LINUX SECURITY --- October 10, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Securing Berkeley Internet Name Domain
*********************************************************************

Securing BIND
By Rick Johnson

BIND (Berkeley Internet Name Domain) is by far the most popular implementation of the DNS protocols and one of the single most important components of the Internet. Without the work of the Internet Software Consortium, DNS as we know it would not be the same.

Unfortunately, BIND 8 has had its share of security problems, the most notorious of which was the NXT record exploit. Some of us still get the chills when we hear ADMROCKS. Because of these problems, the next version was designed to be far more secure. BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture. It was designed to run without privileges and in a chroot environment.

For those who are unsure about upgrading to the latest version, there is still hope. First, verify that you are running BIND version 8.2.2 patchlevel 5. If not, upgrade immediately and check the server for signs of compromise. The potential damage of a BIND 8 exploit can be decreased dramatically by running it in a chroot environment and as a non-root user. For details, please read the Chroot-BIND HOWTO (http://www.linux.org/docs/ldp/howto/Chroot-BIND-HOWTO.html).

If you are daring enough to upgrade, BIND 9 now supports DNSSEC signed zones and TSIG (HMAC-MD5) signed DNS requests. It is capable of acting as an authoritative server for DNSSEC secured zones. This functionality is believed to be stable and complete, except for lacking support for wildcard records in secure zones. When acting as a caching server, it can be configured to perform DNSSEC secure resolution on behalf of its clients. This part of the DNSSEC implementation is still considered experimental and should be used with caution. For more information on DNSSEC, please visit http://www.ietf.org/html.charters/dnssec-charter.html.

Also included is support for multiple "views" of the DNS namespace. The benefit of this feature is that it allows one combined zone file to serve both internal and external clients while allowing each group to see only specific entries. This way you can avoid the embarrassment of external queries revealing your internal IP addressing scheme.

The latest release of BIND does have a few bugs, and certain features are not quite ready for prime time, but it is worth a look. Unless you require the functionality of the new features, I would recommend waiting to deploy it until some of these issues are resolved. The latest version of BIND may be obtained from ftp://ftp.isc.org/isc/bind9/9.0.0/bind-9.0.0.tar.gz

About the author
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************
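The split internal/external "views" setup discussed in the article, shown as an added named.conf example (not code from the article or from ISC); the network ranges, zone name, secondary address and file paths are assumptions, and each view is given its own zone file so the external one can be pruned of private records.

```conf
// Added example (not from the article): a BIND 9 named.conf using views
// so internal and external clients get different answers for the same
// zone. Network ranges, zone name and file paths are assumptions.

acl "internal-nets" {
    10.0.0.0/8;
    192.168.0.0/16;
    127.0.0.1;
};

options {
    directory "/var/named";
    // Only our own secondary (placeholder address) may pull a full copy
    // of any zone; zone transfers otherwise hand out the whole map.
    allow-transfer { 192.0.2.53; };
};

// Views are matched in order; the first match-clients hit wins, so the
// restrictive internal view must come before the catch-all.
// Internal clients see the full zone, private addresses included, and
// may use this server as a recursive resolver.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone else gets a separate zone file holding public records only,
// and no recursion, so the server is neither an open resolver nor a
// source of the internal addressing scheme.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Once any view is defined, BIND 9 requires every zone (root hints and localhost zones included) to live inside a view, so the views above would need those added before the configuration loads.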