Securing Your DNS Server

At our March 2002 meeting, Cricket Liu of Men & Mice talked about security problems with various DNS implementations, including BIND and an un-named implementation still deployed and with security problems. He outlined how cache poisoning works, and how DNS servers can be lured into participating in denial-of-service attacks.

After discussing ISC's matrix of common BIND security flaws and drawing the conclusion that running the most recent version of Bind 8 (8.3.1 or 8.2.5) or Bind 9 (9.2.0) is a good idea, Cricket went on to discuss how to make these servers even more secure. Minimizing the number of services your DNS server provides and filtering incoming and outgoing traffic is a start; having BIND run in a chroot environment as a non-root user is even better.

With a server running in a secure environment, Cricket talked about how to configure BIND itself to reduce the potential for security flaws. For the full details, consult Cricket's presentation slides (pdf 347K).

October 23: Lustre & VirtualBox
Bryon Neitzel will discuss the Lustre File System architecture, and Ginnie Wray will demonstrate how to run the OpenSolaris OS with Sun's VirtualBox virtualization software.

Book Giveaway
We'll be making room for new books on our book cart by giving away some of our old security-related titles at this meeting. Come grab a book!

Web Application Security
The writeup from our last meeting with presentation slides is available in our meeting archive.

Future Meetings
Topics include:
Valgrind
Web GUI Programming