[dns-operations] Best Practices in DNS security

Matt Ghali matt at snark.net
Fri Mar 17 17:33:15 UTC 2006

On Fri, 17 Mar 2006, Peter Dambier wrote:

> Best source I can imgine:
> http://cr.yp.to/djbdns.html
> I dont want to propose you install djbdns but then you would split
> authority and resolver on different ip addresses fafourably on different
> machines. I does make sense to use virtual machines. Seen from an
> intruder they are still separate machines.

as much as I resent seeing djb-ware in a message with the phrase 
'Best Practices' in the subject line, I am open to reasons why this 
is a better idea than simply having two different correctly 
configured BIND 9 instances listening on two different interfaces of 
the same machine.

if there actually is value in figuring out the twisty path of 
djb-ware's myriad of random third party patches, bizzare filesystem 
paths, and microcosm of itty bitty codelets, i'm all ears.

otherwise, i'd be inclined to suggest that its much easier (based on 
available documentation and howtos) to simply have BIND 9 do the 
same thing.


--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke

More information about the dns-operations mailing list