
Re: Paranoid question regarding Bind



> make sure that both your bind daemons run in a different chroot'ed
> environment. That helps security a lot. If a bad cracker compromises
> your daemon he won't have much to show for ;)

That would not help much - The particular vulnerability that Nessus told
me about was DNS poisoning - The attacker never compromises your system;
however, he can make Bind resolve to incorrect addresses when a client
asks it for something. This can lead to minor jokes, to your clients
blaming you for having a bad network setup, or to the attacker
redirecting, say, a popular site to his machine, stealing confidential
user information.

Greetings,

------------------------------------------------------------
Gunnar Wolf - gwolf@campus.iztacala.unam.mx - (+52)5623-1118
Desarrollo y Admon. de Sistemas en Red - FES Iztacala - UNAM
Departamento de Seguridad en Computo   -   DGSCA    -   UNAM
------------------------------------------------------------
Quidquid latine dictum sit, altum viditur.