On Wed, 5 Sep 2001, centipede wrote:

> I've been asking myself which way of doing DNS queries is more
> secure:
>
> 1. Putting your ISP's DNS servers in your resolv.conf file, thus
> letting (in my case) Netscape 6.1 open many ephemeral UDP ports,
> attaching mozilla-bin to them to do the DNS work.
>
> 2. Set up your own bind server and put 127.0.0.1 in your
> resolv.conf, ending up with only a TCP port no. 53 open, to which you would
> deny traffic, and a more dangerous open UDP port no. 1025
> attached to named, that would receive my DNS replies back, and
> should stay unfiltered...
>
> (Oh, OS is Linux)

There are actually two separate issues here. They are:

1. Is it more secure to forward all queries to my ISP's DNS servers, or to perform recursive queries myself?

2. Is it more secure to have replies from DNS servers be processed by a dedicated local nameserver, or by my operating system's standard C libraries?

The answer to #1 depends on your situation. If your ISP is really on the ball when it comes to applying security patches, intelligent firewalling, making sure their DNS servers are properly configured, and so forth, then you might want to go ahead and forward all your queries to them. If, on the other hand, you don't have great confidence in your ISP (i.e., you think they're lax with security, their DNS servers appear to be misconfigured, etc.), you might want to just perform name resolution yourself.

Consider also that if you forward all requests to your ISP's nameservers, and those nameservers are exploited by an attacker, and that attacker wants to use those nameservers to send malicious replies in response to queries, you will be a far more tempting (and vulnerable) target than random machines out on the Internet, because you will be sending *all* of your DNS traffic to your ISP's nameservers, and trusting the replies you receive back.
As for #2, it might be the case that if your local C resolver libraries contained buffer overflows, an attacker could remotely exploit any program on your system that resolved hostnames, by waiting for you to query his malicious DNS server and sending the attack in reply. If you are running your own local name server, then it would receive all replies from foreign name servers. Which is more likely to contain a security vulnerability? I don't know.

IMHO, since running a local caching-only nameserver is generally a performance win, and the risks of doing so can be minimized, it's generally a good idea.

This is my setup:

1. My local caching-only nameserver (bind 9.1.0) listens on the loopback only, and recursively answers all queries itself. It runs under its own uid/gid in a chroot() jail.

2. In terms of DNS traffic, using iptables, I only permit incoming TCP/UDP packets that are part of established connections, and I only permit outgoing packets that are new connections and are headed to port 53 on the destination host.

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
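The thread above turns on what happens at the "unfiltered" UDP port that receives replies: the packet filter's "established" rule only lets in datagrams whose source address and port reverse an outstanding query, and the resolver (libc or named) must then additionally check the transaction ID and the question section before trusting the answer. The following Python script is an added illustration of those two layers of matching, not code from the original message or from BIND; the server addresses, the local port 1025 and the example.com reply are constructed sample values.

```python
"""Added example: the checks a UDP DNS reply must pass before a resolver
accepts it. Layer 1 (5-tuple) is what iptables connection tracking enforces
for "established" UDP; layer 2 (transaction ID + question) is the resolver's job.
All addresses and packets below are constructed for the example."""
import struct


def encode_name(name):
    """Encode "example.com." as DNS wire labels: \x07example\x03com\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in a question section copied from our query.
            raise ValueError("compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(txid, qname, qtype=1):
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(txid, qname, qtype, rdata):
    """Constructed reply with one answer RR (name compressed to the question at offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


class PendingQueries:
    """Outstanding queries keyed by the 5-tuple a reply must reverse."""

    def __init__(self):
        self.pending = {}

    def send(self, server_ip, local_port, qname, txid, qtype=1):
        pkt = build_query(txid, qname, qtype)
        self.pending[(server_ip, 53, local_port)] = (txid, qname.lower(), qtype)
        return pkt

    def accept_reply(self, src_ip, src_port, dst_port, payload):
        # Layer 1: conntrack-style match. A datagram from any other source,
        # or to a port with no query outstanding, is simply dropped.
        key = (src_ip, src_port, dst_port)
        if key not in self.pending:
            return False, "no outstanding query for this source/port pair"
        txid, qname, qtype = self.pending[key]
        # Layer 2: resolver-side validation of the reply contents.
        if len(payload) < 12:
            return False, "truncated header"
        rid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
        if not flags & 0x8000:
            return False, "QR bit clear: not a response"
        if rid != txid:
            return False, "transaction ID mismatch"
        if qdcount != 1:
            return False, "unexpected question count"
        name, off = decode_name(payload, 12)
        rtype, _ = struct.unpack("!HH", payload[off:off + 4])
        if (name.lower(), rtype) != (qname, qtype):
            return False, "question section does not match what we asked"
        del self.pending[key]  # one reply per query; later duplicates are rejected
        return True, "accepted"


def demo():
    """Run constructed replies through the checks; returns outcome per case."""
    pq = PendingQueries()
    isp_ns = "192.0.2.53"          # constructed ISP resolver address (TEST-NET-1)
    pq.send(isp_ns, 1025, "example.com.", txid=0x1234)
    good = build_reply(0x1234, "example.com.", 1, bytes([192, 0, 2, 1]))
    return {
        "wrong_source": pq.accept_reply("198.51.100.9", 53, 1025, good)[0],
        "wrong_txid": pq.accept_reply(isp_ns, 53, 1025,
                                      build_reply(0x1235, "example.com.", 1, bytes([192, 0, 2, 1])))[0],
        "wrong_question": pq.accept_reply(isp_ns, 53, 1025,
                                          build_reply(0x1234, "example.net.", 1, bytes([192, 0, 2, 1])))[0],
        "good": pq.accept_reply(isp_ns, 53, 1025, good)[0],
        "duplicate": pq.accept_reply(isp_ns, 53, 1025, good)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point for the setup in the message: the iptables "established" rule provides only the first layer (source address and ports), and a forged reply from a server that you actually queried, or from an attacker who has taken over your ISP's nameserver, passes it; everything after that rests on the resolver's own checks, which is why the choice between libc and a chrooted, unprivileged named matters.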