Re: DNS recommendations

From: Jem Berkes (jb_at_users.pc9.org)
Date: 12/14/04


Date: 14 Dec 2004 18:35:58 GMT


>> Bind looks like it will do all we need, but we've heard a number of
>> security concerns with bind.
>
> Bind can run as a user within a chroot jail with no problems. Adding
> some kernel patch like grsecurity to limit what processes can do under
> chroot will give you a fairly good setup to begin with.

While BIND can be locked down to some degree, I am still very suspicious of
the software. I mean, how many remote root holes do you find in software
before you just write it off as poorly designed, broken, hopeless? I don't
know about recent versions, but past versions used tons of resources.

Serving DNS queries is a simple task - it doesn't require local
authentication or privileges. It really amazes me how this DNS server,
BIND, has been such a network security problem historically.

I have tried djbdns in the past, and think it's a well written piece of
software. However, its installation style didn't agree with me at all. But
if I really had to set up a DNS server, I would still go with djbdns over
BIND. At the moment I only serve DNS for spam block list queries, which is
much easier than full-fledged DNS.

-- 
Jem Berkes
Windows, UNIX software and system design
http://www.pc-tools.net/