Bind Software diversity

Simon Waters Simon at wretched.demon.co.uk
Wed Aug 6 22:53:53 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jonathan de Boyne Pollard wrote:
> LV> what is the opinion of the bind community ?
>
> The opinion of "the BIND community" when asked, in essence, "Rather
> than run the very latest version of BIND throughout, should I run
> different, non-BIND, DNS server softwares?" is, I suspect, going to be
> the obvious one.

What, that like economists, there are at least as many views as members,
and possibly more views than that.

> are in fact 194.170.1.6 and 194.170.1.7.  These are also (two of) the
> content DNS servers for "emirates.net.ae.".  (And thus, presumably,
> 194.170.1.99 is the third "public recursive server" that is not listed
> on your organisation's web page.)  Because these are publically
> reachable IP addresses, you are providing resolving proxy DNS service
> to the world.  You thus haven't followed the advice on page 321 of
> _DNS & BIND 4_.

That would be the advice to split authoritative servers from resolvers!?

> Another consequence of this is that anyone on the whole of Internet
> can cause your proxy DNS servers to do work, for which you pay the
> network, storage, and processing costs.  (Remember: Even checking an
> access-control list and dropping a query is work.)

Where the NS addresses are fixed, some ISPs like to leave resolving
servers accessible to the world for when clients plug their laptops into
other people's networks, so they don't have to change DNS settings. With
DHCP supplying DNS in most places this is largely irrelevant.

If you must supply this, nothing says the recursive resolvers' IP
addresses have to map to the same resolvers from inside and outside, but
that is getting quite paranoid and messy.

> Rather than concentrating upon software diversity, you should be
> concentrating instead on the fundamentals of your service exposure.

Also the lack of an off-network authoritative server might be worth
reviewing; guess it depends how many off-network services are referred
to in the DNS. But for ISPs someone will always want to add one.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/MYb/GFXfHI9FVgYRAqQIAKCcwhRcY0tulCsBjTFNfZ0GqbTW8gCfVmJl
fneSp5cMYJOBSwKV3+5t4Hg=
=qgF8
-----END PGP SIGNATURE-----
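The exposure problem discussed in this thread (a host that is both a content server for the zone and an open recursive resolver for anyone on the Internet) comes down to configuration, not software diversity. The following named.conf fragment is an added illustration for BIND 9 and is not from the original post or its authors; the address blocks, file names and the zone name example.net are constructed placeholders. The first fragment is the weak shape the thread criticises; the second splits the roles with views so that recursion is only offered to the internal ACL, and the outside world only gets authoritative answers. Because views are used, every zone (including the root hints) has to be declared inside a view.

```conf
// --- Weak: one server, authoritative for the zone AND recursive for the world.
// BIND 9 recurses by default, and with no allow-recursion ACL any client
// that can reach the IP can use it as a resolving proxy.
options {
    directory "/var/named";
    recursion yes;                 // open to every source address
};

zone "example.net" {               // placeholder zone name
    type master;
    file "db.example.net";
};

// --- Hardened: same box, recursion restricted to internal clients only.
// "internal" is a constructed example range, not a real network.
acl "internal" {
    127.0.0.0/8;
    192.0.2.0/24;                  // replace with the ISP's customer prefixes
};

options {
    directory "/var/named";
    // Default-deny for anything a view does not override.
    recursion no;
    allow-recursion { none; };
    allow-transfer { none; };
};

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };

    zone "." {                     // root hints are needed only where recursion happens
        type hint;
        file "named.root";
    };
    zone "example.net" {
        type master;
        file "db.example.net";     // could be a different, fuller file for insiders
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // content service only: no lookups on behalf of strangers
    allow-query { any; };

    zone "example.net" {
        type master;
        file "db.example.net";
        allow-transfer { none; };  // add secondaries' addresses here, not "any"
    };
};
```

A simple check from a host outside the internal ACL: `dig @<server> www.example.com +recurse` should come back REFUSED with no `ra` flag in the header, while a query for a name under example.net is still answered with `aa` set. As the quoted message points out, even the refusal costs a packet's worth of work; the cleaner long-term answer is still to move recursive service to separate, non-advertised addresses that only customers can reach.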
