WHITEPAPER

Securing External Name Servers

This white paper discusses the critical nature of external name servers and examines the practice of using common makes of name servers in that role, as well as the Infoblox DNSone appliance-based solution.

The Function of External Name Servers

External name servers provide two important services to a corporate network: Resolving Internet domain names, usually on behalf of internal resolvers and name servers; and answering queries about the company’s domain names for name servers on the Internet. The former role is critical to accessing web sites, sending electronic mail, and just about any other use of the Internet by the company and its employees. The latter role is necessary to the company’s conducting business on the Internet, for access to the company’s web site, for inbound electronic mail delivery, and more. In well-designed DNS architectures, these roles are split between two sets of external name servers. In this paper, I’ll refer to the name servers that assist in the resolution of Internet domain names as “forwarders,” and to the name servers that answer queries about the company’s domain names as “authoritative name servers.” The diagram below depicts their locations and functions.

Figure 1: Roles of External Name Servers. [Diagram: the Internet at the top; the company's Authoritative Name Servers and Forwarders in between; the internal Name Servers on the Company.com Network below.]


Common Mistakes

Though most administrators recognize the importance of external name servers, the occasional misconfiguration or operational mistake is inevitable, largely because of the complexity of managing most name servers. For example, every administrator of a BIND name server, the preferred make of external name server, has at some point introduced a syntax error into a named.conf file or a zone data file. A syntax error in a zone data file that goes unnoticed leaves the name server unable to load that zone: on a reload BIND keeps serving the previous copy of the zone data, and at startup it serves nothing for that zone at all. Worse, a syntax error in the name server's configuration file prevents the name server from starting.
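The check that catches this class of mistake before it reaches the running server is BIND 9's own named-checkconf and named-checkzone. The script below is an added example, not code from the paper or from Infoblox: it refuses to ask named to reload unless the configuration and every listed zone file parse cleanly. It assumes named-checkconf, named-checkzone and rndc are on PATH, and the paths /etc/named.conf and /var/named/db.company.com and the zone name company.com are illustrative.

```shell
#!/bin/sh
# safe-reload.sh: only reload named after named.conf and every zone file
# pass BIND's own syntax checkers. Added example; not from the original paper.
# The tool names can be overridden through the environment (the tests do
# this); the default paths below are assumptions for illustration.

NAMED_CHECKCONF=${NAMED_CHECKCONF:-named-checkconf}
NAMED_CHECKZONE=${NAMED_CHECKZONE:-named-checkzone}
RNDC=${RNDC:-rndc}
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}

# check_config CONF: syntax-check named.conf. Returns 0 on success.
check_config() {
    "$NAMED_CHECKCONF" "$1"
}

# check_zone ZONE FILE: load FILE as ZONE and reject any syntax error.
# Returns 0 on success.
check_zone() {
    "$NAMED_CHECKZONE" -q "$1" "$2"
}

# safe_reload CONF ZONE FILE [ZONE FILE ...]: run every check, and only if
# all of them pass ask the running server to reload. Returns 0 when the
# reload was issued, 1 when a check failed and the running server was
# deliberately left alone (it keeps serving the last good data).
safe_reload() {
    conf=$1; shift
    check_config "$conf" || {
        echo "$conf rejected by named-checkconf; not reloading" >&2
        return 1
    }
    while [ $# -ge 2 ]; do
        check_zone "$1" "$2" || {
            echo "zone $1 ($2) rejected by named-checkzone; not reloading" >&2
            return 1
        }
        shift 2
    done
    "$RNDC" reload
}

# When run as ./safe-reload.sh (rather than sourced), check and reload the
# assumed example zone.
if [ "${0##*/}" = "safe-reload.sh" ]; then
    safe_reload "$NAMED_CONF" company.com /var/named/db.company.com
fi
```

Run it instead of calling rndc reload directly; the same checks belong in any deployment pipeline that copies new zone files onto the server.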

Many administrators don't take the simple precaution of configuring their external name servers to process recursive queries only from internal IP addresses (in BIND, the allow-recursion option). This may be because they don't know how, or because they don't understand the implications of leaving an external name server "open" to recursive queries from anyone on the Internet.
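The two roles described above call for two different sets of BIND access controls, and the recursion restriction is where they differ most. The named.conf fragments below are an added example, not configuration from the paper or from Infoblox; the `internal` address ranges, the secondary's address 192.0.2.53, and the zone file name are assumptions.

```conf
// --- Forwarder: recurses for internal hosts only ------------------------
// "internal" lists assumed private ranges; substitute your own address space.
acl internal { 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion yes;
    allow-query       { internal; };   // nobody on the Internet needs to ask this server anything
    allow-recursion   { internal; };   // the setting most often left open
    allow-query-cache { internal; };   // BIND 9.4+: don't hand cached answers to outsiders either
    allow-transfer    { none; };       // forwarders hold no zones to transfer
};

// --- Authoritative server for company.com: answers anyone, recurses for no one
// 192.0.2.53 stands in for the secondary server's address (assumed).
options {
    directory "/var/named";
    recursion no;                       // authoritative-only: nothing cached, nothing to poison
    allow-query    { any; };            // the Internet must be able to resolve company.com
    allow-transfer { 192.0.2.53; };     // only the secondary may pull the whole zone
};

zone "company.com" {
    type master;
    file "db.company.com";
    allow-update { none; };             // reject dynamic updates from the Internet
};
```

The two options blocks belong in two different named.conf files, one per server. With the authoritative server set to recursion no it has no cache at all, so the split of roles removes the poisoning target from the one server that must answer the whole Internet.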

A name server that accepts recursive queries from arbitrary IP addresses is exposed to cache poisoning attacks: anyone on the Internet can make it look up names of the attacker's choosing, and an attacker who can do that can try to induce the name server to cache fabricated data. In the most famous attack of this kind, Eugene Kashpureff poisoned the caches of hundreds of Internet name servers, leading them to direct users accessing www.internic.net to the IP address of a web server run by an organization called the AlterNIC. It's difficult to overstate the damage an attack like this could cause today: a hacker could redirect traffic intended for a bank's web site to a web server hosting a replica of the site's content and steal account numbers and passwords, or siphon off traffic meant for a web-based merchant to an identical web site and capture credit card numbers. An open recursive server can also be turned against third parties, since the Internet at large can use it to send large answers to spoofed source addresses.
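Whether a server is "open" in this sense is easy to test from outside: send it a query with the RD (recursion desired) bit set for a name it is not authoritative for, and look at the reply header. The script below is an added example, not code from the paper or from Infoblox. It assumes BIND's dig is on PATH; the default server name ns1.company.com and the probe name example.com are illustrative, and the three dig header excerpts at the bottom are constructed samples, not captures.

```shell
#!/bin/sh
# check-recursion.sh: ask a name server, with RD set, for a name it is not
# authoritative for and decide from the reply header whether it recursed
# on behalf of an arbitrary client. Added example, not from the original
# paper. Assumes dig is installed; server and probe name are illustrative.

# classify_dig_output TEXT: parse dig's header lines and print
#   open   - RA set, status NOERROR and at least one answer: the server
#            recursed for us, so it will recurse for anyone
#   closed - REFUSED, RA clear, or no answer: recursion is restricted
classify_dig_output() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*) ra=1 ;;   # server advertises "recursion available" to this client
        *)        ra=0 ;;
    esac
    if [ "$status" = NOERROR ] && [ "$ra" = 1 ] && [ "${answers:-0}" -gt 0 ]; then
        echo open
    else
        echo closed
    fi
}

# probe SERVER NAME: query SERVER for NAME (an A record) and print the verdict.
probe() {
    classify_dig_output "$(dig "@$1" +recurse +tries=1 +time=3 "$2" A 2>&1)"
}

# Constructed dig header excerpts (not real captures) showing the reply
# shapes met in practice.
# 1. An open recursor: it resolved the name for us.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# 2. A forwarder with allow-recursion restricted: REFUSED, RA cleared.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4322
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# 3. An authoritative-only server: NOERROR, but no RA and only a referral.
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4323
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

# When run as ./check-recursion.sh SERVER NAME, probe a live server.
if [ "${0##*/}" = "check-recursion.sh" ]; then
    probe "${1:-ns1.company.com}" "${2:-example.com}"
fi
```

Run the probe from an address outside your internal ranges; from inside, a correctly restricted forwarder will (and should) answer "open". A forwarder that answers "open" from the Internet needs the allow-recursion restriction described above; an authoritative server that answers "open" should have recursion turned off altogether.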

With BIND name servers, upgrading to a new version of the software is non-trivial. Upgrading involves, at the very least, downloading new source code, compiling, testing, and installing it. In many cases, incompatibilities with previous versions of BIND force administrators to modify configurations or zone data or, worse, read documentation. Consequently, many administrators put off the crucial task of upgrading their name servers when new versions are released.

This can have disastrous effects. Months after a buffer overrun was discovered and patched in the BIND code, the Lion worm exploited the vulnerability to infect hundreds of name servers around the Internet. The worm also installed a “rootkit,” which the worm’s author (or anyone else familiar with the worm’s operation) could


Why Not Use a General-purpose Computer?

Most companies deploying external name servers—even those convinced of their importance—choose computers running general-purpose operating systems as their platform. This is a poor choice for several reasons:

• General-purpose operating systems require significant knowledge and effort to secure. Securing a UNIX OS requires understanding which network and system services should be disabled and how to disable them, which patches are necessary, which kernel modules and device drivers are needed and which are extraneous, how to configure UNIX packet filters, and much more.

• In addition to patching the OS, the name server code itself frequently needs to be upgraded to address vulnerabilities or simply to add new features. This usually must be done separately from upgrading the operating system.

• General-purpose OSes support user logins. Hackers can use these to gain administrator-level access to the operating system. Even in the best case, with secure logins and benign users, those users may inadvertently destabilize the operating system by installing software that consumes system resources, by filling disks, etc.

• Most general-purpose operating systems offer all-or-nothing administration: Either you can change any aspect of the name server’s configuration and zone data, or you can configure nothing. Giving a junior administrator limited access to the name server is nearly impossible.

• Configuration of a name server’s internal security mechanisms is difficult, and consequently often ignored by even seasoned administrators.

[Figure: the same layout as Figure 1 with DNSone appliances in the authoritative name server and forwarder roles between the Internet and the Company.com Network.]


Why Use Infoblox DNSone® Solutions as Your External Name Server?

The DNSone appliance-based approach makes setting up a secure, simple, and reliable external name server straightforward:

• The appliance is secure as shipped. The operating environment doesn’t include unnecessary network and system services, and the minimal kernel is built with only required device drivers.

• Patching the appliance requires just one button-click, and patches can upgrade both the name server software and the underlying operating system. Moreover, Infoblox alerts customers of the availability of important patches.

• It doesn’t support user logins, making it difficult for a hacker to gain a foothold on the appliance and impossible for users to degrade the operating environment.

• The DNSone solution lets you create multiple administrators, each with different, customizable privileges. One may only be able to modify the contents of a single zone or lease pool, while others have broader access.

• The GUI simplifies the configuration of the name server’s powerful internal security mechanisms. You can use DNSone’s graphical user interface to configure access lists for queries, recursive queries, zone transfers, or dynamic updates without understanding any arcane syntactic rules.

• The approach lets you consolidate all of your external name servers onto a single, integrated hardware and software platform that scales easily and maximizes staff effort.

For more information, or to evaluate a DNSone solution as an external name server in your environment, please contact Infoblox at 1-866-463-6256 or email info@infoblox.com. Additional information is also available at www.infoblox.com.

About Infoblox

Infoblox (NYSE:BLOX) helps customers control their networks. Infoblox solutions help businesses automate complex network control functions to reduce costs and increase security and uptime. Our technology enables automatic discovery, real-time configuration and change management and compliance for network infrastructure, as well as critical network control functions such as DNS, DHCP and IP Address Management (IPAM) for applications and endpoint devices. Infoblox solutions help over 6,500 enterprises and service providers in 25 countries control their networks.


CORPORATE HEADQUARTERS:

+1.408.986.4000

+1.866.463.6256

(toll-free, U.S. and Canada)

info@infoblox.com

EMEA HEADQUARTERS:

+32.3.259.04.30

info-emea@infoblox.com

APAC HEADQUARTERS:

+852.3793.3428

sales-apac@infoblox.com
