Re: the call for bind software

[Brad Knowles <brad.knowles@skynet.be>]

At 4:04 PM +0700 2002/10/15, Robert Elz wrote:

>  That's what I mean by a management nightmare.   More and more places
>  that have to be updated when addressing changes.   We need to be moving
>  towards less of these, not more of them.

	Then you need to be simplifying your network.  Nothing in the 
world is ever going to protect you from needing to know what is 
"local" and what is not.  There are far more applications that depend 
on knowing what is "local" than just BIND.

>  But, once again, this has nothing at all to do with network security
>  (with the side issue perhaps of avoiding overloading, and for that
>  a firewall is a much better idea than having the server receive all the
>  packets and then discard them).

	Belt & suspenders.  Go ahead and do the firewall, but don't 
depend on it.  Configure the nameserver so as to be secure in the 
absence of the firewall, because sooner or later people are going to 
find a way to get around the firewall.

>  Don't try and frighten people by telling them that you're doing this
>  to protect them from something, because you aren't.

	Yes, I am.  You may choose to believe what you like.

>  You'd be much better off getting them to split the cache form the
>  server, which you're also suggesting, and just forgetting this other part.

	Okay, then let's do this by default -- caching & authoritative 
services are mutually exclusive, unless you know the magic 
incantation to get them both running in the same BIND instance.

	We can add the other part later.

>  Even there, the difference is minor.   You're concerned about allowing
>  some nodes to generate the query that causes the pollution, while
>  preventing others.   That's not very effective.

	No, my method is not 100000% fool-proof.  It is possible to work 
around it.  However, it does make things more difficult for them, and 
increases the probability that I will have something somewhere in 
some of the logs that might give me a hint as to where a particular 
attack may have come from.

>  no, it gives the appearance of being better than nothing, while not
>  actually being better at all.   That makes it worse.

	Again, we're talking about improving the state of affairs for the 
whole Internet, not just a particular local network.

	Or are you of the opinion that there is no purpose in doing RFC 
1918 address filtering at your egress routers?

>  But people don't figure things out - not most of them.  They follow
>  recipes.  They just do what someone (or some web site) says they should
>  do, without thinking a lot about what is happening, or why.

	No, they typically blindly take whatever the vendor gives them. 
If we can do our best to make sure that what the vendor will give 
them is more secure, then most of them will probably actually be more 
secure.

	A relatively small portion may attempt to blindly apply some 
recipe given to them by someone else, out of ignorance.  IMO, they 
get what they deserve if they're going to go mucking about with 
things -- they should either leave them alone, or make sure they get 
them right.

>  Again, no, there would be a set of "common" configurations, or
>  "sample configurations" that people just copy.   If none of the
>  ones distributed by ISC (or anyone else distributing bind) work
>  for them, they will find one from elsewhere that does.

	I believe that BIND already includes a variety of configuration 
samples, and this could easily be expanded.

>  And I assure you "enable this option to allow bind to serve queries
>  for your network" is much easier to explain, and much easier to do
>  correctly, than "find out all your local network prefixes and add
>  them in allow statements"

	But that's not what would happen for most people.  Only a 
relatively small group of people would have a problem whereby the 
automatic interface/netmask scanning would fail to appropriately set 
the list of "local" networks.  They are the only edge condition that 
we have to worry about.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscripbe, send a message to <dnsop-request@cafax.se>.