#1  jonhanna (Member), 01-23-2009, 03:42 PM
I have a question over resolver and DNS

So I am trying to figure out resolvers, and I need to figure out how a resolver might attempt to find the IP address of the example domain. I don't know too much about resolvers and I was wondering if someone could help me.
My second question is for a project I am setting up, and I need to figure out which part of the DNS is most vulnerable to an attack from a malicious user and why this is. I need to have a reason for this, so if anyone could help me on this too, it would be greatly appreciated.
Thanks
 
#2  unSpawn (Moderator), 01-23-2009, 08:25 PM
Quote: Originally Posted by jonhanna
> I need to figure out how a resolver might attempt to find the IP address
For an explanation maybe start with Name Service and Resolver Configuration?


Quote: Originally Posted by jonhanna
> I need to figure out which part of the DNS is most vulnerable to an attack
See www.cve.mitre.org, www.kb.cert.org, securityfocus.com and secunia.com and do some research using terms like DNS and vulnerability, Paul Vixie, Dan Kaminsky, Dancho Danchev


Quote: Originally Posted by jonhanna
> (..) and why is this?
...which should give you a cornucopia of reasons, ranging from "simple" privilege escalations in software and 'net infrastructure crippling Root Server DDoS and identity theft to spoofed DNS recursion attacks, rebinding and cache poisoning attacks. (Also see 'net "economy" as in Russian Business Network, shadowserver as in botnet stats, shady marketing, typo-squatting, malware distribution.)
 
#3  salasi (Senior Member), 01-24-2009, 07:08 AM
...and bear in mind that DNS != Bind (ie, there are alternatives).
 
#4  unSpawn (Moderator), 01-24-2009, 07:10 AM
Quote: Originally Posted by salasi
> ...and bear in mind that DNS != Bind (ie, there are alternatives).
Good one, I could have said that...
 
#5  salasi (Senior Member), 01-25-2009, 09:37 AM
If you were trying to say "I said that first", I'll also throw in this example from '07:

http://www.linuxquestions.org/questi...?highlight=dns

More seriously, I don't know why so many people think DNS is exactly equivalent to bind. Setting up Bind can be a bit of a pain, particularly when it's chrooted, and the history of Bind is not one that gives you a great deal of confidence that the current version is free of significant bugs.

Something like djbdns/dnsmasq/maradns/pdns is a better bet (imho) in simpler set ups, although there can still be a case for the Bind 'swiss army knife' for some of the more involved set-ups.

And, for a secure installation, with Bind, I think that you should know who is your security specialist, and that they check for security advisories on a very frequent basis.

This may be overkill for a small installation.

You may think I'm being paranoid (and you may be right), but most of the effort in trying to develop exploits seems to be expended against Bind rather than the alternatives and so I'm a bit more relaxed about the security situation with, say, djbdns than Bind.
 
#6  servat78 (Member), 01-25-2009, 08:50 PM
I guess you will have to decide which DNS implementation you want to use before figuring out the resolver mechanism. As for the attack issues, this seems rather to be a firewall/router topic, since these are better suited to deal with attacks. I would assume name servers are always behind a firewall; it should be quite rare to have a name server as the only computer in an office. Otherwise, putting 'named' in a jailroot seems to be quite common as a precaution.

Debian

Last edited by servat78; 02-19-2009 at 12:18 PM.
 
#7  salasi (Senior Member), 01-26-2009, 07:14 AM
Quote: Originally Posted by servat78
> I guess you will have to decide which DNS implementation you want to use, before figuring out the resolver mechanism.
Not necessarily; understanding the protocol first seems like a very valid first step and that helps whichever resolver you eventually decide on.

Quote: Originally Posted by servat78
> As for the attack issues - this seems rather to be a firewall/router topic, since these are better suited to deal with attacks.
I'm sorry, but not completely. If you look at the Kaminsky exploit (for example here http://blog.invisibledenizen.org/200...ly-leaked.html or, for those of a more techie bent, here http://www.securiteam.com/exploits/5DP0L15OUY.html), the mechanism is such that the DNS resolver seems to be doing the kind of thing that a DNS resolver should be doing, so it's unclear what a firewall should be doing to stop that (without breaking all of DNS).

If you have a blacklist of all those involved in the exploit, you could use that with your firewall ruleset, but isn't curing the fundamental problem better?
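The iterative lookup asked about in #1 (root, then TLD, then the zone's own name server) and the check that salasi's point in #7 turns on (the resolver itself, not the firewall, has to refuse data it should not trust) as one added Python example; this is not code from the thread, and every server, name and address in it is constructed from documentation ranges. The "bailiwick" rule it applies, caching glue only when the name lies inside the zone of the server that sent it, is what a cache relies on to avoid being fed records for unrelated domains.

```python
# Constructed "internet": server IP -> (zone it serves, table of answers).
# An answer is (answer_rrs, authority_rrs, additional_rrs); RRs are (name, type, data).
SERVERS = {
    "198.51.100.1": (".", {                   # constructed root server
        "com.": ([], [("com.", "NS", "a.tld.test.")],
                 [("a.tld.test.", "A", "198.51.100.2")]),
    }),
    "198.51.100.2": ("com.", {                # constructed .com TLD server
        "example.com.": ([], [("example.com.", "NS", "ns1.example.com.")],
                         [("ns1.example.com.", "A", "192.0.2.53"),
                          # out-of-bailiwick glue: a .com server has no say over .net
                          ("www.bank.net.", "A", "203.0.113.99")]),
    }),
    "192.0.2.53": ("example.com.", {          # constructed authoritative server
        "www.example.com.": ([("www.example.com.", "A", "192.0.2.80")], [], []),
    }),
}
ROOT_HINT = "198.51.100.1"

def in_bailiwick(name, zone):
    """True if name is at or below zone (the root '.' covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server_ip, qname):
    """Simulated query: the server answers for the closest name it knows."""
    zone, table = SERVERS[server_ip]
    labels = qname.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in table:
            return zone, table[cand]
    return zone, ([], [], [])

def resolve(qname, cache):
    """Follow referrals from the root; return (address, servers_asked)."""
    server, path = ROOT_HINT, []
    for _ in range(8):                        # bound the referral chain
        path.append(server)
        zone, (ans, auth, add) = query(server, qname)
        for name, rtype, data in ans:
            if name == qname and rtype == "A":
                return data, path
        for name, rtype, data in add:         # cache only in-zone glue
            if rtype == "A" and in_bailiwick(name, zone):
                cache[name] = data
        ns = [d for _n, t, d in auth if t == "NS" and d in cache]
        if not ns:
            raise RuntimeError("referral without usable glue from " + server)
        server = cache[ns[0]]
    raise RuntimeError("too many referrals")
```

Running resolve("www.example.com.", {}) walks all three constructed servers and returns 192.0.2.80, while the www.bank.net. glue the TLD server slipped in never reaches the cache.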
 