
Re: bind: mine or my ISP's? + proxy propaganda (was: what's internet-zahav and NV's nameservers?)



On Mon, 18 Jan 1999, Ira Abramov wrote:

> BIND 8  is pretty secure, and you can disable its listening on undesired
> ports (i.e. answering only for localhost for instance). I was just at a
> good security lecture 2 weeks ago (given by Jim Dennis, Answer Guy on the
> Linux Gazette) and he claims that dialups are definitely BEING scanned by
> hackers, and are hacked into, and he says it really is worth your while to
> take 15 minutes to set up some firewalling rules.

this is rather certain. when i was young (i.e. pretty unaware of 'security
life') i had all default daemons running. when i realized what i was
doing, i scanned the logs, and found various connections to my ftpd and
telnetd from semi-random addresses.

> I'd simply block port
> 53/tcp for incoming connections and forget about over half your worries,
> then I think there is a way to nicely block DNS responses from servers you
> have not queried, etc.

up until this line, i thought i'd say "yes, do what he says". but now that
you mention that simple blocking is not enough.... oh well. 

> > 2. install bind in a full version, and edit your '/etc/resolv.conf' file,
> >     adding '127.0.0.1' (your local host's address) there.
> > 
> >   disadvantages: security risk (a-la frodo's remarks). taking up more
> >              memory resources on your local PC. initial name lookups
> >              are slower than in the first case, since the whole lookup
> 
> difference in first lookup time is under 1ms, I wouldn't even give it a
> thought, and as for memory... I have a busy server here, main DNS of the
> intranet, and it's only 1.3 megs in memory. that's a good sacrifice for a
> faster name resolution on dialups, especially with 32 megs and up of
> system memory, and then it would probably take less memory too (how much
> does it take on YOUR machine?)

sorry. there was an implicit (now to become explicit) assumption that the
person who was asking this was referring to a machine connected to the
internet with a dialup connection (which has a 200ms or 300ms turn-around
latency). all my 'calculation' and conclusions are relevant to such a
situation. of course if you have a faster connection, this is completely
different. next time i'll try to state such implicit assumptions.

and btw (this is just a teaser) the first lookup delay may be way more
than 1ms, since the delay between you and your provider is usually a few
tens of milliseconds (unless you have a LAN connection to them, or some
other type of link i'm not aware of). but of course, this is irrelevant:
running a local DNS when you have a direct connection to some ISP, and
you have a local network and not a single workstation, is a
completely different story.

and btw, regarding the URL comment of frodo, i would add that one may even
try to run a local proxy server, configured to pool data from their ISP's
proxy server. i've done it once as a smallish exercise, and even with the
small disk space i gave it, it had some advantages over using the cache of
the web browser:

1. if there is more than one person at home that uses netscape (with their own
   accounts), the proxy will give you a combined cache.

2. you still avoid local DNS queries, as your proxy forwards all requests
   to its upwards proxy (your ISP's proxy).

3. you avoid the bugs (or misfeatures) of how netscape/lynx handle
   caching. you also have more control over your cache, as all proxy
   servers i'm familiar with have real configurable parameters, unlike
   web browsers (and lynx has no disk cache, and a rather lousy memory
   cache).

4. you can use some 'web scanning' program to scan a portion of a web
   site, and then view it offline (most proxies can be configured to work
   in an 'off-line mode').

5. you get to learn about installing and configuring a proxy server.

 guy
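What "answering only for localhost" from Ira's message looks like for BIND 8, together with the resolv.conf line from guy's option 2. This is an added example, not configuration posted in the thread; the directory, the root-hints file name root.cache, the loopback zone file named.local and the dialup interface name ppp0 are assumptions and will differ by distribution.

```conf
# /etc/named.conf  (BIND 8; added example, not from the original thread)
options {
        directory "/var/named";          # assumed location of the zone files
        # Bind the listener to the loopback address only, so named is never
        # reachable over the dialup interface (ppp0).  A firewall rule that
        # drops inbound 53/tcp and 53/udp on ppp0 is then a second, independent
        # layer rather than the only thing standing between named and the net.
        listen-on port 53 { 127.0.0.1; };
        # Even if a packet somehow reaches the daemon, only answer queries
        # coming from this machine.
        allow-query { localhost; };
        # No "forwarders" line: this is the full-resolver setup the thread is
        # discussing, so each new name is looked up starting at the root.
};

// Root hints: where a full lookup begins.
zone "." {
        type hint;
        file "root.cache";
};

// Reverse zone for the loopback address, so 127.0.0.1 resolves locally.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

# /etc/resolv.conf  (the line from option 2 in the quoted message)
nameserver 127.0.0.1
```

After restarting named, `netstat -an | grep ':53 '` should list only 127.0.0.1:53 for both tcp and udp; any 0.0.0.0:53 entry means listen-on did not take effect. Note that named's own outgoing queries still leave over ppp0 and their replies must be allowed back in to the source port named used, which is the "responses from servers you have not queried" problem Ira alludes to and is separate from the listener setting above.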
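The local proxy chained to the ISP's proxy that guy describes (items 2 and 4 of his list), as an added example in Squid's configuration syntax. The thread names no particular proxy; Squid itself, the listening port 3128, the parent hostname proxy.isp.example with port 8080, the cache path and the home LAN 192.168.1.0/24 are all assumptions.

```conf
# /etc/squid/squid.conf  (added example; Squid is an assumption, the thread
# names no specific proxy)
http_port 3128

# Small on-disk cache shared by every browser on the machine or LAN:
# 50 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 50 16 256

# The ISP's proxy is the only parent.  "no-query" skips ICP, which the ISP
# will not answer; "default" makes it the peer of last resort.
cache_peer proxy.isp.example parent 8080 0 no-query default

# Send every request to the parent instead of resolving and fetching it
# ourselves.  This is what keeps DNS lookups off the dialup link (item 2).
never_direct allow all

# Only this host and the home LAN may use the proxy.  Without the deny rule
# anyone who can reach the dialup interface gets an open proxy into the ISP.
acl all       src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet  src 192.168.1.0/255.255.255.0
http_access allow localhost
http_access allow localnet
http_access deny all

# Item 4: after fetching a site with a web-scanning program, set this to "on"
# and Squid serves what it has cached without contacting the parent.
offline_mode off
```

With never_direct in force, a parent outage means every request fails rather than falling back to a direct fetch; that is the intended trade-off here, since a direct fetch would reintroduce the local DNS query the setup is meant to avoid.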