might be useful:
> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
> http://www.afnic.fr/actu/nouvelles/general/NN20060404_en
> http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
> http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf

In fact, we switched to this configuration for bind on athena,
primarily at my request, to protect ourselves from holes in bind.

> >   5. (Optional) Configure the search path to mit.edu

I use this on a daily basis, but I'm known not to be a good sample
set.  Given the number of people using dhcp with their laptops I
suspect they're used to having to use FQDNs.  OTOH, they may be less
tolerant of that for machines actually at MIT.

	Jonathon
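As an added illustration of the two options the thread debates (listen only on 127.0.0.1, forward to site name servers), here is a small checker that compares an open caching resolver against the locked-down shape Jonathon describes. The two `named.conf` fragments are constructed for this example, the forwarder addresses are RFC 5737 documentation placeholders rather than MIT's real name servers, and the parser is a deliberately minimal regex pass over the `options` block, not BIND's own parser; none of this is code from the thread or from Athena.

```python
import re

# Constructed named.conf fragments (not from the thread).  The first is a
# caching resolver reachable from every interface with recursion open to
# anyone; the second is the locked-down shape discussed in the thread.
OPEN_CACHE = """
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { any; };
    allow-query { any; };
};
"""

LOCAL_CACHE = """
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    // Placeholder forwarders (RFC 5737 documentation addresses), not MIT's.
    forwarders { 192.0.2.53; 198.51.100.53; };
    forward only;
};
"""

# Address-match-list tokens that never reach beyond the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(conf):
    """Drop // and # line comments so keywords inside them are not parsed."""
    return re.sub(r"(//|#)[^\n]*", "", conf)


def option_list(conf, name):
    """Return the tokens of an address-match list option, or None if absent."""
    pat = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])\s*\{([^}]*)\}"
    m = re.search(pat, conf)
    if not m:
        return None
    return {tok.strip() for tok in m.group(1).split(";") if tok.strip()}


def option_value(conf, name):
    """Return the single-word value of an option such as `recursion yes;`."""
    pat = r"(?<![\w-])" + re.escape(name) + r"\s+([\w-]+)\s*;"
    m = re.search(pat, conf)
    return m.group(1) if m else None


def assess(conf):
    """Classify a caching resolver config as exposed / open-recursive / forwarding."""
    conf = strip_comments(conf)
    # BIND recurses unless told `recursion no;`.
    recursion = option_value(conf, "recursion") != "no"
    # When a listen list is missing we assume all interfaces: the BIND
    # default differs between versions, and a checker should err toward
    # "exposed" rather than silently passing an unspecified setting.
    listen = (option_list(conf, "listen-on") or {"any"}) | \
             (option_list(conf, "listen-on-v6") or {"any"})
    listens_externally = any(t not in LOOPBACK and t != "none" for t in listen)
    rec_acl = option_list(conf, "allow-recursion")
    # Open recursion: reachable from outside, recursing, and recursion not
    # explicitly confined to the loopback host.
    open_recursion = recursion and listens_externally and \
        (rec_acl is None or not rec_acl <= LOOPBACK)
    return {
        "listens_externally": listens_externally,
        "open_recursion": open_recursion,
        "forwarders": option_list(conf, "forwarders") or set(),
        "forward_only": option_value(conf, "forward") == "only",
    }


if __name__ == "__main__":
    for label, conf in (("open cache", OPEN_CACHE), ("local cache", LOCAL_CACHE)):
        print(label, assess(conf))
```

The open configuration is reported as an open recursive resolver, which is the reflector case the quoted drafts describe; the loopback-only configuration is not, and additionally shows forwarding to the placeholder site resolvers with `forward only;` so the cache never walks the root itself.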
