[H-GEN] problems with accessing mail at bigpond

Robert Brockway robert at timetraveller.org
Sat May 4 08:27:05 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Sat, 4 May 2002, Greg Black wrote:

> | I certainly find having remote dns servers ready to answer queries useful
> | for diagnostics
> 
> Right now, I can't imagine a case where an open DNS server would
> be necessary for any diagnostics that I'd want to run, but maybe
> that's a failure of my imagination.

If I've delegated a domain recently, I might like to check how propagation
is going on remote servers. Granted within 48 hours it should have all
happened :)

I've had to deal with a number of bad dns setups done by other people and
I've found it useful to determine what view of the MX records a particular
remote dns server has.  Imagine dual masters with differing views of the
zone with no (or incomplete) network diagrams.  Usually along the lines of
internal/external servers - but not a proper split dns.

> All the servers that I run are closed to outsiders and I find
> that is increasingly the case.

I'm certainly interested in your reasons behind it and will consider this
also if I become convinced :)
 
> | I'd be interested in any security issues relating directly to having
> | a dns server which will answer queries from any host.
> 
> There was a time when new BIND exploits came out regularly and

Indeed, but I don't think exploits are directly connected to what we are
talking about.

***WHAT***?!?!?! you say ... I shall explain :)

The way to stop exploits is to block port 53, not necessarily to block a
particular type of dns query.  I block AXFR from non-slaves as this
information might be used to obtain a hostname, valid IP, etc for a future
attack.  Almost all dns servers now block AXFR except from hosts that need
it.

If a server I'm running is authoritative for a zone I'll need to leave port
53 open anyway thus I gain nothing by blocking external queries as the box
is open to the net anyway.

If I don't need to open port 53 I certainly won't.

I hope I was able to convey my meaning here.

Thinking about this I could envision a situation where an exploit was
directly related to the fact that queries were possible.  Even if queries
were blocked from outside (but the port was left open) you might still be
susceptible to spoofs, etc to compromise the system.  Has any exploit to
date been directly related to queries and no other dns function?

> in those days I kept a fake BIND server online to capture the
> attempts so that I could quantify them.  This is less true now

Good trick.

> than it was, but why open yourself to exploits when there's no
> need to provide this service?

A fair argument.

> It's not just a matter of security.  I resent providing services
> to people who aren't entitled to them -- if I run an open name

I understand this position also.

> server, I lose bandwidth to outside queries and I may cause my
> caches to be less effective for their intended users if those
> external queries force legitimate data out of the caches.

Cheers,
	-Rob

-- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
   Linux counter project ID #16440 (http://counter.li.org)
   blake: up 114 days, 20:49,  5 users,  load average: 1.01, 1.06, 1.02
   "The earth is but one country and mankind its citizens" -Baha'u'llah
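The AXFR restriction and the authoritative-versus-open-queries distinction Rob describes, as an added BIND 9 named.conf example that is not part of the original post; the zone name, the secondary addresses and the internal network are hypothetical placeholders.

```conf
// Added example (not from the original post): a BIND 9 named.conf fragment
// applying the policy discussed above. Zone name, addresses and networks
// are hypothetical placeholders.

// Hosts allowed to pull full zone copies (AXFR): our secondaries only.
acl "secondaries" {
    192.0.2.10;
    198.51.100.20;
};

// Hosts allowed to use this server as a recursive resolver.
acl "internal" {
    10.0.0.0/8;
    127.0.0.1;
};

options {
    directory "/var/named";

    // Weak setting: BIND's historical default was to allow transfers from
    // any host, which hands out every hostname and address in the zone.
    // allow-transfer { any; };

    // Hardened: AXFR only to the hosts that actually need it.
    allow-transfer { secondaries; };

    // Separate the two services the thread runs together. Authoritative
    // answers for our own zones must stay reachable from the whole net,
    // but recursion (which fills the cache and costs bandwidth for
    // outsiders' queries) is restricted to internal hosts.
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Authoritative data may be queried by anyone; that is the one reason
    // port 53 has to stay open on a public name server.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Tell the secondaries when the zone changes so they refresh promptly.
    notify yes;
    also-notify { 192.0.2.10; 198.51.100.20; };
};
```

With this loaded, a transfer requested from any host outside the secondaries ACL is refused (and logged) while ordinary queries for example.com still succeed, which is the check to run after reloading.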


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/