More on the DNS/BIND Problems...and one solution...

J.L.Francois jlf@magusnet.gilbert.az.us
Tue, 30 Jan 2001 20:01:00 -0700


Since I am still unemployed I seem to have a lot more free time on my hands to
test out new stuff.

For those of you that are scrambling to fix systems because of the latest round
of BIND bugs, here is something I have just deployed that you might find useful
before the script kiddies head your way.
( You are fixing your systems, right?? Or are you playing the "there are lots of
systems on the Internet so I won't get cracked" game??? )

First read these:
http://www.cert.org/advisories/CA-2001-02.html
http://www.isc.org/products/BIND/bind-security.html

Ok...you should be wide awake now.

I currently have 3 domains:
magusnet.com
magusnet.gilbert.az.us
francois.gilbert.az.us

All are being served by the nameserver on the firewall which is a forwarder
host for my Internal machines which are all on private RFC1618 space.

Problem:
I was running BIND on the firewall but that is a bad thing in light
of the latest issues.
However, I need to have a visible nameserver to resolve my domains
for external lookups that is not connected to my internal DNS config.


So after a little work ( 2 hours ) I set up a system so that my internal
OpenBSD DJBDNS servers are now authoritative for my domains and I have a
proxy port running on the firewall that listens for requests on
UDP Port 53.

This accomplishes a few things.

I am now running DJBDNS exclusively on OpenBSD
Sparc systems internally for all DNS: http://cr.yp.to/djbdns

I can now arbitrarily point to any internal hosts for DNS resolution
independent of the firewall by modifying the Proxy config and sending
a HUP signal. My IDS is integrated into my proxy software to watch activity.

By default Zone Transfers are disabled without any fancy directives in a conf file.
Later on when I feel like it I can put the DJBDNS cache server on the firewall
but I am in no rush to do it right now.

No matter which of the domains I have are looked up, all SOA records
will look like magusnet.com zone files to accomplish configuration masking.

It's fast!! I configured the proxy to spawn 32 processes to handle DNS requests
and it's better than it ever was for speed on a Pentium 133 with 64MB RAM.

So, it looks like BIND is dead at MagusNet, Inc. for the time being.
Once they get the bugs worked out in BIND 9+ I might have to look at it again.

For those of you that have Proxy type Firewalls this should be relatively easy for
you to set up if you have at least one *NIX type box on your internal LAN and
your vendor software is capable of supporting Reverse Proxy DNS requests.

I am not sure how this BIND problem affects Windows shops.
Those admins have enough to worry about with still unpatched exploits in IIS
and other services so I hope that ports of BIND to Windows are ok, but I
wouldn't bet my LAN on it.

Anyone out there have any other good BIND or other Security 
solution stories to share?

Jean Francois - JLF Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
MagusNet, Inc. - Design * Develop * Integrate
My Certifications: http://www.magusnet.com/resume.txt
Internet / Intranet Deployment, SQL Database Access for WWW,
Secure Offsite Data Storage, Disaster Recovery Planning and Management,
UNIX System Security, CGI & SQL programming, UNIX Training, Linux/BSD support,
Proxy/Filtering Firewalls, & UNIX System Administration.
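
The setup described in the post (a UDP/53 listener on the firewall relaying queries to internal authoritative servers, reconfigured with a HUP) can be sketched in a few dozen lines. The following is an added example written for this page, not the poster's proxy software or djbdns code: it parses just enough of the DNS header and question section to log and police each query, refuses AXFR/IXFR before anything reaches the internal server (the post notes zone transfers are off by default; over a UDP-only relay they cannot complete anyway), checks that a reply comes from the configured upstream with a matching transaction ID before passing it back, and re-reads its upstream address on SIGHUP. The listen address, the upstream address 192.0.2.53, and the one-line config file format are assumptions chosen for the example.

```python
"""UDP DNS forwarding proxy for an outward-facing host.
Added example, not the original poster's software; addresses, ports and the
config-file format are placeholders chosen for illustration."""
import signal
import socket
import struct

QTYPE_AXFR, QTYPE_IXFR = 252, 251
CONFIG = {"listen": ("0.0.0.0", 53), "upstream": ("192.0.2.53", 53)}  # assumed
CONFIG_FILE = "dnsproxy.conf"  # assumed format: one line "upstream <ip> <port>"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query: RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Return (txid, qname, qtype, qclass) of the single question.
    Raises ValueError on responses, non-standard opcodes, compression
    pointers inside the question, truncation, or over-long names."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0:
        raise ValueError("not a standard query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(pkt) or pos - 12 > 255:
            raise ValueError("bad label")  # pointer, truncated, or name too long
        labels.append(pkt[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels) or ".", qtype, qclass


def allowed(qtype):
    """Policy: never relay zone-transfer queries to the internal server."""
    return qtype not in (QTYPE_AXFR, QTYPE_IXFR)


def refused(txid, qname, qtype, qclass):
    """Response with QR=1, RD=1, RCODE=5 (REFUSED), question echoed, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def handle(pkt, upstream, timeout=2.0):
    """Relay one query over UDP. Unparseable packets are dropped (None),
    disallowed types get REFUSED locally, and only a reply from the
    upstream address carrying the same transaction ID is returned."""
    try:
        txid, qname, qtype, qclass = parse_question(pkt)
    except ValueError:
        return None
    if not allowed(qtype):
        return refused(txid, qname, qtype, qclass)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(pkt, upstream)
        while True:
            reply, peer = s.recvfrom(4096)
            if peer == upstream and reply[:2] == pkt[:2]:
                return reply  # late or forged replies never match and are ignored
    except socket.timeout:
        return None
    finally:
        s.close()


def load_config(path=CONFIG_FILE):
    """Re-read the upstream from the config file; keep current values if absent."""
    try:
        with open(path) as f:
            for line in f:
                parts = line.split()
                if len(parts) == 3 and parts[0] == "upstream":
                    CONFIG["upstream"] = (parts[1], int(parts[2]))
    except OSError:
        pass
    return CONFIG


def serve():
    load_config()
    signal.signal(signal.SIGHUP, lambda *_: load_config())  # HUP repoints the proxy
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(CONFIG["listen"])
    while True:
        pkt, client = sock.recvfrom(512)
        reply = handle(pkt, CONFIG["upstream"])
        if reply:
            sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Binding UDP/53 needs root, so in practice the listener would be started privileged and then drop to an unprivileged user, and the internal server must only ever be reachable through this relay; the proxy does no caching and does not rewrite the reply, so whatever SOA the internal server hands out is what the outside world sees.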