huh? You on crack? BIND is hit more than anything else, even IIS!
OK, in consideration of how widespread its use is it has had few
problems.
BUT, in consideration of how widespread its use is those few problems
are really big deals.
The problem is partially that the code has (had) holes.
The problem is partially that no one keeps it patched on their systems.
Either way - you look at 200+ BIND boxes on campus that can be exploited and tell me it's not a nightmare.
"You need to turn off BIND."
"Why - I need DNS! Everyone needs DNS!"
"I know - that's why we have one big DNS server for campus."
"I don't want to suffer the performance hit of it going all the way
there."
"We have gig ethernet - response time isn't a consideration."
"BUT I WANT IT!"
"OK, upgrade it then."
"I don't know how."
"Then don't run it."
"But I need DNS!"
"Listen, turn it off or upgrade it or I will turn off your port."
"OK, OK!"
"What's the box used for anyway?"
"I dunno - it's been sitting in the corner of this lab forever."
"AUGH!!"
-- Brent
-----Original Message-----
From: "Spurling; Shannon " [mailto:EMAIL:PROTECTED]
Sent: Thursday, July 05, 2001 2:38 PM
To: EMAIL:PROTECTED
Subject: RE: (MLUG) DNS?
Why is BIND considered a security nightmare? There have been relatively few compromises for such a widely used and modified codebase.
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Neil Bradshaw [mailto:EMAIL:PROTECTED]
Sent: Thursday, July 05, 2001 1:13 PM
To: EMAIL:PROTECTED
Subject: Re: [MLUG] DNS?
Whenever you use DHCP, it will automatically spit out a hostname for you. You can have a local alias, but you need to use the hostname MU gives you (like mu-255255.dhcp.missouri.edu, where 255255 is the last two octets of your IP address (in this example, it would be 128.206.255.255)). If you don't use that hostname, the IAT Services secret police will find you.
Actually, we have no secret police. But you could cause network problems by using DHCP IPs and illegal hostnames. No DNS servers would point at that IP, so unless you make your own DNS and reverse DNS, lookups probably won't work. And for the love of everything holy in this universe, do not make your own DNS server. BIND is a security nightmare, and beyond that it can be a real pain to set up. Not only that, if people start pointing their DNS resolutions at your DNS server and it congests the network, your port might get shut off :( Beyond that, I believe it is against MU policy for TCP SYN packets to be accepted on DHCP addresses (basically meaning in a nutshell that you can't be a server on a DHCP address). Obviously, we aren't going to beat you with a sucker rod if you're using your machine to send yourself files remotely, but running a server with a DHCP address isn't kosher as far as I know.
If you want a static IP and a hostname associated with your machine, talk to the help desk. I think there's a charge for getting one, and you're most likely to be stuck in a subdomain unless you have good reason not to be there (like host.iats.missouri.edu or host.cecs.missouri.edu as opposed to host.missouri.edu).
Boom?
Regards,
Neil Bradshaw
"No soup for you, COME BACK TOMORROW!"
IATS/MU: EMAIL:PROTECTED
Personal: EMAIL:PROTECTED
Web: http://web.missouri.edu/~npba45/
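As an added example (not part of the thread, and not MU's or MOREnet's tooling), the snippet below derives the DHCP hostname Neil describes from an address and then shows why a machine that calls itself something else breaks lookups: forward and reverse records only agree for the assigned name. The campus /16, the zero-padding of the octets (the post only shows 255255) and the sample A/PTR records are all assumptions constructed for the example.

```python
"""Added example: the MU DHCP hostname scheme and a forward/reverse consistency check."""
import ipaddress

DHCP_SUFFIX = "dhcp.missouri.edu"                    # suffix quoted in the post
CAMPUS_NET = ipaddress.ip_network("128.206.0.0/16")  # assumption: /16 implied by 128.206.255.255


def dhcp_hostname(ip: str) -> str:
    """'mu-' + last two octets + '.dhcp.missouri.edu', as described in the post.

    Assumption: each octet is zero-padded to three digits so that the
    name is unambiguous (e.g. 128.206.1.2 -> mu-001002...)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr not in CAMPUS_NET:
        raise ValueError(f"{ip} is outside the assumed campus DHCP range {CAMPUS_NET}")
    third, fourth = addr.packed[2], addr.packed[3]
    return f"mu-{third:03d}{fourth:03d}.{DHCP_SUFFIX}"


# Constructed sample records standing in for the campus name servers (not real MU data).
FORWARD_A = {"mu-255255.dhcp.missouri.edu": "128.206.255.255"}
REVERSE_PTR = {"128.206.255.255": "mu-255255.dhcp.missouri.edu"}


def diagnose_hostname(ip: str, claimed: str, forward=FORWARD_A, reverse=REVERSE_PTR) -> list:
    """Return the lookup problems a machine on `ip` hits if it calls itself `claimed`.

    An empty list means the claimed name matches the assigned one and the
    forward (A) and reverse (PTR) records agree with it."""
    problems = []
    name = claimed.lower().rstrip(".")
    expected = dhcp_hostname(ip)
    if name != expected:
        problems.append(f"claimed name {name!r} differs from the assigned {expected!r}")
    if forward.get(name) != ip:
        problems.append(f"no A record maps {name!r} to {ip}")
    ptr = reverse.get(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr != name:
        problems.append(f"PTR for {ip} names {ptr!r}, not {name!r}")
    return problems


if __name__ == "__main__":
    print(dhcp_hostname("128.206.255.255"))
    print(diagnose_hostname("128.206.255.255", "mu-255255.dhcp.missouri.edu"))
    print(diagnose_hostname("128.206.255.255", "mybox.dhcp.missouri.edu"))
```

Run against the constructed records, the assigned name comes back clean while an "illegal" name produces three complaints: it is not the assigned name, nothing forward-resolves it to the address, and the PTR for the address points at a different host, which is exactly the "lookups probably won't work" outcome the post warns about.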
--
To manage your subscription, go to
http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/