SVLUG: Cricket Liu on Securing Internet Name Servers
Cricket Liu, Vice President of Architecture at Infoblox, gave a good talk on “Securing Internet Name Servers” at the Silicon Valley Linux Users’ Group tonight.
Cricket is the author of the O’Reilly book DNS and BIND, and also the DNS & BIND Cookbook.
He discussed general issues with securing DNS as well as specific historical attacks, such as cache poisoning through unrelated record data (a resolver accepting records it never asked for because they arrived in a response) and a couple of DNS denial-of-service attacks.
The overview of the Microsoft 48-hour DNS failure was entertaining. One of their technicians misconfigured a router, cutting off all four of their DNS servers from the Internet. When the router was fixed, their Windows-based DNS servers fell over under the backlog of queries. Then a DoS attack on that one router (a single point of failure) cut them off again. Verisign noticed that its root server was getting far more traffic than normal, most of it queries for microsoft.com and update.microsoft.com.
Also, BIND can send zone-transfer messages of up to 64 KB, which can crash some versions of Microsoft’s DNS server, which expect at most 16 KB.
He went over some basic configuration recommendations, such as running authoritative and recursive nameservers on separate hosts (simpler secure configuration and better performance), disabling BIND’s version response, and allowing zone transfers only to your own slaves.
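As an added illustration of those three recommendations (this is my own example, not code from the talk, from Infoblox or from the BIND project), here is a small audit script that parses a BIND named.conf and reports which of the three points a configuration fails. The two configurations it checks are constructed for the example; the zone name, the 192.0.2.x slave addresses and the “not disclosed” version string are placeholders. The parser is deliberately simplified: it tracks braces and strips comments but does not handle semicolons or braces inside quoted strings.

```python
"""Audit a BIND named.conf against three hardening points:
version string hidden, no recursion on an authoritative server
(or restricted recursion on a recursive one), and zone transfers
limited to named slaves instead of left open or set to 'any'.

Simplified parser: tracks braces, not quoted strings.
"""
import re

# Constructed sample configs for this example (not from the talk or any real deployment).
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;           // authoritative host also recursing
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { any; }; // anyone can pull the whole zone
};
"""

HARDENED_CONF = """\
acl slaves { 192.0.2.2; 192.0.2.3; };   // placeholder slave addresses
options {
    directory "/var/named";
    version "not disclosed";  // hides the version.bind CH TXT answer
    recursion no;             // authoritative only
    allow-transfer { slaves; };
};
zone "example.net" {
    type master;
    file "example.net.zone";
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def split_statements(text):
    """Split on ';' at brace depth 0; each item is one statement without its ';'."""
    stmts, cur, depth = [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return stmts


def parse_statement(stmt):
    """Return (words, inner): words before the first '{', and the text inside the outer braces (or None)."""
    i = stmt.find("{")
    if i < 0:
        return stmt.split(), None
    return stmt[:i].split(), stmt[i + 1:stmt.rfind("}")]


def block_items(inner):
    """Map keyword -> (argument words, nested brace text) for one block body."""
    items = {}
    for sub in split_statements(inner):
        words, nested = parse_statement(sub)
        if words:
            items[words[0]] = (words[1:], nested)
    return items


def acl_list(nested):
    """Turn '{ a; b; }' contents into ['a', 'b']."""
    return [t.strip() for t in nested.split(";") if t.strip()]


def audit_named_conf(conf, role="authoritative"):
    """Return a list of findings; an empty list means all checks pass for that role."""
    options, zones = {}, {}
    for stmt in split_statements(strip_comments(conf)):
        words, inner = parse_statement(stmt)
        if not words or inner is None:
            continue
        if words[0] == "options":
            options = block_items(inner)
        elif words[0] == "zone" and len(words) > 1:
            zones[words[1].strip('"')] = block_items(inner)

    findings = []
    if "version" not in options:
        findings.append("version.bind not hidden: add 'version \"...\";' to options")

    recursion = options.get("recursion", (["yes"], None))[0]  # BIND's default is yes
    if role == "authoritative" and recursion != ["no"]:
        findings.append("recursion enabled on an authoritative server: set 'recursion no;'")
    elif role == "recursive":
        allowed = options.get("allow-recursion")
        if allowed is None or "any" in acl_list(allowed[1] or ""):
            findings.append("open resolver: restrict allow-recursion to your own clients")

    for name, zone in zones.items():
        if zone.get("type", ([""], None))[0] != ["master"]:
            continue  # only the primary decides who may transfer
        xfer = zone.get("allow-transfer") or options.get("allow-transfer")
        if xfer is None:
            findings.append(f"zone {name}: allow-transfer unset, BIND's default permits transfers to anyone")
        elif "any" in acl_list(xfer[1] or ""):
            findings.append(f"zone {name}: allow-transfer {{ any; }} lets anyone pull the zone")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or ["ok"])
```

Run it with `role="recursive"` against a resolver’s config instead: the hardened authoritative config above then fails the open-resolver check, which is the point of keeping the two roles on separate hosts with separate configurations.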
Cricket described how a root server is not a single nameserver. Root operators use BGP anycast to announce the same address from geographically distributed sites, so a query reaches the nearest instance, and each site load-balances across dozens of servers.
He commented that djbdns is remarkable in some ways, but outdated now if you want newer DNS features. It also needs separate IP addresses if one host is to answer both authoritative and recursive queries, which he considered overkill for an intranet.
He also demonstrated the free DNS Advisor tool (sold under his name) by pointing it at a few public web sites. It runs 50 checks against publicly reachable nameservers.
Cricket recommends Rob Thomas’s Secure BIND Template.
My understanding is that initially Cricket got heavily involved with DNS at HP.
Cricket and Matt Larson joined Verisign when Verisign bought their small company, Acme Byte and Wire, several years ago. Cricket spent a year at Verisign, then joined Infoblox a few years ago. Infoblox is an east-coast company that builds and sells appliances for various purposes, now including DNS and DHCP. Matt is still at Verisign as a Principal Engineer.
The advantage of an Infoblox DNS appliance is a convenient UI for advanced configuration such as TSIG key management and load balancing, plus the performance of an optimized appliance.