
Re: [cobalt-users] DNS problem - please help! {Scanned}



Hmm...

SW wrote:
<log message snipped>

--------------
The denied queries above are due to adding the allow-query directive in
/etc/named.conf:

options {
        directory "/etc/named";
        allow-recursion { xxx.xxx.xxx.xx/27; localhost; };
        allow-query { xxx.xxx.xxx.xx/27; localhost; };
        version "WPPi Name Server - NA";
        allow-transfer { xxx.xxx.xxx.xx; };
-----------
xxx.xxx.xxx.xx above is our IP block
----------
We added the allow-query option after running a security check which
recommended we add 'allow-recursion' and 'allow-query' to bind to prevent
various vulnerabilities. But I thought these changes would still allow users to
get DNS info for mail and httpd info, etc.

Well, the thing is, your named seems to be running fine, but the
problem is obvious (or so I think). You've allowed only your own
IPs to query your DNS server. That's fine if you are doing it
in a closed environment, but if you do not allow the rest of the
world to query your DNS server... I guess the consequences are
pretty clear :)

Maybe the vulnerability should have been a problem of allowing
anybody to conduct a "zone transfer" from your DNS server. Denying
the rest of the world from ever querying your DNS is good for
security (just like plugging the network out), but it defeats the
purpose of having a DNS? Your vulnerability analyst seems to be pretty
paranoid, but the Cobalt was never meant for a highly security
conscious environment in the first place.

My suggestion is to keep the "allow-transfer" line as it is, and
to remove the "allow-recursion" and "allow-query" lines. I hope you
know what you are doing when you added those two lines in the first
place. :)


Regards.
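
An added example, not part of the original post or the poster's configuration: a small Python check of which clients the address-match lists in the quoted options block admit, before and after the two lines are removed. 192.0.2.0/27, 192.0.2.10 and 198.51.100.7 are constructed stand-ins for the redacted block, the transfer peer and an outside resolver; named ACLs and `!` negation are not handled.

```python
import ipaddress
import re

# Constructed stand-in for the posted options block (real addresses were redacted).
POSTED = """
options {
        directory "/etc/named";
        allow-recursion { 192.0.2.0/27; localhost; };
        allow-query { 192.0.2.0/27; localhost; };
        allow-transfer { 192.0.2.10; };
};
"""
# The same block with the two lines the reply suggests removing taken out.
SUGGESTED = "\n".join(
    line for line in POSTED.splitlines()
    if "allow-recursion" not in line and "allow-query" not in line
)

def acl(conf, directive):
    """Return the address-match list of `directive`, or None if it is absent."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def matches(client, element):
    """Does one address-match element cover the client address?"""
    ip = ipaddress.ip_address(client)
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        # Simplification: named matches every address of the server itself.
        return ip.is_loopback
    return ip in ipaddress.ip_network(element, strict=False)

def allowed(conf, directive, client):
    """True/False for an explicit list. None means the directive is absent and
    named's built-in default applies (for allow-query that default is any)."""
    entries = acl(conf, directive)
    if entries is None:
        return None
    return any(matches(client, e) for e in entries)

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        for d in ("allow-query", "allow-recursion", "allow-transfer"):
            print(name, d, allowed(conf, d, "198.51.100.7"))
```

With the posted block the outside client is refused by allow-query, which is the denial seen in the log; with the two lines removed only allow-transfer still restricts it.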