question about bind9 from a clueless paranoid
I'm running Wheezy on several i386 boxes. Over the weekend I installed
bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
I noticed a comment in /etc/bind/named.conf.options (this is a file that
had just been installed by the bind9 package):

    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

I look at the page at the URL. It concerns poisoning of the DNS cache.
Debian is listed as being vulnerable and my D-Link DI-604 as unknown
vulnerability. The document dates from 2008, and my D-Link router was
purchased in 2004. It seems serious to this somewhat clueless geezer so
I decide to investigate further.

But I can't find any information more recent than 2008 by googling.
Surely there have been some more recent developments. What has happened?
Surely something has happened, but I find nothing.

-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110404131357.GC14745@big.lan.gnu
question about bind9 from a clueless paranoid
On Mon, 04 Apr 2011 07:13:57 -0600, Paul E Condon wrote:

> I'm running Wheezy on several i386 boxes. Over the weekend I installed
> bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
> I noticed a comment in /etc/bind/named.conf.options (this is a file that
> had just been installed by the bind9 package):
>
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> I look at the page at the URL. It concerns poisoning of the DNS cache.
> Debian is listed as being vulnerable

It should not be vulnerable... at least wheezy:

http://www.kb.cert.org/vuls/id/MIMG-7ECL6S

> and my D-Link DI-604 as unknown
> vulnerability. The document dates from 2008, and my D-Link router was
> purchased in 2004. It seems serious to this somewhat clueless geezer so
> I decide to investigate further.

You can ask D-Link for a firmware update but I can guess the answer:
"your product has been discontinued, please, update (aka: buy) to
another supported one".

BTW, none of my routers are listed there ;-(

> But I can't find any information more recent than 2008 by googling.
> Surely there have been some more recent developments. What has happened?
> Surely something has happened, but I find nothing.

I remember it was a very commented notice when it was disclosed (that
was the Kaminsky's DNS bug, right?).

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2011.04.04.15.35.48@gmail.com
question about bind9 from a clueless paranoid
On Mon, Apr 4, 2011 at 9:13 AM, Paul E Condon <pecondon@mesanetworks.net> wrote:

> I'm running Wheezy on several i386 boxes. Over the weekend I installed
> bind9 and dhcp3-server on one of them. While starting to set up dynDNS,
> I noticed a comment in /etc/bind/named.conf.options (this is a file
> that had just been installed by the bind9 package):
>
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
> I look at the page at the URL. It concerns poisoning of the DNS cache.
> Debian is listed as being vulnerable and my D-Link DI-604 as unknown
> vulnerability. The document dates from 2008, and my D-Link router was
> purchased in 2004. It seems serious to this somewhat clueless geezer
> so I decide to investigate further.
>
> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.
> What has happened? Surely something has happened, but I find nothing.

http://lists.debian.org/debian-security-announce/2008/msg00184.html

Archive: http://lists.debian.org/BANLkTinq0AVJ=pg0Ok1-9BBj6jJAFzXwww@mail.gmail.com
question about bind9 from a clueless paranoid
On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:

> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.
> What has happened? Surely something has happened, but I find nothing.

The problem you might face will not lie with bind9 but with your router.
Source port randomization by the name server fixes cache poisoning
attacks on it. However, it is highly likely your router de-randomises
the queries due to NAT and PAT. Mine does and I do wonder whether any
more modern device intended for home use does any better. Data are not
readily available but it's not unlikely manufacturers see little to gain
by altering their firmware.

I came to the conclusion there was no risk to the server (unbound in my
case) as long as the server was not answering queries from outside my
network. Reassurance would be welcome but I'm pretty sure of that.

Part of my testing was done at

https://www.grc.com/dns/dns.htm

First with my ISP's servers in /etc/resolv.conf and then replacing them
with 127.0.0.1 and forwarding port 53 on the router to the machine
running unbound.

Archive: http://lists.debian.org/20110404180551.GS7935@desktop
question about bind9 from a clueless paranoid
On 20110404_190551, Brian wrote:
> On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:
>
> > But I can't find any information more recent than 2008 by
> > googling. Surely there have been some more recent developments.
> > What has happened? Surely something has happened, but I find nothing.
>
> The problem you might face will not lie with bind9 but with your router.
> Source port randomization by the name server fixes cache poisoning
> attacks on it. However, it is highly likely your router de-randomises
> the queries due to NAT and PAT. Mine does and I do wonder whether any
> more modern device intended for home use does any better. Data are not
> readily available but it's not unlikely manufacturers see little to gain
> by altering their firmware.
>
> I came to the conclusion there was no risk to the server (unbound in my
> case) as long as the server was not answering queries from outside my
> network. Reassurance would be welcome but I'm pretty sure of that.
>
> Part of my testing was done at
>
> https://www.grc.com/dns/dns.htm

Thanks for this! But there is a lot to read (and hopefully understand).
One specific question: what is meant by 'unbound' in this context?

> First with my ISP's servers in /etc/resolv.conf and then replacing them
> with 127.0.0.1 and forwarding port 53 on the router to the machine
> running unbound.

And again here?

Archive: http://lists.debian.org/20110406052447.GD14745@big.lan.gnu
question about bind9 from a clueless paranoid
On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:

> On 20110404_190551, Brian wrote:
> > I came to the conclusion there was no risk to the server (unbound in my
> > case) as long as the server was not answering queries from outside my
> > network. Reassurance would be welcome but I'm pretty sure of that.
> >
> > Part of my testing was done at
> >
> > https://www.grc.com/dns/dns.htm
>
> Thanks for this! But there is a lot to read (and hopefully understand).
> One specific question: what is meant by 'unbound' in this context?

Unbound is a DNS server; an alternative to BIND.

> > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > running unbound.
>
> And again here?

Forwarding on the router isn't necessary to test the effect the router
has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
is no forwarding of DNS requests to another resolver. Edit resolv.conf to
use only 'nameserver 127.0.0.1'. Start BIND.

http://entropy.dns-oarc.net/test/

is quicker than grc.com to return a test result. You'll likely get a
rating of POOR but, assuming queries from the internet are not served,
your DNS cache cannot be poisoned because there is no access to it from
the outside.

Archive: http://lists.debian.org/20110406111404.GU7935@desktop
question about bind9 from a clueless paranoid
On 20110406_121404, Brian wrote:
> On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:
>
> > On 20110404_190551, Brian wrote:
> > > I came to the conclusion there was no risk to the server (unbound in my
> > > case) as long as the server was not answering queries from outside my
> > > network. Reassurance would be welcome but I'm pretty sure of that.
> > >
> > > Part of my testing was done at
> > >
> > > https://www.grc.com/dns/dns.htm
> >
> > Thanks for this! But there is a lot to read (and hopefully understand).
> > One specific question: what is meant by 'unbound' in this context?
>
> Unbound is a DNS server; an alternative to BIND.

OK, it's a pun ;-). Clueless I am.

> > > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > > running unbound.
> > And again here?
>
> Forwarding on the router isn't necessary to test the effect the router
> has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
> is no forwarding of DNS requests to another resolver. Edit resolv.conf to
> use only 'nameserver 127.0.0.1'. Start BIND.

To do this usefully, I have to first figure out how to configure my newly
installed instance of BIND9. Correct? I don't think I'm there yet...

> http://entropy.dns-oarc.net/test/

This gave me a passing grade on the DNS resolver run by my ISP. But there
was one duplicate port number in the sample of 25 tries. Maybe I should
not worry, but I'm still curious about how the system actually works.
Thanks for the pointer. Very fast.

> is quicker than grc.com to return a test result. You'll likely get a
> rating of POOR but, assuming queries from the internet are not served,
> your DNS cache cannot be poisoned because there is no access to it from
> the outside.

This contains information that's new to me. You seem to be saying that
my copy of BIND on my computer is building its own internal cache.
I don't see any reason why it couldn't contain a cache, but I haven't
read anywhere that it actually *does* have a cache internally. Does it
contain a cache?

Thanks.

-- 
Paul E Condon
pecondon@mesanetworks.net

Archive: http://lists.debian.org/20110406182042.GA963@big.lan.gnu
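Added example, not code from the thread or from any poster: a small Python script applying the idea behind the grc.com and dns-oarc randomness tests that Brian and Paul discuss to a constructed sample of 25 observed source ports, flagging the fixed or sequential ports a NAT router can impose as POOR, and computing how likely one repeated port is by chance in a sample of that size. The port range and the POOR/GOOD thresholds are assumptions of this example, not the online tests' actual scoring.

```python
"""Heuristic check of a resolver's UDP source-port sample (constructed data).
A resolver that picks a fresh random port per query resists Kaminsky-style
cache poisoning; a NAT router that rewrites ports to a fixed or sequential
value undoes that protection, which is what the online tests measure."""
import math

PORT_RANGE = (1024, 65535)  # assumed: BIND 9's default range for outgoing UDP

# Constructed: 25 ports as a NAT box handing out sequential ports would show.
NAT_SEQUENTIAL = list(range(1025, 1050))
# Constructed: 25 well-spread ports with one duplicate (41092), like the
# single repeat Paul saw in his 25-query test.
RANDOM_SAMPLE = [41092, 5531, 60211, 17845, 33007, 52180, 2790, 48631, 12354,
                 58943, 27416, 39801, 9075, 63120, 21567, 45298, 30984, 55639,
                 14708, 36452, 50217, 7199, 61874, 24039, 41092]

def port_stats(ports):
    """Distinct values, spread, and how often a query reused/incremented the last port."""
    steps = sum(1 for a, b in zip(ports, ports[1:]) if 0 <= b - a <= 1)
    return {"n": len(ports), "unique": len(set(ports)),
            "span": max(ports) - min(ports), "sequential_steps": steps}

def rate_ports(ports):
    """POOR if ports look fixed, sequential or confined to a tiny window; else GOOD.
    One repeated port in a sample is expected by chance and is not penalised."""
    s = port_stats(ports)
    if s["unique"] <= 1:                      # a single fixed source port
        return "POOR"
    if s["sequential_steps"] >= s["n"] // 2:  # NAT allocating ports in order
        return "POOR"
    if s["span"] < 1024:                      # all ports squeezed together
        return "POOR"
    return "GOOD"

def collision_probability(n, port_range=PORT_RANGE):
    """Birthday bound: chance that n uniformly random ports contain a repeat."""
    size = port_range[1] - port_range[0] + 1
    return 1 - math.prod(1 - i / size for i in range(n))

if __name__ == "__main__":
    for name, sample in (("sequential NAT", NAT_SEQUENTIAL), ("random", RANDOM_SAMPLE)):
        print(f"{name}: {rate_ports(sample)} {port_stats(sample)}")
    print(f"P(any repeat in 25 random ports) = {collision_probability(25):.3%}")
```

For 25 queries drawn from the assumed range, a single repeated port has well under a 1% chance of occurring, so on its own it says nothing about the resolver's randomness.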
question about bind9 from a clueless paranoid
On Wed 06 Apr 2011 at 12:20:42 -0600, Paul E Condon wrote:

> To do this usefully, I have to first figure out how to configure my newly
> installed instance of BIND9. Correct? I don't think I'm there yet...

If all you want to do is have named do lookups and cache the replies it
works without changing the installed configuration. Forwarders can be
designated in /etc/bind/named.conf.options.

> This contains information that's new to me. You seem to be saying
> that my copy of BIND on my computer is building its own internal
> cache. I don't see any reason why it couldn't contain a cache, but I
> haven't read anywhere that it actually *does* have a cache
> internally. Does it contain a cache?

The README.Debian mentions it. The cache is kept in memory for a certain
length of time. Run, for example, 'dig debian.net' twice and look at the
Query Time. The second value should be close to 0 ms.

Archive: http://lists.debian.org/20110406221619.GV7935@desktop