From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Fri, 11 Jul 2008 10:44:46 -0700
To: Jeremy Chadwick
Cc: freebsd-security@freebsd.org, Remko Lodder, secteam@freebsd.org
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <48779C0E.2020807@FreeBSD.org>
In-Reply-To: <20080711162913.GA55187@eos.sc1.parodius.com>
References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> <20080711162913.GA55187@eos.sc1.parodius.com>
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"

Jeremy Chadwick wrote:
> The problem here is WRT network ACLs. The only solution is to bind BIND
> to a specific IP address and permit any outbound TCP or UDP traffic +
> any inbound TCP or UDP traffic to port 53.

Not quite any inbound traffic; named will pick a source port > 1024. In
the current beta versions there is an option to restrict the ports
chosen to a range.

I'm also not quite sure what kind of server you're talking about here.
If it's authoritative, then by definition you have to allow all inbound
traffic to port 53.

> Most network administrators I know of won't like that, as they deny all
> incoming *and* outgoing traffic, then apply permit ACLs. There's no
> "clean" or "strict" permit ACL, while with port XX, you can at least
> narrow down things UDP-wise a bit more.

False economy. The "danger" of allowing inbound UDP traffic is
infinitely less than the danger of having a recursive resolver's cache
poisoned.

The new way of things would be to define those UDP ports that run
services other than named on the system, add those to the avoid-*
option(s) in named.conf, and block those ports at the firewall, leaving
everything else open.

Of course, almost any modern firewall should have keep-state
functionality for UDP, so all of this should be moot.

> I'll add that the stock src/etc/namedb/named.conf even advocates the use
> of query-source ...

It doesn't advocate; it gives an example. This is the reason I am
resistant to adding too many examples to our installed named.conf; it
is too easy for people to misinterpret them.

Doug

-- 
This .signature sanitized for your protection
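The approach Doug describes (list the UDP ports other services use on the resolver host in named's avoid-* option so that firewall rules blocking inbound traffic to those ports never swallow replies to named's randomised query ports) lends itself to a small consistency check. The script below is an added example, not code from the thread or from the BIND or FreeBSD projects. It assumes the `avoid-v4-udp-ports` option name from BIND 9's named.conf, the column layout of FreeBSD's `sockstat -l` output, and, following the message, that named picks query source ports above 1024; the sockstat output and named.conf fragment are constructed samples, not captured from a real host.

```python
"""Report UDP ports bound by services other than named that are not listed
in avoid-v4-udp-ports, i.e. ports named may still pick as a query source
port even though the firewall is expected to block inbound traffic to them."""
import re

# Constructed sample of `sockstat -4 -l -P udp` output (not from a real host).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   192.0.2.10:53         *:*
root     ntpd       890   21 udp4   *:123                 *:*
root     racoon     1011  6  udp4   192.0.2.10:500        *:*
root     racoon     1011  7  udp4   192.0.2.10:4500       *:*
root     openvpn    1302  5  udp4   *:1194                *:*
"""

# Constructed named.conf options fragment; only port 4500 has been avoided.
NAMED_CONF = """\
options {
    directory "/etc/namedb";
    avoid-v4-udp-ports { 4500; };
};
"""

# Assumption taken from the message: named picks source ports above 1024, so
# lower ports are not candidates for a query source port and are not reported.
NAMED_LOW_PORT = 1024


def listening_udp_ports(sockstat_text):
    """Map each locally bound UDP port to the command holding it."""
    ports = {}
    for line in sockstat_text.splitlines():
        fields = line.split()
        # Skip the header row and any non-UDP sockets.
        if len(fields) < 6 or not fields[4].startswith("udp"):
            continue
        command, local_address = fields[1], fields[5]
        port = int(local_address.rsplit(":", 1)[1])
        ports[port] = command
    return ports


def avoided_ports(named_conf_text, option="avoid-v4-udp-ports"):
    """Collect the ports in an avoid-*-udp-ports block, expanding 'range A B'."""
    match = re.search(re.escape(option) + r"\s*\{([^}]*)\}", named_conf_text)
    if not match:
        return set()
    ports = set()
    for entry in match.group(1).split(";"):
        words = entry.split()
        if not words:
            continue
        if words[0] == "range" and len(words) == 3:
            ports.update(range(int(words[1]), int(words[2]) + 1))
        else:
            ports.add(int(words[0]))
    return ports


def unavoided_service_ports(sockstat_text, named_conf_text, low_port=NAMED_LOW_PORT):
    """Ports held by a service other than named, inside named's source-port
    range, and missing from the avoid list: firewalling these would drop
    named's replies unless they are added to avoid-v4-udp-ports."""
    listening = listening_udp_ports(sockstat_text)
    avoided = avoided_ports(named_conf_text)
    return sorted(port for port, command in listening.items()
                  if command != "named" and port >= low_port and port not in avoided)


if __name__ == "__main__":
    for port in unavoided_service_ports(SOCKSTAT_OUTPUT, NAMED_CONF):
        print(f"UDP port {port} is bound by another service but is not in avoid-v4-udp-ports")
```

On the sample data the only finding is port 1194 (openvpn): 4500 is already avoided, and 123 and 500 sit below the range named draws source ports from. The check says nothing about the firewall itself; as the message notes, a stateful rule for named's outbound UDP makes the whole exercise moot, and this script is only for hosts that cannot rely on keep-state.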