At our March 2002 meeting, Cricket Liu of Men & Mice
talked about security problems
with various DNS implementations, including BIND and an unnamed
implementation that is still deployed and still has security problems. He outlined
how cache poisoning works, and how DNS servers can be lured into
participating in denial-of-service attacks.
After discussing ISC's matrix of common BIND security flaws and
drawing the conclusion that running the most recent version of
BIND 8 (8.3.1 or 8.2.5) or BIND 9 (9.2.0) is a good idea,
Cricket went on to discuss how to make these servers even more secure.
Minimizing the number of services your DNS server provides and
filtering incoming and outgoing traffic is a start; having BIND
run in a chroot environment as a non-root user is even better.
With a server running in a secure environment, Cricket talked
about how to configure BIND itself to reduce the potential
for security flaws.
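The hardening steps summarized above can be illustrated with a BIND 9 named.conf. The following is an added example written for this summary; it is not taken from Cricket's slides or from Men & Mice, and the chroot path, network ranges, host addresses, ACL names and zone name are assumed placeholders. Each setting is paired with a comment naming the permissive default it replaces.

```conf
// Added example (not from Cricket's slides): a hardened BIND 9 named.conf for a
// server that is authoritative for one zone and resolves only for its own network.
// Assumed: named is started in a chroot as a non-root user, e.g.
//   named -u named -t /var/named-chroot
// so every path below is relative to /var/named-chroot.

acl "internal"    { 127.0.0.1; 192.0.2.0/24; };  // assumed local network (documentation range)
acl "secondaries" { 198.51.100.5; };             // assumed secondary name server

options {
    directory "/etc";
    pid-file  "/var/run/named.pid";

    // Weak default: recursion is offered to everyone, so outsiders can use the
    // cache (making poisoning attempts easier) and bounce queries off this host
    // in a denial-of-service against third parties. Limit recursion to internal clients.
    allow-recursion { "internal"; };

    // Weak default: any host may pull a full copy of every zone (AXFR).
    // Limit transfers to the known secondaries; zones may narrow this further.
    allow-transfer { "secondaries"; };

    // Weak default: the exact release is returned for a version.bind TXT CH query,
    // which tells a scanner which of the flaws in ISC's matrix apply. Replace it.
    version "not disclosed";

    // Listen only on the addresses this server is meant to serve on; fewer open
    // sockets means less to filter at the packet filter.
    listen-on { 127.0.0.1; 192.0.2.53; };

    // Global default for ordinary queries: internal clients only.
    // The authoritative zone below overrides this so the world can resolve it.
    allow-query { "internal"; };
};

// Authoritative zone: anyone may query it, only secondaries may transfer it.
zone "example.com" IN {
    type master;
    file "zones/example.com.db";
    allow-query    { any; };
    allow-transfer { "secondaries"; };
    notify yes;
    also-notify { 198.51.100.5; };
};
```

The chroot directory must contain the configuration, zone files, the pid-file directory and anything named writes (logs, journal files), all owned by the unprivileged user; after starting, confirm with `named-checkconf` that the file parses and with a query from an outside address that recursion is refused.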
For the full details, consult Cricket's presentation slides (PDF, 347K).