BIND recursive resolver exploit?

Rick Moen rick at linuxmafia.com
Fri Aug 1 17:37:50 PDT 2008


I wrote:

> The obvious way to protect resolver libraries against even that much of
> a threat is to have /etc/resolv.conf point to a _local_
> recursive-resolver nameserver via 127.0.0.1, and ensure that the
> nameserver software package is one that randomises _its_ source ports
> for recursive-resolver queries:  BIND9's July 8th "P1" patches, djb's
> dnscache, PowerDNS Recursor, MaraDNS, or Unbound.

After re-researching this matter for the impending August issue of 
_Linux Gazette_, I still ended up with that same list, and detailed
them briefly in a sidebar as follows:

o  BIND9:  The only one yr. humble servant has used extensively.
   Maddeningly slow, bloated, overfeatured monolithic binary (optionally
   doing all other conceivable types of nameservice, as well).  Cryptic
   and brittle (but "standard", for better or worse) configuration and
   zonefile formats.

o  Unbound:  By design, excellent in all areas where BIND9 is
   lackluster.  The only obvious problem is that it's brand-new -- 
   which, in security-sensitive code, is a point of concern.

o  PowerDNS Recursor:  Dedicated recursor component (newly made
   available separately) of the respected do-it-all PowerDNS package.
   Probably requires a SQL database for back-end storage.  Fast.  
   PowerDNS as a whole -- but I'm not sure how much of this applies 
   to the separately packaged recursor -- is somewhat bloated, has an 
   over-large tree of required libraries and other dependencies, and 
   has a fair (but not stellar) reputation for security.

o  dnscache:  Dan Bernstein's caching recursive-resolver, part of the 
   djbdns suite, and the first to randomise source ports as a security 
   precaution.  Eccentric style of coding and operation.  (Let me just 
   leave it at that.)  Unsurpassed security history.  Said to be a bit 
   of a challenge to set up, and at present you must immediately patch 
   it to compensate for Dan not having maintained it since 2001.  Has 
   problems resolving some domains (such as Akamai), and in general 
   is by design a bit underfeatured, which accounts in part for
   both its superb security history and its problem areas.

o  MaraDNS:  Lightweight, fast, and well-maintained.  Like BIND9, does
   all conceivable DNS roles, but without the bloat.  Excellent security.
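Two checks a sysadmin would want after following the advice above, written here as an added example rather than anything from Rick's post or from any of the resolver packages he lists: first, that /etc/resolv.conf really does point only at a loopback address, and second, that the local recursor's outbound queries actually vary their UDP source port instead of reusing one port (BIND's old fixed query-source habit) or walking upward one port at a time. The resolv.conf bodies and the tcpdump-style capture lines are constructed samples; the port-verdict thresholds are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample contents of /etc/resolv.conf (not from the post).
GOOD_RESOLV_CONF = """\
# local caching recursor only
nameserver 127.0.0.1
options timeout:2 attempts:2
"""
BAD_RESOLV_CONF = """\
nameserver 192.0.2.53   ; upstream ISP resolver, not under our control
nameserver 127.0.0.1
"""


def nameservers(resolv_conf_text):
    """Return the address on every 'nameserver' line, comments stripped."""
    found = []
    for line in resolv_conf_text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def only_local_resolver(resolv_conf_text):
    """True iff at least one nameserver is listed and all are loopback."""
    addrs = nameservers(resolv_conf_text)
    return bool(addrs) and all(ip_address(a).is_loopback for a in addrs)


# Constructed tcpdump-style lines of the recursor's *outbound* queries, as
# 'tcpdump -n udp dst port 53' would print them.  Only the source port matters.
FIXED_PORT_TRACE = [
    "17:37:50.100 IP 192.0.2.10.53 > 203.0.113.1.53: 1001+ A? example.com. (29)",
    "17:37:50.200 IP 192.0.2.10.53 > 203.0.113.2.53: 1002+ A? example.net. (29)",
    "17:37:50.300 IP 192.0.2.10.53 > 203.0.113.3.53: 1003+ A? example.org. (29)",
]
SEQUENTIAL_TRACE = [
    "17:38:01.100 IP 192.0.2.10.32768 > 203.0.113.1.53: 2001+ A? example.com. (29)",
    "17:38:01.200 IP 192.0.2.10.32769 > 203.0.113.2.53: 2002+ A? example.net. (29)",
    "17:38:01.300 IP 192.0.2.10.32770 > 203.0.113.3.53: 2003+ A? example.org. (29)",
    "17:38:01.400 IP 192.0.2.10.32771 > 203.0.113.4.53: 2004+ A? example.edu. (29)",
]
RANDOM_TRACE = [
    "17:39:10.100 IP 192.0.2.10.53012 > 203.0.113.1.53: 3001+ A? example.com. (29)",
    # a reply coming back; must be ignored since its destination port is not 53
    "17:39:10.150 IP 203.0.113.1.53 > 192.0.2.10.53012: 3001 1/0/0 A 203.0.113.9 (45)",
    "17:39:10.200 IP 192.0.2.10.1055 > 203.0.113.2.53: 3002+ A? example.net. (29)",
    "17:39:10.300 IP 192.0.2.10.44387 > 203.0.113.3.53: 3003+ A? example.org. (29)",
    "17:39:10.400 IP 192.0.2.10.29671 > 203.0.113.4.53: 3004+ A? example.edu. (29)",
    "17:39:10.500 IP 192.0.2.10.60112 > 203.0.113.5.53: 3005+ A? example.com. (29)",
    "17:39:10.600 IP 192.0.2.10.7231 > 203.0.113.6.53: 3006+ A? example.net. (29)",
]

# Matches 'IP <src>.<sport> > <dst>.53: ' and captures the source port.
QUERY_RE = re.compile(r"\bIP \S+\.(\d+) > \S+\.53: ")


def source_ports(tcpdump_lines):
    """Source ports of the outbound port-53 queries in a capture, in order."""
    ports = []
    for line in tcpdump_lines:
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def assess_source_ports(ports):
    """Crude classification of how the recursor picks its query source port."""
    if len(ports) < 2:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"        # one port for everything: attacker need not guess
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if all(d == 1 for d in deltas):
        return "sequential"   # next port is predictable from the last one seen
    if max(ports) - min(ports) < 1024:
        return "narrow"       # varies, but inside a window small enough to brute-force
    return "randomised"


def report():
    """Run both checks over the constructed samples and return the verdicts."""
    return {
        "good_resolv_conf": only_local_resolver(GOOD_RESOLV_CONF),
        "bad_resolv_conf": only_local_resolver(BAD_RESOLV_CONF),
        "fixed": assess_source_ports(source_ports(FIXED_PORT_TRACE)),
        "sequential": assess_source_ports(source_ports(SEQUENTIAL_TRACE)),
        "random": assess_source_ports(source_ports(RANDOM_TRACE)),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

A few packets can only catch the obviously broken cases (one port, or a counter); they cannot prove the port choice is unpredictable, so treat "randomised" as "not visibly broken" rather than a clean bill of health. Capture on the outside of any NAT device the recursor sits behind: a NAT that rewrites source ports can undo the resolver's randomisation, and a capture taken on the inside would never show it.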




More information about the Baylisa mailing list