[vox-tech] DNS and security

ME dugan at passwall.com
Wed Aug 17 00:51:58 PDT 2005


Cylar Z said:
> Hey all,
>
> I'm a fairly new Linux admin, running Fedora Core from
> Redhat.  Two questions:
>
> 1. Outgoing DNS isn't working properly on my server.
> The box will respond properly to incoming http
> requests (and even allowed me to host 2 virtual
> domains, which also respond properly). However, it
> does NOT surf the web from the console or ping by
> domain name. It WILL ping by IP so I know the issue is
> DNS and not my actual connection per se. How do I put
> in the DNS info in Fedora Core?
> I tried logging on as
> root, typing "setup" and entering the IP's in the
> designated spaces, but no luck. Is there another way?

Edit the file /etc/resolv.conf and add your nameservers there.
e.g.:
search yourdomain.example.com
nameserver IP.ADDRESS.WITH.NUMBERS
nameserver IP.ADDRESS.WITH.NUMBERS
nameserver IP.ADDRESS.WITH.NUMBERS

Repeat the nameserver line for as many as you have.

What is more likely the problem? You may have selected a
filtering/firewall policy that is so restrictive as to disallow incoming
port 53 UDP requests, or responses from your DNS.

> 2. In the interest of system security, I want to run
> the absolute minimum number of daemons/services. Which
> ones do I really, really need? So far I've established
> that I need httpd, sshd, sendmail, xinetd, and
> possibly cron. Are there any others that are suggested
> that I be running? This server responds to web
> requests and lets me SSH in remotely. (I don't use
> Telnet.) That's about all it needs to do.

I do not use FC, but those seem OK.

Why do you need xinetd?

crond should not be network enabled, so its risk is mostly one of local
violations if security holes are found with it. Also, cron is expected to
be there for many distro-specific tasks and updates, like mandb, and
updatedb, log rotate, etc.

SSH v1 is not happy. Make sure your ssh server enforces sshv2 only.

> Also, is FTP a security risk, or is it safe to leave
> this port open?

FTP and telnet suffer from plain-text authentication, and being sniffed on
the wire with credential theft. If your ftp is just anonymous, who cares
about credential theft?
FTP is another service, and if you do not need it, why enable it?

As for DNS Security, Dan Kaminsky has published a few papers and tools for
allowing information leakage through DNS by users on a network that allows
DNS lookups by users. Some of the ideas are amusing. There is a
theoretical method to defeat many of them, but nothing written AFAIK.

Not likely to be a problem with a web-server-only system; it is only
mentioned here because of the topic.

-ME
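
The three checks raised in this reply (nameserver lines in resolv.conf, sshd pinned to protocol 2, and services enabled beyond a short allowlist) can be scripted as below. This is an added example, not part of the original post: the function names, the sample files and the allowlist are constructed for illustration, and it assumes an OpenSSH old enough to still read the Protocol directive and `chkconfig --list` style output.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the
# checks can be run against copies of the real files.

# Print the nameserver addresses found in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Succeed only if the first active Protocol directive is exactly "2".
# "2,1", "1" or a missing directive all fail, so the setting must be explicit.
sshd_v2_only() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ "$proto" = "2" ]
}

# Read `chkconfig --list` style output on stdin; print services that are on
# in runlevel $1 but missing from the space-separated allowlist $2.
unexpected_services() {
    awk -v rl="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { for (i = 2; i <= NF; i++)
              if ($i == (rl ":on") && !($1 in ok)) print $1 }'
}

# Constructed sample data (192.0.2.x is a documentation address range).
demo() {
    d=$(mktemp -d) || return 1
    printf 'search yourdomain.example.com\nnameserver 192.0.2.53\n# nameserver 192.0.2.99\nnameserver 192.0.2.54\n' > "$d/resolv.conf"
    printf '#Protocol 2,1\nProtocol 2\n' > "$d/sshd_good"
    printf 'Port 22\nProtocol 2,1\n' > "$d/sshd_bad"
    printf '%s\n' \
        'httpd     0:off 1:off 2:on 3:on 4:on 5:on 6:off' \
        'sshd      0:off 1:off 2:on 3:on 4:on 5:on 6:off' \
        'portmap   0:off 1:off 2:off 3:on 4:on 5:on 6:off' \
        'cups      0:off 1:off 2:on 3:on 4:on 5:on 6:off' \
        'nfs       0:off 1:off 2:off 3:off 4:off 5:off 6:off' > "$d/chkconfig.txt"
    echo "nameservers: $(list_nameservers "$d/resolv.conf" | tr '\n' ' ')"
    for f in sshd_good sshd_bad; do
        if sshd_v2_only "$d/$f"; then echo "$f: v2 only"; else echo "$f: allows v1 or unset"; fi
    done
    echo "unexpected in runlevel 3: $(unexpected_services 3 'httpd sshd sendmail crond' < "$d/chkconfig.txt" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

On a live system the last function would be fed with `chkconfig --list` on stdin and the box's default runlevel as the first argument.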


