| 1 |
On 16/12/2015 11:09, Tom H wrote: |
| 2 |
> On Wed, Dec 16, 2015 at 4:01 AM, Adam Carter <adamcarter3@×××××.com> wrote: |
| 3 |
>>> |
| 4 |
>>> There are several problems with your idea. First, the configured |
| 5 |
>>> |
| 6 |
>>> namservers in resolv.conf are caching servers, not authoritative |
| 7 |
>>> servers. You never configure an auth server to act as a cache. Yes, it |
| 8 |
>>> can be done. No, it's an awful idea and things break horribly. |
| 9 |
>> |
| 10 |
>> What breaks if you have caching and auth on the same server? I have been |
| 11 |
>> running my tiny home network this way for years. The local domain is |
| 12 |
>> properly delegated, but if you just wont a local domain that's not |
| 13 |
>> necessary. |
| 14 |
> |
| 15 |
> The ISC recommends separating authoritative and caching bind servers. |
| 16 |
> |
| 17 |
> The main reason that I can think of is that someone can poison the |
| 18 |
> cache of the domains for which a server's authoritative. |
| 19 |
> |
| 20 |
|
| 21 |
|
| 22 |
If I were a serious Cyber Kriminal, here's the avenue I'd be looking for: |
| 23 |
|
| 24 |
Find some vendor of low or medium end equipment (some, small business |
| 25 |
kit) that "helpfully" provides a combined DNS cache and auth server on |
| 26 |
the border router and just as helpfully announces this to the internal |
| 27 |
network. We all know how bad security on that stuff really is (think |
| 28 |
factory default user admin pass admin, and never changed). |
| 29 |
|
| 30 |
Find an exploit for these things and load lame zone files for some major |
| 31 |
banks and other juicy target pointing at my malware. The owners of this |
| 32 |
kit will never notice I did this. The router's DNS cache will trust the |
| 33 |
authoritative zone it has loaded even though it's orphaned. |
| 34 |
|
| 35 |
Awesome thanks. I just 0wned the internet for that entire business. And |
| 36 |
9 out of 10 of those businesses will never find it. |
| 37 |
|
| 38 |
Solution: obey best practice. Never run auth and cache on the same |
| 39 |
address. On the same machine is fine, they are different daemons. |
| 40 |
|
| 41 |
-- |
| 42 |
Alan McKinnon |
| 43 |
alan.mckinnon@×××××.com |
Archives