
discuss - Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia

  • From: "Niels Dettenbach (Syndicat IT&Internet)" <nd AT syndicat.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Thu, 03 May 2012 22:24:03 +0200




Alex <coyo AT darkdna.net> wrote:

>> As a first starting point for security interested T1/T2 owners, we could
>> really try to have a "Secure OpenNIC Configuration" Wiki page where
>> detailed step-by-step instructions are given to secure your BIND
>> nameserver. What do you think?
>>
>Sounds like an excellent idea.

The main points of BIND security and setting up a widely secured (full
security is always a non-real status) named are very well documented by
different - more or less official - sources. From my view it makes sense to
point at them by links.

There are just a very few config parameters that are especially fitting for all
T1/T2 operators which could be wikied, but the most important stuff comes
from elsewhere.

A major point of security is to have many different installations - differing
by OS, distribution and network around. To work on just one security concept
for all would be counterproductive.

I.e. most openNIC docs are related to Ubuntu or CentOS and all Linuxes. If
all or most operators use the same transparently documented config on the same
operating system this could be a very good source for potential attackers as
they know the target systems. So difference is very important here as
elsewhere in the DNS.

If you add a detailed, fixed emergency plan this would be a further source for
attackers as these are by principle incomplete.


>> Alex #1 really has good points on what might happen. We could try to
>> work out an Emergency/Disaster Plan for server owners that they can read
>> through, if someone really does bad.

This is not really possible except for some minor tips especially for openNIC
infrastructure. To run a halfway secure public DNS, DNS and bind (or other dns
service software) knowledge is a must. OpenNIC would destroy reliability if
it targets low level, non-skilled DNS operators as no DNS server often is
just/still better than a wrong one ß)

The only thing you truly can tell someone with a corrupted or unstable
attacked DNS is to shut it down / take it away from openNIC as long as the
situation is not solved clearly.


just my two cents here,


Niels.
- --
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com



