I'm hoping that you may be able to help me with a debate I've been having with a colleague of mine. He believes that by NOT configuring the /etc/resolv.conf for DNS resolution, the AIX system has tighter security, and is less likely to get hacked. (Mind you that the AIX system in question is behind a network firewall, and accessed only by the local network.) I, however, am debating with him that having the DNS resolution active (by editing /etc/resolv.conf and having the line "nameserver <ip address>" pointing to a valid DNS server) has no effect. Other than the obvious AIX to outside system access by name, rather than IP address, it neither loosens nor tightens the security for an outside system (either same LAN or outside internet station) to gain access to the AIX system.

I appreciate all input and thought given on the above scenario. Any questions, please ask for clarification.

Sincerely,
Michael R. James
dritzz721@verizon.net
Michael James wrote:
> I'm hoping that you may be able to help me with a debate I've been
> having with a colleague of mine. He believes that by NOT configuring
> the /etc/resolv.conf for DNS resolution, the AIX system has tighter
> security, and less likely to get hacked. (Mind you that the AIX system
> in question is behind a network firewall, and accessed only by the
> local network). I, however, am debating with him that having the DNS
> resolution active (by editing /etc/resolv.conf and having the line
> "nameserver <ip address>" pointing to a valid DNS server) makes no
> effect. Other than the obvious AIX to outside system access by
> name, rather than ip address it neither loosens or tightens the
> security for an outside system (either same LAN or outside internet
> station) to gain access to the AIX system.
>
> I appreciate all input and thought given on the above scenario. Any
> questions, please ask for clarification.

Enabling name resolution via DNS won't expose your system directly, as opposed to e.g. running a world-accessible DNS server on the system. *But* you'll be more susceptible to name-based attacks, like DNS spoofing, cache poisoning or even a taken-over and thus rogue DNS server. It's still common practice at some places to rather maintain /etc/hosts files - needless to say a tedious and error-prone task - than to risk a compromised system through malicious DNS replies.

HTH & Regards,

Frank
On Thu, 03 Aug 2006 19:26:34 +0200, Frank Fegert <fra.nospam.nk@gmx.de> wrote:

>Michael James wrote:
>> I'm hoping that you may be able to help me with a debate I've been
>> having with a colleague of mine. He believes that by NOT configuring
>> the /etc/resolv.conf for DNS resolution, the AIX system has tighter
>> security, and less likely to get hacked.
....
>Enabling name resolution via DNS won't expose your
>system directly, as opposed to e.g. running a world
>accessible DNS server on the system.
....

So, as usual, administration is easier if the security is lower. One alternative is to set up your system to run its own name server and perform zone transfers. This alleviates the administrative burden, possibly improves DNS resolution performance and limits your security exposure to the zone transfer process.

There are a number of things you can do to improve the security of the configuration:

Restricting zone transfers

Restrict zone transfers using the allow-transfer option. By restricting zone transfers you ensure that the only information available to people is that which they ask for directly - no one can just ask for all the details about your set-up.

Protecting against spoofing

Firstly, disable any queries for domains you don't own, except from your internal/local machines. This not only helps prevent malicious use of your DNS server, but also reduces unnecessary use of your server. In this case, you'll need to allow all queries from the local host. Further, disable recursive queries (allow-recursion) except from internal/local sources. This reduces the risk of cache poisoning attacks (where false data is fed to your server).

Running named as non-root

It is a good idea to run named as a user other than root, so that if it is compromised the privileges gained by the cracker are as limited as possible. You first have to create a user and group for named to run under, and then modify whatever init script you use that starts named. Pass the new username and group to named using the -u and -g flags.

--
David
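As an added illustration of the three points in David's post (this is not configuration from the thread or from any of its posters), here is a BIND 9 named.conf fragment that restricts zone transfers, limits recursion to internal hosts, and is started as an unprivileged user; it goes one step further by requiring a TSIG key on the transfer. The network 192.0.2.0/24, the secondary 192.0.2.53, the zone name, the user name and the key secret are placeholders, and allow-query-cache assumes BIND 9.4 or later.

```conf
// Added example, not from the thread. All addresses, names and the
// key secret below are placeholders; replace them for a real server.
acl "internal"    { 127.0.0.1; ::1; 192.0.2.0/24; };  // local hosts
acl "secondaries" { 192.0.2.53; };                    // your slave server

// TSIG key shared with the secondary. It signs each transfer message
// so only a holder of the key can pull the zone; it authenticates the
// transfer, it does not encrypt it and does not vouch for the data.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";   // placeholder, generate a real one
};

options {
    directory "/var/named";
    // Lookups for domains you do not own only on behalf of internal hosts;
    // this also covers the local host via 127.0.0.1 in the acl above.
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    // Default for every zone: nobody may pull a whole zone.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query    { any; };   // authoritative answers for everyone
    // Transfers only to the listed secondary, and only when TSIG-signed.
    allow-transfer { key "xfer-key"; secondaries; };
};

// Start-up line for the init script (BIND 9): bind port 53, then drop
// privileges to the unprivileged account "named". BIND 9 takes only
// -u; its -g flag means "run in the foreground", and the group comes
// from that user's account.
//   named -u named -c /etc/named.conf
```

Note that the key on the transfer only proves which server sent the zone; it does not make that server's data trustworthy, which is the exposure Frank raises in the next post.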
David Luner wrote:
> On Thu, 03 Aug 2006 19:26:34 +0200, Frank Fegert
> <fra.nospam.nk@gmx.de> wrote:
>
>
>>Michael James wrote:
>>
>>>I'm hoping that you may be able to help me with a debate I've been
>>>having with a colleague of mine. He believes that by NOT configuring
>>>the /etc/resolv.conf for DNS resolution, the AIX system has tighter
>>>security, and less likely to get hacked.
>
> ...
>
>>Enabling name resolution via DNS won't expose your
>>system directly, as opposed to e.g. running a world
>>accessible DNS server on the system.
>
> ...
>
> So, as usual, administration is easier if the security is lower. One
> alternative is to set up your system to run its own name server and
> perform zone transfers. This alleviates the adminsitrative burden,
> possibly improves DNS resolution performance and limits your security
> exposure to the zone transfer process.

And how does that improve security, I wonder? The zone transfer doesn't come out of thin air. So you're still exposed to the risk that your or your provider's name server, which participates as a master in the zone transfer, sends malicious data to the slave name server running locally.

I've actually seen this several times. The nameservers are not secured at all. Every host in the company depends on them, even machines in the DMZs. They never get a downtime to update the name server software and are running something as horrible as 4.x versions of BIND or even worse ...

Regards,

Frank
On 2006-08-03, Michael James <dritzz721@verizon.net> wrote:
> I'm hoping that you may be able to help me with a debate I've been
> having with a colleague of mine. He believes that by NOT configuring
> the /etc/resolv.conf for DNS resolution, the AIX system has tighter
> security, and less likely to get hacked.

This is true. In fact, this has already caused a problem back in 2002. A bug in the BIND resolver (also used on AIX, if I remember correctly) was remotely exploitable. (See http://cr.yp.to/djbdns/res-disaster.html) Having a firewall didn't help: when you had a nameserver in /etc/resolv.conf that had access to outside data (perhaps not even directly), you were vulnerable.

--
Jurjen Oskam

Savage's Law of Expediency: You want it bad, you'll get it bad.
Frank Fegert wrote:
> David Luner wrote:
>> On Thu, 03 Aug 2006 19:26:34 +0200, Frank Fegert
>> <fra.nospam.nk@gmx.de> wrote:
>>
>>
>>> Michael James wrote:
>>>
>>>> I'm hoping that you may be able to help me with a debate I've been
>>>> having with a colleague of mine. He believes that by NOT configuring
>>>> the /etc/resolv.conf for DNS resolution, the AIX system has tighter
>>>> security, and less likely to get hacked.
>> ...
>>
>>> Enabling name resolution via DNS won't expose your
>>> system directly, as opposed to e.g. running a world
>>> accessible DNS server on the system.
>> ...
>>
>> So, as usual, administration is easier if the security is lower. One
>> alternative is to set up your system to run its own name server and
>> perform zone transfers. This alleviates the adminsitrative burden,
>> possibly improves DNS resolution performance and limits your security
>> exposure to the zone transfer process.
>
> And how does that improve security, i wonder? The zone
> transfer doesn't come out of thin air. So you're still
> exposed to the risk, that your or your providers name
> server, which participates as a master in the zone
> transfer, sends malicious data to the slave name server
> running locally.

Bind allows you to encrypt the transfer.

> I've actually seen this several times. The nameservers
> are not secured at all. Every host in the company de-
> pends on them, even machines in the DMZs. They never
> get a downtime to update the name server software and
> are running something horrible as 4.x versions of BIND
> or even worse ...

That's a management issue and not a technical one.