
Re: dns forwarding
Bryan J. Smith wrote:
> Danny Sauer wrote:
> 
>>I'm not too worried about someone r00ting my 10.1.1.x name servers - but 
>>the point's well taken... ;)
> 
> 
> 70% of attacks are internal.
> 
> DNS servers are the best servers to gain access to.  You can have all
> sorts of fun with them on a LAN, unless the LAN is a fully Kerberosized
> network (which makes it more difficult because of the whole token 'thang
> even if the DNS servers are hacked).

Good advice in general.  To defend myself, though, since this is a 
public list: :)

There are 12 people on-site including me, and only a handful more 
off-site that have shell access.  I trust them all, but even without 
that trust there are only 2 who even know what a DNS server is, and the 
one who also knows what "chroot" is also used to be the sysadmin (now is 
the trusted backup admin).  My internal security concerns consist almost 
entirely of accidentally deleted files on the web server or local 
workstations.  My previous job was different (students will try the 
darnedest things), but I much prefer the lack of stress here. :)

That said, one DNS server is also the dial in server - which would get 
an intruder a modem, I guess.  The other DNS server runs on the database 
server, which might be fun in and of itself, but otherwise wouldn't 
provide anything useful.  The only accounts on those machines are root, 
me (with an empty home dir) and the daemon accounts.  They have LDAP 
access, but it does the "bind as the user" thing to auth, so they don't 
have any info on other networked machines other than the LDAP server, 
which is relatively secure.  There are no local logs - just the address 
of the remote log server.  They don't have compilers (or Perl/Python), 
either.  Lemme know if there's something fun that I've missed - but they 
sound pretty boring as far as "fun on the LAN" goes...  I'm running 
snort on a separate internal machine & the router's external interface, 
and I trust that it'd let me know if anything too weird was going on. 
Lemme know if there's something else that I'm missing, though.

My other private network is also running Bind 8 and Bind 4(!) 
internally, but my wife's the only other user there.  She knows I'll 
knock her silly if she hacks our darned DNS server. ;)

--Danny, who wouldn't actually hit his wife
