1998-01-09 11:03:16 +03:00
|
|
|
.\" $NetBSD: ns.me,v 1.2 1998/01/09 08:09:50 perry Exp $
|
|
|
|
.\"
|
1997-04-13 13:06:10 +04:00
|
|
|
.\" Copyright (c) 1986, 1988
|
|
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
|
|
.\" must display the following acknowledgement:
|
|
|
|
.\" This product includes software developed by the University of
|
|
|
|
.\" California, Berkeley and its contributors.
|
|
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\" -
|
|
|
|
.\" Portions Copyright (c) 1993 by Digital Equipment Corporation.
|
|
|
|
.\"
|
|
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
|
|
.\" copyright notice and this permission notice appear in all copies, and that
|
|
|
|
.\" the name of Digital Equipment Corporation not be used in advertising or
|
|
|
|
.\" publicity pertaining to distribution of the document or software without
|
|
|
|
.\" specific, written prior permission.
|
|
|
|
.\"
|
|
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
|
|
|
|
.\" WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
|
|
|
|
.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
|
|
|
|
.\" CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
|
|
|
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
|
|
|
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
|
|
|
.\" SOFTWARE.
|
|
|
|
.\"
|
|
|
|
.\" @(#)ns.me 6.3 (Berkeley) 9/19/89
|
|
|
|
.\"
|
|
|
|
.sh 1 "The Name Service"
|
|
|
|
.pp
|
|
|
|
The basic function of the name server is to provide information about network
|
|
|
|
objects by answering queries. The specifications for this name server are
|
|
|
|
defined in RFC1034, RFC1035 and RFC974. These documents can be found in
|
|
|
|
\fI/usr/src/etc/named/doc\fP in 4.3BSD or \fIftp\fPed from
|
|
|
|
\fBftp.rs.internic.net\fP.
|
|
|
|
It is also recommended that you read the related manual pages,
|
|
|
|
\fInamed\fP\|(8),
|
|
|
|
\fIresolver\fP\|(3),
|
|
|
|
and \fIresolver\fP\|(5).
|
|
|
|
.pp
|
|
|
|
The advantage of using a name server over the host table lookup for host
|
|
|
|
name resolution is to avoid the need for a single centralized clearinghouse
|
|
|
|
for all names. The authority for this information can be delegated to the
|
|
|
|
different organizations on the network responsible for it.
|
|
|
|
.pp
|
|
|
|
The host table lookup routines require that the master file for the entire
|
|
|
|
network be maintained at a central location by a few people. This works
|
|
|
|
fine for small networks where there are only a few machines and the
|
|
|
|
different organizations responsible for them cooperate. But this does not
|
|
|
|
work well for large networks where machines cross organizational boundaries.
|
|
|
|
.pp
|
|
|
|
With the name server, the network can be broken into a hierarchy of domains.
|
|
|
|
The name space is organized as a tree according to organizational or
|
|
|
|
administrative boundaries.
|
|
|
|
Each node, called a \fIdomain\fP, is given a label, and the name of the
|
|
|
|
domain is the concatenation of all the labels of the domains from
|
|
|
|
the root to the current domain, listed from right to left separated by dots.
|
|
|
|
A label need only be unique within its domain.
|
|
|
|
The whole space is partitioned into several areas called \fIzones\fP,
|
|
|
|
each starting at a domain and extending down to the leaf domains or to
|
|
|
|
domains where other zones start.
|
|
|
|
Zones usually represent administrative boundaries.
|
|
|
|
An example of a host address for a host at the University of California,
|
|
|
|
Berkeley would look as follows:
|
|
|
|
.(b
|
|
|
|
\fImonet\fP\|\fB.\fP\|\fIBerkeley\fP\|\fB.\fP\|\fIEDU\fP
|
|
|
|
.)b
|
|
|
|
The top level domain for educational organizations is EDU;
|
|
|
|
Berkeley is a subdomain of EDU and monet is the name of the host.
|
|
|
|
.sh 1 Security
|
|
|
|
.pp
|
|
|
|
This section examines some of the know security implications of various
|
|
|
|
versions of BIND. Some of these have been used to attack the nameservers
|
|
|
|
in the past.
|
|
|
|
.sh 2 "Unnecessary Glue"
|
|
|
|
.pp
|
|
|
|
Unnecessary glue can lead to incorrect records being loaded into the
|
|
|
|
server. This can result in connections going to the wrong machines.
|
|
|
|
.pp
|
|
|
|
To prevent unnecessary glue being loaded, all the servers of zones being
|
|
|
|
servered by a server and the servers of the parent zones need to be
|
|
|
|
upgraded to BIND 4.9.3 or later.
|
|
|
|
.sh 2 "Insertion of data into a zone that is being servered"
|
|
|
|
.pp
|
|
|
|
BIND versions prior to BIND 4.9.2 are subject to the insertion of
|
|
|
|
resource records into zone that they are serving.
|
|
|
|
.sh 2 "Denial of Service: Hash Bug Exploit"
|
|
|
|
.pp
|
|
|
|
September 1996 saw the COM TLD subject to a denial of service attack by
|
|
|
|
injecting into the DNS a record with a final label of COM, eight spaces
|
|
|
|
and COM. This effected BIND 4.9.4 servers. Similar attacks are possible
|
|
|
|
on BIND 4.9.3 and BIND 4.9.3-P1.
|
|
|
|
.pp
|
|
|
|
It is recommend that you run a BIND 4.9.4-P1 or later server to avoid
|
|
|
|
this exploit.
|
|
|
|
.sh 2 "Denial of Service: TTL Inconsistency Attacks"
|
|
|
|
.pp
|
|
|
|
If you are still using multiple TTL values within a RRset you can be
|
|
|
|
subject to a denial of service attack. BIND 4.9.5 onwards uses multiple
|
|
|
|
ttl values within a RRset to reject obviously bad RRset.
|
|
|
|
.pp
|
|
|
|
It is recommend that you upgrade to BIND 4.9.5 or later as these server
|
|
|
|
prevent you loading multiple TTL values and doesn't merge answers received
|
|
|
|
across the network.
|