On 4/1/2010 9:19 PM, Barry Margolin wrote:
In article<mailman.1048.1270148466.21153.bind-us...@lists.isc.org>,
Kevin Darcy<k...@chrysler.com> wrote:
Re-use of source ports for DNS queries is a bad security practice. I
cast my vote in favor of penalizing it, in the default configuration of
any device that responds to DNS requests.
It's really not the job of a load balancer or server to force clients to
use good security practices.
Trouble is, when everyone carves out their little area of responsibility
such that enforcing good security practices is "not my job, man", then
very few things enforce security practices, and ultimately they don't
get enforced at all.
Certainly a load-balancer can legitimately refuse to serve queries that
are suspect, can it not? E.g. that are malformed in particular ways that
indicate hostile intent. So, where in the spectrum of "suspectness" can
we draw the line and say, everything on that side, I trust to answer,
and everything on the other side of the line, I don't? I think a client
that re-uses source ports is untrustworthy. Therefore I think it's a
reasonable default to decline to service queries from such clients.
I realize that such a default setting may not be very popular. A lot of,
er, unsophisticated customers for such devices may not realize or
understand the default setting and then may have a tough time
understanding why they have difficulty serving DNS to certain clients.
But this is a matter of notification/documentation and education. The
manual should have in big red letters "IF YOU WANT TO SUPPORT CERTAIN
LEGACY CLIENTS THAT DO NOT CONFORM TO BEST CURRENT SECURITY PRACTICES,
YOU NEED TO CHANGE THE DEFAULT SETTING". At least then, the customer is
made aware of the insecurity that they are enabling by changing the
setting. This may also be a factor if there is ever any question about
legal liability in the case of a security event.
I suspect this is actually a bug, but the vendor is using the security
value of it as an excuse to lower its priority.
That may also be true, if I were dealing with the vendor I'd point out
that if it is a deliberate security design, it should only be a default
and there *must* be a way to turn it off. I can think of lots of
internal environments where the clients and servers, and their
interaction is considered secure, but there is a re-use -- or apparent
re-use -- of source ports, and in those particular cases the
load-balancer shouldn't be refusing service. If there is no way to turn
off this "security feature", then it should be possible to embarrass the
vendor into admitting that it's really a bug rather than a designed-in
feature.
- Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
