BIND chroot environment in 10-RELEASE...gone?
Mark Felder
feld at FreeBSD.org
Fri Dec 6 23:08:16 UTC 2013
On Fri, Dec 6, 2013, at 16:33, Mark Andrews wrote:
>
> In message
> <1386367748.17212.56515229.7C50AFEB at webmail.messagingengine.com>, Ma
> rk Felder writes:
> > On Fri, Dec 6, 2013, at 16:00, Mark Andrews wrote:
> > >
> > > But they should all be running a resursive validating resolver on
> > > every box.
> > >
> >
> > Are you *really* suggesting that I should run a recursive validating
> > server on every single server I admin?
>
> I'm suggesting that it should be run on *every* machine in the
> world, until all the applications that use data from the DNS have
> been upgraded to validate the data they get from the DNS, need to
> be be running a validating resolver.
>
> MiTM attacks happen all the time in the DNS.
>
> For mobile devices I would say "Don't leave home without one" to
> use a well know slogan.
>
In a world where every zone is signed (DNSSEC) I might agree, but what's
preventing your traffic from being a victim of a MITM attack when 99% of
the internet doesn't have DNSSEC deployed? Having a local resolver
doesn't improve your security in a statistically significant way.
I'm a small fish working in a small ISP, and I admin the DNS servers for
maybe 5000 zones. I have zero DNSSEC. In 2014 I expect to maybe have one
zone (ours) with DNSSEC. I do not even expect our customers to request
or understand DNSSEC by 2020 -- not even the local banks and credit
unions we are authoritative for.
On the other hand, running a new daemon on all of our servers -- many of
them lightweight VMs -- is likely out of the question; we're time
constrained as-is. (My DNS servers are on a trusted network; if they're
in our network we have a whole host of different problems. If they're on
the server itself nothing can be trusted; they'd just hijack the network
stack anyway.)
Anyway, this is just my two cents; the idea is noble and
well-intentioned but I don't think it will gain traction. Security is
always an uphill battle. :-( I'm honestly more worried about BGP route
hijacking / MiTM than DNS MiTM attacks. I appreciate your thoughts and
insight, though.
More information about the freebsd-stable
mailing list