[SATLUG] open DNS Resolver

Brad Knowles brad at shub-internet.org
Mon Apr 13 14:39:15 CDT 2009


on 4/13/09 2:13 PM, Bruce Dubbs said:

>> <http://www.shub-internet.org/brad/papers/dnscomparison/>).
> 
> The PDFs are missing and the PPTs don't seem to work for me in Open 
> Office.

Well, it was 2002, and I was already very experienced in this field by 
that time -- I was a technical reviewer of the 2nd edition of DNS & BIND. 
So, the tools I had available to me at the time have probably generated 
files that are no longer readable by modern programs.

I'll see if I can find local copies of the PDFs that I can re-upload, or 
find out where my provider may have moved things.

>> A quick search turned up more recent articles at 
>> <http://www.kb.cert.org/vuls/id/800113>, 
> 
> BIND was fixed over two years ago to cover this relatively exotic 
> vulnerability.  Just using a recent version of BIND fixes it.

Go back and read that page again.  This is the Kaminsky vulnerability. 
This is the largest DNS vulnerability ever demonstrated on the Internet, 
and is not limited to just BIND -- plenty of other programs are also 
vulnerable.

This page has numerous links to other documents, pages, and 
vulnerabilities.  Two documents of particular interest that it links to 
are the CERT's own "Securing an Internet Name Server" (see 
<http://www.cert.org/archive/pdf/dns.pdf>), and the NIST's Special 
Publication 800-81 "Secure Domain Name System (DNS) Deployment Guide" 
(see <http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf>).

Do not casually dismiss this one with a wave of your hand.

>> <http://www.seoconsultants.com/tools/dns/recursion/>.
> 
> Discusses the issues of someone who *wants* to run a public caching DNS 
> server.  Applies mostly to ISPs.

Don't casually dismiss this one, either.  They have lots of good links 
to vulnerabilities listed at us-cert.gov, as well as other articles that 
might be easier for less DNS-savvy people to understand.

Anyone who wants or needs to run a nameserver might benefit from reading 
many of those articles.

-- 
Brad Knowles
<brad at shub-internet.org>        If you like Jazz/R&B guitar, check out
LinkedIn Profile:                 my friend bigsbytracks on YouTube at
<http://tinyurl.com/y8kpxu>    http://preview.tinyurl.com/bigsbytracks

