[plug] OT: latest worm affecting bind
Steve Vertigan
vertigan at bigfoot.com
Thu Mar 29 17:27:04 WST 2001
Mike Holland wrote:
> I have the UDP dns port open for receiving replies, as in the HOWTO.
>
> # Accept DNS answers on privileged port.
> ipchains -A input -j ACCEPT -i ppp+ -d 0/0 53 -p udp
>
> Is that safe? I closed it and bind still seems to work locally, presumably
> getting replies back over a TCP connection that my end opened.
>
> Why might I want the UDP port open, as given in the HOWTO example?
If I read that correctly you're allowing -incoming- connections to your
port 53, not a good idea if you're running a vulnerable bind daemon.
Later versions of bind, when making an outgoing connection, will make it
on an unprivileged port (ie 1024-65536ish) unless explicitly instructed
to use port 53, which would be why you can still do dns lookups with that
line removed. To be thorough you could only allow incoming connections
-from- port 53 and -to- an unprivileged port, although you probably want
the unprivileged ports open for other services.
Also I don't know if anyone else has mentioned this yet but there is an
alternative to using bind at all, djbdns which can be found at
http://cr.yp.to/djbdns.html
It's by the same author as qmail and is to bind as qmail is to sendmail:
much smaller, more secure, more of a pain in the ass to set up, etc,
etc. Unless you're pretty gung-ho on dns it's possible you could come to
grief installing this on a production system (I did) just because it's
so different to bind in its implementation and configuration, but it
does have the same unclaimed $500 reward as qmail for the first person
to discover a security hole in it (let's see Bill Gates offer that).
Regards,
Steve
--
FreeBSD maelstrom.dyn.dhs.org 3.4-STABLE i386
5:10PM up 17 days, 53 mins, 2 users, load averages: 0.07, 0.05, 0.01
The state law of Pennsylvania prohibits singing in the bathtub.
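As an added illustration (not part of the original thread), a small Python matcher that models the two ipchains policies contrasted above: the HOWTO rule that accepts anything to udp/53, and the tighter variant that accepts only replies from port 53 to an unprivileged port. The sample packets and the 1024-65535 range are constructed.

```python
"""Toy packet matcher for the two DNS firewall policies discussed above.

Constructed example: it models only the fields those rules use
(protocol, source port, destination port), not full ipchains semantics.
"""
from dataclasses import dataclass

UNPRIV_MIN, UNPRIV_MAX = 1024, 65535  # assumed unprivileged port range


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    sport: int   # remote (source) port
    dport: int   # local (destination) port


def howto_rule(pkt: Packet) -> bool:
    """ipchains -A input -j ACCEPT -i ppp+ -d 0/0 53 -p udp
    Accepts any UDP datagram addressed to our port 53, which includes
    unsolicited queries aimed at a bind daemon listening there."""
    return pkt.proto == "udp" and pkt.dport == 53


def reply_only_rule(pkt: Packet) -> bool:
    """Tighter variant: accept UDP only when it comes *from* port 53
    and is addressed *to* an unprivileged local port, i.e. an answer
    to a query that a modern bind sent from a high port."""
    return (pkt.proto == "udp" and pkt.sport == 53
            and UNPRIV_MIN <= pkt.dport <= UNPRIV_MAX)


def classify(pkt: Packet, rule) -> str:
    return "ACCEPT" if rule(pkt) else "DENY"


# Constructed sample traffic arriving on the ppp+ interface
SAMPLES = {
    "reply_to_modern_bind": Packet("udp", 53, 40213),  # query sent from high port
    "reply_to_old_bind":    Packet("udp", 53, 53),     # query sent *from* port 53
    "unsolicited_query":    Packet("udp", 2048, 53),   # a stranger querying us
    "tcp_reply":            Packet("tcp", 53, 40214),  # not covered by either rule
}


def compare() -> dict:
    """Return {sample: (howto verdict, reply-only verdict)} for every sample."""
    return {name: (classify(p, howto_rule), classify(p, reply_only_rule))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:22s} howto={a:7s} reply_only={b}")
```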