On 16/12/2015 11:09, Tom H wrote:
> On Wed, Dec 16, 2015 at 4:01 AM, Adam Carter <adamcarter3@×××××.com> wrote:
>>>
>>> There are several problems with your idea. First, the configured
>>> nameservers in resolv.conf are caching servers, not authoritative
>>> servers. You never configure an auth server to act as a cache. Yes, it
>>> can be done. No, it's an awful idea and things break horribly.
>>
>> What breaks if you have caching and auth on the same server? I have been
>> running my tiny home network this way for years. The local domain is
>> properly delegated, but if you just want a local domain that's not
>> necessary.
>
> The ISC recommends separating authoritative and caching bind servers.
>
> The main reason that I can think of is that someone can poison the
> cache of the domains for which a server's authoritative.
>


If I were a serious Cyber Kriminal, here's the avenue I'd be looking for:

Find some vendor of low or medium end equipment (some small business
kit) that "helpfully" provides a combined DNS cache and auth server on
the border router and just as helpfully announces this to the internal
network. We all know how bad security on that stuff really is (think
factory default user admin pass admin, and never changed).

Find an exploit for these things and load lame zone files for some major
banks and other juicy targets pointing at my malware. The owners of this
kit will never notice I did this. The router's DNS cache will trust the
authoritative zone it has loaded even though it's orphaned.

Awesome thanks. I just 0wned the internet for that entire business. And
9 out of 10 of those businesses will never find it.

Solution: obey best practice. Never run auth and cache on the same
address. On the same machine is fine, they are different daemons.

--
Alan McKinnon
alan.mckinnon@×××××.com
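As an added illustration, not taken from the thread or from the ISC, the split Alan describes expressed as BIND named.conf fragments: the combined single-instance layout first, then two named instances on the same host bound to different addresses. Addresses, zone name and file paths are placeholders.

```conf
## Combined layout (the pattern the thread warns against): one named
## instance recurses for the LAN *and* serves authoritative zones. Any
## zone loaded here is answered from directly, whether or not the parent
## still delegates to this host (the orphaned / lame zone case).
options {
    listen-on { 192.0.2.1; };          # placeholder LAN address
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
};
zone "example.com" {                   # placeholder zone name
    type master;
    file "/etc/bind/db.example.com";
};

## Separated layout: same machine, two daemons, two addresses.
## Start each with its own config, e.g. `named -c /etc/bind/named-auth.conf`
## and `named -c /etc/bind/named-cache.conf` (distinct pid-files required).

# /etc/bind/named-auth.conf  -- authoritative only, never recurses
options {
    listen-on { 192.0.2.2; };          # placeholder: address published in NS records
    pid-file "/run/named/named-auth.pid";
    recursion no;
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

# /etc/bind/named-cache.conf  -- recursive resolver for the LAN, loads no zones
options {
    listen-on { 192.0.2.1; };          # placeholder LAN address (the one in resolv.conf)
    pid-file "/run/named/named-cache.pid";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
    allow-query { 192.0.2.0/24; };
};
```

With this split a zone file dropped onto the authoritative instance changes what that daemon serves, but the resolver clients actually use still follows delegation from the root, so the answer has to come from wherever the parent zone really points.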