First, don't allow BIND to run as root, says William Cox, an IT administrator at Thaumaturgix Inc., an IT services firm in New York. "The best way to limit your exposure is to run the server in a 'chrooted' environment," he says. "Chroot is a specific Unix command that limits a program to only a certain portion of the file system."
Second, Cox recommends breaking up DNS server farms to protect against getting knocked off the Web the way Microsoft and Yahoo were two weeks ago. He suggests keeping internal IP addresses on internal DNS servers that aren't open to Web traffic and spreading Internet-facing DNS servers around to different branch offices.
Still others are looking at Internet naming alternatives. One that's gaining popularity is named djbdns (cr.yp.to/djbdns.html), after Daniel Bernstein, author of Qmail, a more secure form of Sendmail, says Elias Levy, chief technology officer at SecurityFocus.com, a San Mateo, Calif.-based Internet services company and list server for Bugtraq security alerts.
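Cox's first recommendation (a non-root, chrooted named) is something an administrator can audit on a live host. The script below is an added example, not from the article or from BIND itself; it assumes a Linux /proc filesystem and that named was started with BIND's `-u` (user) and `-t` (chroot directory) options when hardened.

```shell
#!/bin/sh
# Added example: audit running named processes for two hardening points,
# running as a non-root user and being confined with chroot.
# Assumes Linux /proc; the verdict logic is kept in a pure function so it
# can be exercised without a live BIND process.

# assess_named UID ROOT
# Prints one line per check; returns 0 only if named is non-root AND chrooted.
assess_named() {
    uid="$1"
    root="$2"
    status=0
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: named runs as root (uid 0); start it with -u <user>"
        status=1
    else
        echo "ok: named runs as uid $uid"
    fi
    if [ "$root" = "/" ]; then
        echo "FAIL: named is not chrooted; start it with -t <jail dir>"
        status=1
    else
        echo "ok: named is confined to $root"
    fi
    return $status
}

# check_named_pid PID
# Reads the effective uid and root directory of a live process from /proc
# and hands them to assess_named.
check_named_pid() {
    pid="$1"
    # The Uid: line of /proc/PID/status lists real, effective, saved and fs uids.
    euid=$(awk '/^Uid:/ {print $3}' "/proc/$pid/status") || return 2
    # /proc/PID/root resolves to the process's root directory; "/" means no chroot.
    root=$(readlink "/proc/$pid/root") || return 2
    assess_named "$euid" "$root"
}

# check_all_named
# Audits every named process found, or reports that none is running.
check_all_named() {
    found=0
    for pid in $(pgrep -x named 2>/dev/null); do
        found=1
        echo "named pid $pid:"
        check_named_pid "$pid"
    done
    [ "$found" -eq 1 ] || echo "no named process found"
}
```

Run `check_all_named` as root (reading another user's /proc/PID/root requires it); a properly hardened server prints two "ok" lines per named process.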
Diagnosis: Trojan Horse
Speaking of Bugtraq and the pervasive threat posed by vulnerabilities, Bugtraq issued a utility on Feb. 1 to its 37,000 subscribers, which was supposed to determine whether machines are vulnerable to the BIND buffer overflow. The program was delivered to Bugtraq via an anonymous source. It was checked by the Bugtraq technical team, then cross-checked by Santa Clara, Calif.-based Network Associates.
Turns out the program's binary shell was really a Trojan horse. Each time this diagnostic program was installed on a test machine, it sent denial-of-service packets to Network Associates, taking some of the security vendor's servers off the Net for as long as 90 minutes.
Oh, what a tangled Web we weave.