DNS Server Survey Reveals Mixed Security Picture 109
Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.
I hate video without transcripts (Score:2, Interesting)
Security? It's quite simple (Score:5, Informative)
2) Put restrictions on recursive queries.
3) Lock down box.
4) Profit.
Re:Security? It's quite simple (Score:4, Funny)
Re: (Score:1)
BIND's crime is of being yet another piece of open-source software trying to become its own operating system with extremely verbose, anal-retentive configs.
It's nice to have extensive configurability for those unique situations, but sometimes you just want a frickin' DNS lookup. "somename.com = a.b.c.d" and be done with it. The problem is most open-source apps aren't designed to be usable, they're designed to be "geek cool" and to somehow distance us sysadmins from the '
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
That's why it's super-cool to run TWO separate DNS servers, so a quick reboot of each one in turn to apply updates won't really be noticed by anyone who had the foresight to define both servers on their client machines.
Re: (Score:2)
Djbdns is a smaller much simpler DNS server with a simple config syntax (and simple
Powerdns has a smaller featureset, but lets you serve dns records from an sql database and some other neat stuff
There was also an ultra simple dns server i saw which simply used a file format like
Bind's configs are perhaps more awkward than they need to be, but there are also several frontends to bind that can s
Re: (Score:2)
Re: (Score:1)
With my respectable knowledge of DNS, I still declare BIND to be overcomplicated and in need of a redesign. Much like all the other big Linux apps, it consists of immensely useful functionality wrapped in a baroque layer of crud. How can someone spend so much effort writing an excellent feature set, then hide it away beneath poorly-documented interfaces that even the developers don't consistently understand ? It's a cop-out.
Re: (Score:1)
This is just unfathomable to me. You're talking about open source software there.
Re:Security? It's quite simple (Score:5, Funny)
Re: (Score:1)
Its a terrorist!
Re: (Score:1, Funny)
Re: (Score:2)
Re: (Score:1)
Hypotheses != data (Score:3, Insightful)
The HYPOTHESIS is that this is motivated by security concerns.
Conflating the two, as the summary does, is frankly retarded and exceptionally bad practice.
Re: (Score:3, Interesting)
But what is also important to consider is what requirements a given dns server has and assuming that there will be vulnerabilities in the dns implementation, what you can do to mitigate it.
Windows DNS requires RPC (which was the cause of the vulnerability as you point out) and requires many other default windows components, many of which are difficult/impossible to remove and have
Re: (Score:2)
But going purely on vulnerabilities, we should probably all be running djbdns.
No way. djbdns doesn't even support IXFR, so instead of configuring a TSIG key for your master and slave servers and being done with it, you instead have to roll your own secure incremental filecopy implementation. Maybe you didn't want to run sshd or rsyncd on your slaves. Doesn't matter - now you have to because djbdns can't be bothered to handle it for you.
So, is djbdns more secure than BIND9 in the functionality it actually provides? Maybe. But if you want to actually use it, you have to set up
Re: (Score:1)
Re: (Score:2)
How many DNS servers lack SSH set up for unattended connections to remote servers, either by using password authentication, passwordless RSA keys, or ssh-agent? Hopefully all of them. Well, except for the ones running djbdns.
Re: (Score:1)
How many DNS servers lack SSH set up for unattended connections to remote servers, either by using password authentication, passwordless RSA keys, or ssh-agent? Hopefully all of them.
SSH supports binding a key to a command in .ssh/authorized_keys. Also supports IP matching too.
Well, except for the ones running djbdns.
Looks like you can get djbdns to do AXFR, too.
Re: (Score:3, Informative)
I was soliciting input from people who know what they are talking about, not from today's lets-bash-x crowd.
I don't like djbdns - I've never tried to hide that - but these are factual, documented problems and not just something I'm inventing to bash on it.
SSH supports binding a key to a command in .ssh/authorized_keys. Also supports IP matching too.
But again, you the sysadmin have to set this up correctly on every machine you touch. If you're configuring BIND9 and TSIG and screw up, then the worst case scenario is that that it's buggy or you screw it up and an attacker can fiddle with your DNS data. If you're configure djbdns + SSH, then the worst case scenario is that sshd or tcpwrappers has a bug
Re: (Score:1)
If you're configuring BIND9 and TSIG and screw up, then the worst case scenario is that that it's buggy or you screw it up and an attacker can fiddle with your DNS data. If you're configure djbdns + SSH, then the worst case scenario is that sshd or tcpwrappers has a bug or you screw it up and that gives attackers access to your entire host, including the DNS data.
Actually, both scenarios lead to the same worst case: potential root access. With both BIND and djbdns -- or pretty much any program that binds to a well-known port -- you are at the mercy of that process switching to the correct set of privileges.
Of course, djbdns could come with some special scripts to implement well-tested solutions.
IXFR (incremental transfer) is for when you have 10,000 dynamic DNS clients making changes to your zone file, and you need to propagate those changes to your slaves in realtime. Ideally, this won't require sending the whole zone file each time or wiring a trigger to fire off rsync every time an update is made. This is used very commonly in corporate setups where DHCP gives out IPs and hostnames to clients, or at least that's how we use it in conjunction with Active Directory.
The Windows admins I've encountered are hopeless when it comes to DNS (blaming every strange issue they encounter on DNS, for example). Best current practice over here is t
Re: (Score:2)
Of course, djbdns could come with some special scripts to implement well-tested solutions.
Won't happen. djbdns is proprietary and hasn't been updated since 2001-02-11, so the best you can hope for is a generally agreed upon best practice.
The Windows admins I've encountered are hopeless when it comes to DNS (blaming every strange issue they encounter on DNS, for example). Best current practice over here is to never have Active Directory and public DNS interact.
We isolate the two by creating a zone for AD to screw around with. The company has example.com, and AD controls lan.example.com. Nothing "important" is inside that subdomain so if it breaks horribly we can still get work done.
In that case, djbdns would be a good solution. Are you suggesting that we switch to BIND?
No. I am suggesting that you research djbdns's criticisms, though. For starters, it's not F/OSS so expect a fair amount of in
Re: (Score:3, Interesting)
This is a very true statement. As a pretty much clueless when it comes to DNS Windows admin I would never try to host internet facing DNS with Windows DNS. What I d
Re: (Score:1)
Looks like that ideal went out the window:
Re: (Score:1)
What I do is setup all of the AD domains with .local and use forwarders that point to real DNS servers to resolve anything that isn't on the local network. Like everything else Microsoft related, the MS version of the technology is there to let the MS boxes talk to each other. When you want your boxes to go play in the real world, it is best to hand that responsibility over to something running *nix.
That is precisely what we did, right down to using .local. To be fair to the Windows guys, I am not all that familiar with Active Directory and other critical Windows networking systems. I keep to the Unix systems, they keep to the Windows systems. Works wonderfully.
Re: (Score:2)
In this day and age, a good IT team needs a bunch of competent people. T
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
This is a very true statement. As a pretty much clueless when it comes to DNS Windows admin I would never try to host internet facing DNS with Windows DNS. What I do is setup all of the AD domains with
Re: (Score:2)
And how does your DNS work? What is your DNS? Does it support Active Directory domain controllers and automatic zone updates from Windows DHCP servers?
Re: (Score:2)
Yes number of exploits is a flawed metric, i was simply responding to the poster.
I then pointed out that other things mattered too, like what else runs on the dns server box, and how you can mitigate the damage a vulnerability could cause.
Dynamic dns clients are not a good idea, l
Re: (Score:2)
Well sure djbdns is not perfect for all scenarios, i never said it was
Noted and I see what you're saying.
Dynamic dns clients are not a good idea, letting your dhcp clients set arbitrary dns records is a horrible thing to do...
Why? In BIND9 you can write rules like "the client with this TSIG key can change this set of values". Saying that DDNS isn't good if left wide open is like saying that SMTP isn't good because of open relays. When done right, DDNS and SMTP can both be useful. :-)
As for having to use rsync/ssh, is that really necessary?
If you're doing pull-only, then DDNS moves from "maybe not a good idea" to "pretty much impossible". Also, even in the case of an SSL-ized HTTP server (which is a clever idea, BTW), that still means tha
Re: (Score:2)
When i used djbdns i used HTTPS, with the data file downloaded every day... It worked on 2 stages, first downloaded a timestamp file, compared it to its locally stored timestamp and if it was different, download the full (much larger) dns datafile.
There's also no reason the HTTPS server needs to be a DNS server, it could be a completely seperate machine a
Re: (Score:2)
I don't know the guy, don't have anything against him, and wouldn't recognize him if he walked up and bit me. It's just that every time DNS, SMTP, or NTP comes up, a legion of DJB fanbois appears and rants at everyone who doesn't love his software. Maybe DJB is fine; I just can't stand his followers.
Re: (Score:2)
DNSSEC is dead, let's move on (Score:5, Informative)
Until registrars figure out how to securely regsister and manage keys, DNSSEC is DoA
Until zone managers start signing zones, DNSSEC won't achieve critical mass
Without critical mass, uneven DNSSEC deployment has no value
Without stub resolver support, DNSSEC is meaningless
Until all the above happen, there is no business case for DNSSEC and TLD owners won't deploy it.
Re: (Score:2, Informative)
Implementation of DNSSEC would essentially make all zone transfers promiscuous. I think that's probably the biggest reason why there's been so much resistance to it.
Re: (Score:2)
Re: (Score:2, Informative)
You can read their motivations here [cr.yp.to] and here [ds9a.nl].
Re: (Score:2)
Re: (Score:2, Interesting)
DNSSEC is a mess and provides little value. (Score:2)
There are few problems DNSSEC solves that SSL/TLS won't do a far better job solving. SSL/TLS deployment is almost universal. With the vast effort we've spent fighting over how to secure a tiny portion of the Internet protocol stack, we could instead have come up with a way to make verifiable SSL certificates free and easily acquired. I wrote about this at length [matasano.com] earlier this year.
Furthermore, DNSSEC is a mess. It has taken over ten years to come up with a protocol that a plurality of operators will agree t
Re: (Score:2)
DNSSEC deployment is already happenening on Large Scale [xelerance.com].
djdns refuses to fix his code to protect against OS errors as "not his job". That makes that DNS software pretty useless.
powerdns is fuly mysql driven, and uses a record, not a zonefile as their basic unit. DNSSEC will break that. That's why they do not like it.
People say things will break, but things are broken already. If someone has a better fix, please step forward. Whining and doing nothing is no
From the local LDAP Finatic (Score:2)
This is a failing of Bind.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:1)
Promiscuous zone transfers - just say no (Score:3, Informative)
If you're server is handing out zones to anyone and everyone, you might want to check you're not offering recursion to everyone as well (see allow-recursion {}; ). http://www.oreilly.com/catalog/dns4/chapter/ch11.html [oreilly.com].
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
And whatever else there is to say about it, it's still nothing but security by obscurity. Most burgla
Re: (Score:2)
By the way, security through obscurity does work. It just shouldn't be relied on as your only defence. (e.g. changing your SSH port to other than 22/tcp will cut down on the number of people trying to brute-force their way in. I do this *as well as* insisting on
Re: (Score:2)
The 1-6 thing is a red herring... They can still be found with a ping-scan, or similar.
I don't think anybody here was advocating allowing a zone transfer for your internal addresses. That is a bad idea, as the only thing it accomplishes is making it easier for an
Re: (Score:2)
So the obscurity could be usefull, sometimes, a little bit. If your fin-vms1 is not reachable from the outside world in the first place, why does it matter if someone knows about it? And by the time it does matter, e.g.
Re: (Score:3, Insightful)
I say disable it, because a) Cricket Liu says so, and he knows what he's talking about, and b) because it's one of the first things I do when I'm performing a pen-test. There's often a heap of useful (to an attacker) info in there, that can be turned off with two minutes of your time as an admin.
Re: (Score:2)
In the future IPv6 will be more common, and addresses are assigned based on the mac address so sequential IP scanning will become worthless.
But sure your right that kiddies and worms just scan large ipblocks not caring about dns...
Re: (Score:2)
(And not everyone has one contiguous IP block - so the attacker has to find them all to start with.)
Re: (Score:2)
Search for the company name, assuming all the blocks are registered to the same company...
Look at the routes being advertised by your AS number...
Re: (Score:3, Insightful)
And whatever else there is to say about it, it's still nothing but security by obscurity. Most burglars don't know where I live, do you really believe that significantly lowers the risk someone breaks into my house?
Allowing promiscuous zone transfers is more akin to posting the layout of your house on your front door, possibly including which picture the safe is behind. You're right that it doesn't really reduce or increase your chances of being victimized, but if you get chosen by the bad guys, why hand them a map? There's nothing wrong with security through obscurity, as long as its not your only means of defense. In any case, it's not like it's terribly difficult to secure BIND to allow transfers to authorized
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If an attacker's already inside, I've got bigger concerns.
Re: (Score:2)
Re: (Score:2)
Could it be used to do a DDoS? Or take out your DNS server due to the load?
(It's been too long since I read all the reasons as to why to disable full zone transfers.)
Re: (Score:2)
I doubt performing a single zone transfer request will be more taxing on your systems than performing a scan of your entire address space, and reverse resolving each active IP that was found. Zone transfers are carried out over TCP, which involve one socket connection. But you could DDoS any host whether it runs a DNS server.
I think the proscription against open zone transfers dates back to the bad old days when BIND was called the
DIY (Score:1)
them. Or create a forum where they can all participate and ask them to join. Otherwise it won't get changed until there's a large worm outbreak that uses the vulnerability.
Re: (Score:1)
Re: (Score:2)
Cricket Liu (Score:5, Informative)
What I also like about Cricket Liu (and Paul Albitz) is that they explain the domain name system really well in an understandable way.
Good timing... (Score:2)
Pretty poor redundancy - goes to show you can't even trust the big players to get it right, and probably should run your own nameservers within your domains too, just in case...
Re: (Score:3, Informative)
Re: (Score:2)
And they're a free DNS provider that gets huge DDoS attacks.
A good example of "begging the question" (Score:1, Interesting)
Re: (Score:1)
I think from a security perspective the problem isn't Windows DNS, it's the fact that it runs on Windows, with all the baggage that entails. Reality is this "survey" seems to extrapolate that people are for some reason switching away from windows DNS for security. Out of the millions of reaso
which BIND do you mean? (Score:1)
How do I know? (Score:3, Interesting)
I would like to run some checks against my domain and see if any of this applies to me. Can anyone recommend sites, utilities or linux commands to test it?
Would have been nice to include this info in the 'article' or even the summary, instead of just saying how un-secure everything is. Again.
Thanks.
Re: (Score:1)
Though the site itself has gotten a lot more commercial than it once was the DNS report tool gives some nifty info. Other than that you'll be wanting to investigate `dig' (IIRC) and trying some various interesting commands.
Re: (Score:1)
Re: (Score:1)
http://www.infoblox.com/services/dns_advisor.cfm [infoblox.com]
Re: (Score:1)
http://www.infoblox.com/services/dns_advisor.cfm [infoblox.com]
MyDNS owns (Score:2)
They solve the recursion problem by not supporting it; it is only for the master.
Use djbdns, watch your security problems vanish (Score:1)
I sat down last week and installed djbdns. I thought it would be a big hairy project, like learning BIND was. Back in the day, before Slashdot existed, I used Cricket's book on BIND. Good book, but BIND is finicky and the book is THICK.
Anyhow, in a couple hours I had djbdns installed and working. I had to keep checking. I couldn't believe it was that easy. But it was. djbdns doesn't allow recursive queries or zone transfers by default. djbdns has privilege separation, just like qmail. The config
But... but... but... (Score:2)
Makes sense to me (Score:1)
Why are we talking about DNSSEC? (Score:2)
Hand-waving "security" theatre (Score:2)
But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year.
Internet-visible DNSSEC improves security how, exactly, if the top-level domains don't support it?
Oh, and some of us allow "promiscuous zone transfers" because the only information we make publicly available in the DNS is information that is, you know, public.
Good security involves making sure that legitimate users don't get a false sense of security. One way to do that is to avoid providing features that look like they provide strong confidentiality or integrity without actually doing so.