[Dshield] BIND patches

Johannes Ullrich jullrich at euclidian.com
Thu Nov 14 14:14:28 GMT 2002

> My setup is: BIND 9.2.1, acting only as a caching name server. I have
> set up named to accept queries from localhost only, and my firewall only
> accepts UDP traffic from port 53 to any port if it comes from any of the
> two nameservers of my ISP, and UDP traffic from port 53 from any site as
> long as it is directed to port 53. TCP traffic to port 53 is blocked,
> period. named is running as user 'named'.

The setup is reasonable (other than that you may want to consider
chrooting). If you use iptables or another statefull firewall, you could
try and setup only outbound connections to your ISPs name servers. I am
not sure if this vulnerability could be exploited with UDP, but if it 
thats the case, the source of the exploit packet could be spoofed.
> Is the above setup reasonable? Using BIND for caching purposes only is
> probably overkill; should I consider an alternative NS? Anyone out there
> has any experience with this?

I am using BIND... haven't used anything else so far. But there is
djbdns ( http://djbdns.com/ ) from the guy that wrote qmail. I do use
qmail but am not a big fan of it.

I think there are a couple of minimal DNS servers that do just caching.
See freshmeat.net for a list.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20021114/0c2e7780/attachment.bin

More information about the list mailing list