Re: Securing bind..

2002-03-06 Thread nate
> [ The quoted email is dated last December... I hope nobody minds me ] > [ reviving the conversation. I'm catching up on a few mail groups. ] > {Internal network}[firewall/gateway router]-+{Internet} > | >

Re: Securing bind..

2002-03-06 Thread Russell Coker
On Wed, 6 Mar 2002 19:04, Karl M. Hegbloom wrote: > [ The quoted email is dated last December... I hope nobody minds me ] > [ reviving the conversation. I'm catching up on a few mail groups. ] OK, but I've trimmed the CC list. > > "Russell" == Russell Coker <[EMAIL PROTECTED]> writes: > >

Re: Securing bind..

2002-03-06 Thread Karl M. Hegbloom
[ The quoted email is dated last December... I hope nobody minds me ] [ reviving the conversation. I'm catching up on a few mail groups. ] > "Russell" == Russell Coker <[EMAIL PROTECTED]> writes: Russell> On Sun, 30 Dec 2001 16:17, Jor-el wrote: >> On Sun, 30 Dec 2001, Russell Coke

Re: Securing bind..

2002-01-28 Thread Dave Kline
BIND should be treated with the utmost caution, as CERT has listed it as the #1 way to break into a computer and I'm sure some of us have had k1dd13z on our systems because of it. I know I have seen this discussion before in old USENET posts, but I do think it would be a good idea to maybe incl

Re: Securing bind..

2002-01-28 Thread Javier Fernández-Sanguino Peña
On Thu, Jan 03, 2002 at 03:34:32PM +0100, martin f krafft wrote: (...) > > but more importantly, if the question was how to secure bind, then let's > not secure it by substituting... bind is still the #1 nameserver, and a > thread like this (even though argued a million times) can be quite > infor

Re: Securing bind..

2002-01-04 Thread George Karaolides
Hi Martin, On Thu, 3 Jan 2002, martin f krafft wrote: > i find this horrible. BIND zonefiles at least allow for usage of tabs to > organize your zone into tabular data. Everyone has their favourite working techniques. You like your tabular BIND zone files. I like my line-based djbdns data

Re: Securing bind..

2002-01-04 Thread George Karaolides
Hi Craig, This BIND vs. djbdns thing has strayed off topic. It started with a Debian user asking for a solution to a problem. One of the answers given was that a solution could be achieved by using djbdns, which is packaged in the testing and unstable distributions of Debian. I suggested, and

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach P Prince <[EMAIL PROTECTED]> [2001.12.30.2314 +0100]: > I strongly *strongly* suggest that anyone considering setting up DNS, be it > BIND or djbdns, check out Daniel Bernstein's site on the subject, > http://cr.yp.to/djbdns.html or just subscribe to bind-users or bind9-users, where be

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach George Karaolides <[EMAIL PROTECTED]> [2002.01.02.1423 +0100]: > # Nameserver for my network addresses... > .my-network-in-reverse-order.in-addr.arpa:my-nameserver-ip-address:TTL > # ... and for addresses in my other network... > .my-other-network-in-reverse-order.in-addr.arpa:my-nameser

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach Russell Coker <[EMAIL PROTECTED]> [2001.12.30.2258 +0100]: > Perhaps a discussion of the relative merits of djbdns and bind is in > order. no, not on debian-user and not on debian-* either. djbdns might be fine software, but its author is a negative representative of the software indus

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach P Prince <[EMAIL PROTECTED]> [2001.12.30.1846 +0100]: > The easiest and most failsafe way to secure bind is to install djbdns. you are kidding me, right? the question was how to secure bind. the asker wasn't in need of other religious beliefs. while i strongly believe that djb is a re

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach P Prince <[EMAIL PROTECTED]> [2001.12.31.0652 +0100]: > Perhaps, but BIND invented its own zonefiles too. What you fail to realize is > how bad BIND zone files suck. why? sure, you have to understand them, and discipline is needed to maintain one, but they are so much more powerful th

Re: Securing bind..

2002-01-02 Thread Craig Sanders
On Mon, Dec 31, 2001 at 12:52:23AM -0500, P Prince wrote: > > there are two major problems with all of bernstein's software. the > > first is that it requires you to throw away your existing > > configuration...no big deal for a caching only name-server or if you > > only have one or two domains t

Re: Securing bind..

2002-01-02 Thread Craig Sanders
On Wed, Jan 02, 2002 at 03:23:01PM +0200, George Karaolides wrote: > On Tue, 1 Jan 2002, Craig Sanders wrote: > > someday soon, someone's going to take the good ideas from djbdns, > > combine it with the good stuff from bind (including backwards > > compatibility with bind config & zonefile formats

Re: Securing bind..

2002-01-02 Thread George Karaolides
Hi, On Tue, 1 Jan 2002, Craig Sanders wrote: > someday soon, someone's going to take the good ideas from djbdns, > combine it with the good stuff from bind (including backwards > compatibility with bind config & zonefile formats), add a few useful new > ideas (e.g. an "RXFR" protocol that embedd

Re: Securing bind..

2001-12-31 Thread Craig Sanders
On Tue, Jan 01, 2002 at 01:18:43PM +1100, Donovan Baarda wrote: > An interesting thing about djb is he does have knack for identifying > real problems with existing defacto standard software and re-inventing > it. he also reinvents things that don't have any significant problems, sometimes just be

Re: Securing bind..

2001-12-31 Thread Donovan Baarda
On Mon, Dec 31, 2001 at 04:15:18AM +0100, jernej horvat wrote: > On Monday 31 December 2001 03:34, Michael D. Schleif wrote: > > > > > Because of that policy there are no precompiled packages of djbdns, because: > > "You may distribute a precompiled packag

Re: Securing bind..

2001-12-31 Thread Dimitri Maziuk
* Craig Sanders ([EMAIL PROTECTED]) spake thusly: ... > > unfortunately, bernstein's software is severely limited by his views. > > he's a fairly good programmer but a lousy systems administrator, with > no concept of how real world sysadmins use tools or how they automate > them. Did he fina

Re: Securing bind..

2001-12-31 Thread George Karaolides
On Mon, 31 Dec 2001, Petre Daniel wrote: > thank you all very much. > you're right. If one doesn't have anything useful to say I'll recommend him > to let others help.. > thx guys. Hi Petre, Maybe the initial suggestion to use djbdns wasn't worded in the best possible way, but might I suggest t

Re: Securing bind..

2001-12-31 Thread Russell Coker
On Mon, 31 Dec 2001 06:52, P Prince wrote: > > there are two major problems with all of bernstein's software. the > > first is that it requires you to throw away your existing > > configuration...no big deal for a caching only name-server or if you > > only have one or two domains to serve. a sev

Re: Securing bind..

2001-12-31 Thread Russell Coker
On Mon, 31 Dec 2001 01:20, jernej horvat wrote: > On Sunday 30 December 2001 22:58, Russell Coker wrote: > > 2.4.x kernels support the --bind option to mount which avoids the syslogd > > yep. linux v2.4.x and bind v9.x are easier to set up. debian has almost > out-of-the box chroot solution. Are t

Re: Securing bind..

2001-12-31 Thread Russell Coker
On Mon, 31 Dec 2001 05:31, Jor-el wrote: > > DNS cache machine sends out requests from source port 54 (not obscure - > > every administrator of every DNS server on the net can easily discover > > this). > > Not sure I follow what you are saying here. Are you saying that it > is pretty easy fo

Re: Securing bind..

2001-12-31 Thread Thomas Seyrat
Russell Coker wrote: > DNS cache machine sends out requests from source port 54 (not obscure - every > administrator of every DNS server on the net can easily discover this). > Recursive requests go to port 53 (getting a DNS client to even talk to > another port is difficult or impossible dependi

Re: Securing bind..

2001-12-31 Thread nate
> This is crazy. Anytime you change software packages, you must > rewrite your configuration. And, if you or anyone you know manages > thousands of domains, I'll mail you a crisp, clean 20 dollar bill. > (In order to be eligible, you must provide the name of your > employer, so that I can avoid

Re: Securing bind..

2001-12-30 Thread P Prince
This is well out of hand, and I've dealt with it before, so this is my last mailing on the subject. On Mon, 31 Dec 2001, Craig Sanders wrote: > On Sun, Dec 30, 2001 at 08:34:32PM -0600, Michael D. Schleif wrote: > > Craig Sanders wrote: > > > On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Sc

Re: Securing bind..

2001-12-30 Thread nate
> > jernej horvat wrote: > ``Zone transfers are an archaic alternative mechanism for copying > DNS information. Instead of immediately sending new data to the > slaves, you run a zone-transfer service that accepts periodic > connections from the slaves; your users complain while they're > waiting

Re: Securing bind..

2001-12-30 Thread P Prince
Hey, On Mon, 31 Dec 2001, Craig Sanders wrote: > On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Schleif wrote: > > ``By combining all these tools, you can finally approach the > > functionality of a trivial rsync script. Wow.'' > > > > Enough said . . . > > by throwing away all your existin

Re: Securing bind..

2001-12-30 Thread P Prince
One phrase, sir: "WTF?!" You fail to make sense. -Tech On Sun, 30 Dec 2001, Michael D. Schleif wrote: > > jernej horvat wrote: > > > > [ snip ] > > > And this is what djb has to say for zone transfers :-) > > > > "Zone transfers are an archaic alternative mechanism for copying DNS > > informat

Re: Securing bind..

2001-12-30 Thread Jor-el
Russell, On Sun, 30 Dec 2001, Russell Coker wrote: > Please read my messages carefully before flaming me. Ack! My apologies. Poor reading and poor wording. > > DNS cache machine sends out requests from source port 54 (not obscure - every > administrator of every DNS server on the net

Re: Securing bind..

2001-12-30 Thread Craig Sanders
On Sun, Dec 30, 2001 at 08:34:32PM -0600, Michael D. Schleif wrote: > Craig Sanders wrote: > > On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Schleif wrote: > > > ``By combining all these tools, you can finally approach the > > > functionality of a trivial rsync script. Wow.'' > > > > > > Eno

Re: Securing bind..

2001-12-30 Thread jernej horvat
On Monday 31 December 2001 03:34, Michael D. Schleif wrote: > Because of that policy there are no precompiled packages of djbdns, because: "You may distribute a precompiled package if - installing your package produces exactly the same files, in exactl

Re: Securing bind..

2001-12-30 Thread John Galt
On Sun, 30 Dec 2001, P Prince wrote: >The easiest and most failsafe way to secure bind is to install djbdns. Because after djbdns, bind 4.2 looks like a pinnacle of security... >Google is your friend. Apparently it didn't get you a clue... >-Tech > >On Sun, 30 Dec 2001, Petre Daniel wrote: > >

Re: Securing bind..

2001-12-30 Thread Michael D. Schleif
Craig Sanders wrote: > > On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Schleif wrote: > > ``By combining all these tools, you can finally approach the > > functionality of a trivial rsync script. Wow.'' > > > > Enough said . . . > > by throwing away all your existing zonefiles, DNS config

Re: Securing bind..

2001-12-30 Thread Craig Sanders
On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Schleif wrote: > ``By combining all these tools, you can finally approach the > functionality of a trivial rsync script. Wow.'' > > Enough said . . . by throwing away all your existing zonefiles, DNS configuration, DNS tools and a bunch of feat

Re: Securing bind..

2001-12-30 Thread Michael D. Schleif
jernej horvat wrote: > > On Monday 31 December 2001 01:29, Michael D. Schleif wrote: > > <...> > > It is always amazing to me how *intelligent* people try to make their > > point by taking other people's words out of context . . . > <...> > > > http://cr.yp.to/djbdns/faq/axfrdns.html#what > i ad

Re: Securing bind..

2001-12-30 Thread jernej horvat
On Monday 31 December 2001 01:29, Michael D. Schleif wrote: <...> > It is always amazing to me how *intelligent* people try to make their > point by taking other people's words out of context . . . <...> > > http://cr.yp.to/djbdns/faq/axfrdns.html#what i added the URL so i that everyone could look

Re: Securing bind..

2001-12-30 Thread Michael D. Schleif
jernej horvat wrote: > [ snip ] > And this is what djb has to say for zone transfers :-) > > "Zone transfers are an archaic alternative mechanism for copying DNS > information." > > http://cr.yp.to/djbdns/faq/axfrdns.html#what ``Zone transfers are an archaic alternative mechanism for copying

Re: Securing bind..

2001-12-30 Thread jernej horvat
On Sunday 30 December 2001 22:58, Russell Coker wrote: > 2.4.x kernels support the --bind option to mount which avoids the syslogd yep. linux v2.4.x and bind v9.x are easier to set up. debian has almost out-of-the box chroot solution. > I disagree with the supposed security benefits of disabling

Re: Securing bind..

2001-12-30 Thread nate
> Hello Nate, it seems I can't get the link of the advisory. It's about > some sort of amplifying flood, when an outsider makes spoofed queries > to the bind daemon and another one, the victim is flooded along > with me the attacked.. Thx.. if you do find it please pass it along to me, I am intereste

Re: Securing bind..

2001-12-30 Thread P Prince
Hello, On Sun, 30 Dec 2001, Russell Coker wrote: > On Sun, 30 Dec 2001 22:02, jernej horvat wrote: > > On Sunday 30 December 2001 18:46, P Prince wrote: > > > The easiest and most failsafe way to secure bind is to install djbdns. > > > > If you have nothing to say - do not speak. Heh, I didn't s

Re: Securing bind..

2001-12-30 Thread Petre Daniel
thank you all very much. you're right. If one doesn't have anything useful to say I'll recommend him to let others help.. thx guys. At 10:02 PM 12/30/01 +0100, jernej horvat wrote: On Sunday 30 December 2001 18:46, P Prince wrote: > The easiest and most failsafe way to secure bind is to install

Re: Securing bind..

2001-12-30 Thread Russell Coker
On Sun, 30 Dec 2001 22:02, jernej horvat wrote: > On Sunday 30 December 2001 18:46, P Prince wrote: > > The easiest and most failsafe way to secure bind is to install djbdns. > > If you have nothing to say - do not speak. Perhaps a discussion of the relative merits of djbdns and bind is in order.

Re: Securing bind..

2001-12-30 Thread Russell Coker
On Sun, 30 Dec 2001 16:17, Jor-el wrote: > On Sun, 30 Dec 2001, Russell Coker wrote: > > Also don't allow recursion from outside machines. > > Why does this help? When someone sends a recursive query to your server then they know (with a good degree of accuracy) what requests are going to be made

Re: Securing bind..

2001-12-30 Thread jernej horvat
On Sunday 30 December 2001 18:46, P Prince wrote: > The easiest and most failsafe way to secure bind is to install djbdns. If you have nothing to say - do not speak. -- Configuration options for BIND are listed on http://www.isc.org/products/BIND/docs/config/ List of URLs that might be useful i

Re: Securing bind..

2001-12-30 Thread Jacob Elder
On Sun, Dec 30, 2001 at 12:46:55PM -0500, P Prince wrote: > The easiest and most failsafe way to secure bind is to install djbdns. Troll. > > Google is your friend. > > -Tech > > On Sun, 30 Dec 2001, Petre Daniel wrote: > > > Well, I know Karsten's on my back and all, but I have not much time t

Re: Securing bind..

2001-12-30 Thread Thomas Seyrat
Jor-el wrote: > > Another possibility is to have the port for outgoing connections be > > something > > other than 53 (54 seems unused) and use iptables or ipchains to block data > > from the outside world coming to port 53. [...] > Of course, in the case of DNS servers, you could be OK, s

Re: Securing bind..

2001-12-30 Thread P Prince
The easiest and most failsafe way to secure bind is to install djbdns. Google is your friend. -Tech On Sun, 30 Dec 2001, Petre Daniel wrote: > Well, I know Karsten's on my back and all, but I have not much time to > learn, and too many things to do at my firm, so I am asking if one of you has > any

Re: Securing bind..

2001-12-30 Thread Jor-el
Russell, On Sun, 30 Dec 2001, Russell Coker wrote: > > Also don't allow recursion from outside machines. Why does this help? > > Another possibility is to have the port for outgoing connections be something > other than 53 (54 seems unused) and use iptables or ipchains to block data > from

Re: Securing bind..

2001-12-30 Thread Petre Daniel
thankz a lot. Well the thing is, after I've read that advisory, 2 days laterz my network was flooded, like the traffic was very slow and nothing resolved anymore.. I noticed the strange thing that the main ns/mailserver (bind 9.1) had difficulties resolving things around, even internally, so mail

Re: Securing bind..

2001-12-30 Thread Alvin Oga
hi ya Petre, lots of different kinds of floods... and DoS attacks... what kind of attack are you under ??? -- what shows up in tcpdump when monitoring all traffic on the wire ??? if you're an "amplifier" .. you have to turn off icmp broadcasts at your incoming cisco router/fw to

Re: Securing bind..

2001-12-30 Thread Petre Daniel
Hello Nate, it seems I can't get the link of the advisory. It's about some sort of amplifying flood, when an outsider makes spoofed queries to the bind daemon and another one, the victim is flooded along with me the attacked.. Thx.. At 02:56 AM 12/30/01 -0800, nate wrote: > Well, I know Karsten's on m

Re: Securing bind..

2001-12-30 Thread Russell Coker
On Sun, 30 Dec 2001 11:18, Petre Daniel wrote: > Well, I know Karsten's on my back and all, but I have not much time to > learn, and too many things to do at my firm, so I am asking if one of you has > any idea how can bind be protected against that DoS attack and if someone > has some good firewall fo

Re: Securing bind..

2001-12-30 Thread nate
> Well, I know Karsten's on my back and all, but I have not much time > to learn, and too many things to do at my firm, so I am asking if > one of you has any idea how can bind be protected against that DoS > attack and if someone has some good firewall for a dns server ( > that resolves names for

Securing bind..

2001-12-30 Thread Petre Daniel
Well, I know Karsten's on my back and all, but I have not much time to learn, and too many things to do at my firm, so I am asking if one of you has any idea how can bind be protected against that DoS attack and if someone has some good firewall for a dns server ( that resolves names for internal c