[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: [IP] more on China DNS filters and collateral damage
Delivered-To: dfarber+@ux13.sp.cs.cmu.edu Date: Fri, 14 Nov 2003 22:38:13 +1100 From: Andrew Pam <xanni@glasswings.com.au> Subject: Re: [IP] China DNS filters and collateral damage To: Dave Farber <dave@farber.net> On Fri, Nov 14, 2003 at 06:11:19AM -0500, Dave Farber wrote: > Many of these university DNS servers are the same ones used for > recursive queries by the university's client hosts. While this is the default for the widely deployed BIND nameserver, it is a poor security practice. My professional advice to the system administrators would be to run resolving DNS servers on different hosts than their authoritative nameservers, which would not only alleviate the symptoms described but also reduce the vulnerability of the authoritative nameservers from exposure to the systems authorised to use them as resolvers. (For example, DoS and cache poisoning attacks.) Furthermore, this may eliminate the requirement to connect the authoritative nameservers to the internal network at all, thus also reducing the risk of exposure to external attacks against the nameservers - as indeed resulted in security breaches at many sites some years ago. Regards, Andrew Pam -- mailto:xanni@xanadu.net Andrew Pam http://www.xanadu.com.au/ Chief Scientist, Xanadu http://www.glasswings.com.au/ Technology Manager, Glass Wingshttp://www.sericyb.com.au/ Manager, Serious Cybernetics
------------------------------------- To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Powered by eList eXpress LLC