On Tue, 7 Aug 2007, Kevin Oberman wrote:
This has been a pain for me for years. I have tried to reason with security people about this and, while they don't dispute my reasoning, they always end up saying that it is the "standard" practice and that, lacking any evidence of what it might be breaking, it will continue to be blocked. And I don't mean small companies, either. One of the biggest issues I have is with one of the country's largest government-funded research labs.
Having worked on both sides of the fence, i.e. I was a card-carrying member of both ASIS and NFPA, I used to grumble about the kooky things sysadmins and programmers did in the name of "security" as much as I grumbled about the kooky things security folks did in the name of "security." Heck, if programmers only produced bug-free software and sysadmins kept only well-configured systems, security people would have a lot less work to do.

What are the industry best practices for keeping DNS servers secure?

CERT publishes a document on securing DNS:
<http://www.cert.org/archive/pdf/dns.pdf>

NIST publishes a document on securing DNS:
<http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm>

Cymru publishes a document on securing DNS:
<http://www.cymru.com/Documents/secure-bind-template.html>

Microsoft publishes a document on securing DNS:
<http://technet2.microsoft.com/WindowsServer/en/Library/0fe406eb-6ca2-4d95-9a18-aede7e931ca21033.mspx>

IETF publishes a document on operational (including security) requirements for root DNS servers:
<http://www.rfc-editor.org/rfc/rfc2870.txt>

While there is a lot in common, they each also have variations and omissions, especially when it comes to some possibly obscure interactions with many different protocols and applications. The relationships between IP, ICMP, TCP, UDP and DNS seem to be tough for many people to get right. When you add undocumented "common knowledge" and other applications leveraging DNS for all sorts of stuff besides name/address resolution, it's the typical programmer-generated pile of spaghetti. It's often simpler to wait for something to break before you fix it. I know many sysadmins, programmers and even security people who use that philosophy to decide which things to work on today. The good thing about security folks (and their cousins, the auditors) is most are compliance driven. So if you get a new Industry Best Practice, often they will become your friend enforcing whatever that says.
So what should the Industry Best Practice(s) for DNS servers (root, authoritative and recursive) be? And what should it say about the interaction between IP/ICMP and TCP/UDP? And maybe we'll even get G-Root to follow it.