[KLUG Members] DNS question

Adam Williams members@kalamazoolinux.org
20 Jan 2002 16:19:01 -0500


>>We are getting ready to build a new machine with linux and a
>>newer version of dns. We are currently using 4.9.7 I believe and
>>we want to go to 8.x or 9.x.
>>Which version do you think is the best and has most of the
>>security bugs worked out.
>4.x is known to be riddled with security holes and denial of service
>holes.  8.x's reputation is not much better.

Late 8.x is not a terrible package,  but you're right, it certainly
isn't perfect.  4.x and early 8.x are BAD BAD BAD

>9.x's reputation is great, no known problems.  This is because they
>do not release its source code except to a high-paying cabal, so
>whatever security holes it has, only the black-hats know about them.
>If you prefer the danger you don't know to the one you do, then 9.x
>is for you.

Yes,  the license for 9.x is disturbing.
 
>On the other hand, there's djbdns, a completely open-source DNS
>server which offers a cash reward for anyone who can find a security
>hole in it.  Nobody's claimed it.  I've been running it on OpenBSD
>for the last year and it works great.

I'm interested in an alternative to bind,  mostly because bind seems to
enjoy making simple things hard by couching them in bizarre and
completely non-intuitive configuration.

I'm concerned about adopting a DNS that doesn't have a large-ish
development team, as migrating from one DNS package to another is a
pain.

>I can't personally vouch for how well it scales, since I just use it
>for everyday use on my home LAN.  But the author claims it handles
>huge loads comparable to BIND 8.x or 9.x without exhibiting the same
>lockups and crashes, and I haven't seen anyone refute that claim.

I admin a pretty busy BIND 8.x, and for me it has been rock solid.  Some
grumbling messages in logs about duplicate notifications which I have
simply never been able to get rid of.  But other than that no problems,
and performance is very good (PPro 200, 64Mb, SCSI, 5 domains, ~200 busy
little clients).

For internal DNS I think BIND 8.x is perfectly adequate.  For real-world
DNS, leave the DNS up to your ISP whenever possible.  Make it their
problem.  Internal and external hosts should never share the same DNS
servers.

>http://www.djbdns.org/
>or http://cr.yp.to/djbdns/ which ironically does not seem to be
>resolving at the moment.  I wonder if there's trouble in the .to
>TLD.

There is also -

A DNS server written in Java (Why????) that actually looks very
interesting,  but unfortunately is written in Java (Oh, I mentioned
that) and has a broken download link.
http://customdns.sourceforge.net

A bind wannabe, been in stasis on sourceforge since 1999:
http://sourceforge.net/projects/dents/

A DNS server that uses an SQL backend.  The author somehow thinks this
equals "scalable",  I think it means he needs a CAT scan for some kind
of golf ball sized lump in his frontal lobe.
http://freshmeat.net/projects/dnsql/

An alpha and stalled cross platform DNS server
http://posadis.sourceforge.net/whatis.php

A *PUBLIC DOMAIN* (not even GPLd) DNS server that actually seems to be
under development again.
http://www.maradns.org/

[...]
> Second, how much money do I get from ISC if I look at the BIND 9 code
> and find, for example, a bug letting attackers take over the server?

BIND, as default, no longer runs as root so I think some of the early
horror stories would be much harder to duplicate.  But I'd wager DOS is
still possible.
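The point about BIND no longer running as root is something an administrator can verify on any of the servers discussed above. The following is an added example, not code from the thread or from any of the projects it names: a small POSIX shell check that reads `ps -eo user=,comm=` style lines and flags known DNS daemons (assumed process names: `named` for BIND, `dnscache`/`tinydns` for djbdns, `maradns`) whose owner is root.

```sh
#!/bin/sh
# Added example: report DNS daemons running as root.
# Input is "user command" lines as produced by `ps -eo user=,comm=`.
# Assumed daemon names: named (BIND), dnscache/tinydns (djbdns), maradns.
# For BIND the fix is `named -u <user>`; djbdns sets the user in its run script.

dns_root_check() {
    # Reads ps lines from stdin; prints a warning per root-owned DNS daemon.
    # Exit status: 1 if any DNS daemon runs as root, 0 otherwise.
    awk '
        $2 ~ /^(named|dnscache|tinydns|maradns)$/ && $1 == "root" {
            print "WARNING: " $2 " is running as root"
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ps -eo user=,comm=` output for demonstration only.
sample_ps='root     init
named    named
root     tinydns
nobody   dnscache'

# Live usage on a real host (not run here):
#   ps -eo user=,comm= | dns_root_check
```

Against the constructed sample the check reports only `tinydns`, since `named` and `dnscache` are owned by unprivileged accounts.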