Delivered-To: [EMAIL PROTECTED] Date: Fri, 14 Nov 2003 22:38:13 +1100 From: Andrew Pam <[EMAIL PROTECTED]> Subject: Re: [IP] China DNS filters and collateral damage To: Dave Farber <[EMAIL PROTECTED]>
On Fri, Nov 14, 2003 at 06:11:19AM -0500, Dave Farber wrote: > Many of these university DNS servers are the same ones used for > recursive queries by the university's client hosts.
While this is the default for the widely deployed BIND nameserver, it is a poor security practice. My professional advice to the system administrators would be to run resolving DNS servers on different hosts than their authoritative nameservers, which would not only alleviate the symptoms described but also reduce the vulnerability of the authoritative nameservers from exposure to the systems authorised to use them as resolvers. (For example, DoS and cache poisoning attacks.) Furthermore, this may eliminate the requirement to connect the authoritative nameservers to the internal network at all, thus also reducing the risk of exposure to external attacks against the nameservers - as indeed resulted in security breaches at many sites some years ago.
Regards,
Andrew Pam
--
mailto:[EMAIL PROTECTED] Andrew Pam
http://www.xanadu.com.au/ Chief Scientist, Xanadu
http://www.glasswings.com.au/ Technology Manager, Glass Wings
http://www.sericyb.com.au/ Manager, Serious Cybernetics
------------------------------------- You are subscribed as [EMAIL PROTECTED] To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
