% On Tue, 2003-05-27 at 09:30, Bill Manning wrote:
% > ----- Forwarded message from Bill Manning -----
% <snip>
% >
% > er, "a bit more effort" == one line of perl
% > if someone -wants- your DNS data and your server answers
% > queries, it's theirs. the difficulty of constructing a
% > zone, a query at a time, is trivial.
%
% You're assuming that the average script kiddie either knows perl, or has
% a tool available. Yes, both animals are probably out there, and for
% them, it is trivial. But for the multitude of kiddies that DON'T know
% perl, or how to find such a tool, blocking zone transfers to
% unauthorized hosts is NOT a bad idea. There is virtually no performance
% hit on the server, and you're not denying service to valid hosts; I see
% no reason not to take this additional step. It's been said before and
% I'll say it again: Security through obscurity is an acceptable piece of
% a good security scheme.
no, i presume that some kind soul has created the one
line of perl and that it has been integrated into a
"point/click" GUI that your ASK will download and use.
operationally, you now have to keep up with the list of
"valid" servers that are allowed to xfer zones. what's
one more "tiny, wafer-thin" special exception list to
track? :)
obscurity has its own allure.
% Purposefully allowing untrusted parties to get entire zones in one fell
% swoop is roughly akin to leaving a big pile of cash in your front yard
% with a sign that says "Please don't touch the money". If the money were
% locked up in a {house|vault|bank|etc} someone could still get at it if
% they wanted it bad enough, but you'd discourage the casual passerby from
% taking it.
but you are allowing random queries from "untrusted" parties?
that's like having a big pile of cash in your front yard and
telling folks that they can only take three bills at a time.
using the DNS protocols, zone xfr is a big ol' 12amp sweeper,
query wrapped w/ perl is a smaller 8amp sweeper and manual
query is picking it up by hand. You still get the three
bills at a time, it's just that the interval gets shorter... :)
now the analogy breaks down because unlike cash, DNS data
has a "freshness" component.
% > remember that the DNS is a public database. some folks
% > call it a public, hostile database. if you don't want
% > folks to see your data, don't put it on the net.
%
% You are absolutely correct, it is a public, hostile database. And when
% you operate in hostile environs, you take every measure you can to
% protect yourself, or your data, in this case.
but it's not your data... it's public data. your job is to
ensure that folks on the net have access to it.
% Aaron Howell
% --
% Network/System Administrator
% Amerion, LLC
%
% -- Disclaimer --
% the opinions expressed in this email are solely my own, and do not
% reflect those of my employer, my government, or my dog.
%
%
--
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
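The operational cost Bill raises (keeping the list of "valid" transfer peers current) is easiest to live with if the list is also what you audit the server's logs against. The script below is an added example, not code from either poster: it scans BIND 9 style query-log lines for AXFR/IXFR requests, flags any from a client outside a per-zone allow-list, and counts transfer requests per client so a burst from one address stands out. The log line shape, the allow-list and the sample addresses are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches "client <addr>#<port> ... query: <zone> IN AXFR|IXFR" in a BIND 9
# style query log; the "(zone)" some versions print after the port is skipped.
XFER_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F.:]+)#\d+.*?query: (?P<zone>\S+) IN (?P<rtype>AXFR|IXFR)"
)

# Constructed allow-list (assumption): the only hosts this primary should
# transfer each zone to, as networks so a whole secondary subnet can be listed.
ALLOWED_XFER = {
    "example.com": [ipaddress.ip_network("192.0.2.53/32"),
                    ipaddress.ip_network("2001:db8::/64")],
}

def xfer_allowed(zone, addr):
    """True only if addr lies inside one of the zone's allowed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_XFER.get(zone.rstrip("."), []))

def audit_xfer_requests(lines):
    """Return (unauthorized, per_client): (addr, zone, rtype) tuples the
    allow-list would reject, and a Counter of transfer requests per client."""
    unauthorized, per_client = [], Counter()
    for line in lines:
        m = XFER_RE.search(line)
        if not m:
            continue  # ordinary query or unrelated log line
        addr, zone, rtype = m.group("addr", "zone", "rtype")
        per_client[addr] += 1
        if not xfer_allowed(zone, addr):
            unauthorized.append((addr, zone.rstrip("."), rtype))
    return unauthorized, per_client

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    "27-May-2003 09:30:01.100 client 192.0.2.53#52001 (example.com): query: example.com IN AXFR +T (198.51.100.1)",
    "27-May-2003 09:30:02.200 client 203.0.113.7#40123 (example.com): query: example.com IN AXFR +T (198.51.100.1)",
    "27-May-2003 09:30:02.300 client 203.0.113.7#40124 (www.example.com): query: www.example.com IN A + (198.51.100.1)",
    "27-May-2003 09:30:03.400 client 2001:db8::10#5353 (example.com): query: example.com IN IXFR +T (198.51.100.1)",
]

if __name__ == "__main__":
    bad, counts = audit_xfer_requests(SAMPLE_LOG)
    for addr, zone, rtype in bad:
        print(f"{rtype} of {zone} from {addr}: not on allow-list")
```

Against the sample lines only the AXFR from 203.0.113.7 is reported; the plain A query from the same host is ignored, since this checks transfers, not ordinary lookups.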