[dns-operations] Best Practices in DNS security

Geo. geoincidents at nls.net
Fri Mar 17 18:35:31 UTC 2006

> as much as I resent seeing djb-ware in a message with the phrase
> 'Best Practices' in the subject line, I am open to reasons why this
> is a better idea than simply having two different correctly
> configured BIND 9 instances listening on two different interfaces of
> the same machine.

Because there are an awful lot of Windows servers out there running MSdns
and you can't run 2 instances of it on one machine. Not everyone runs bind.

If you are going to come up with a workable solution then it pretty much
needs to work for just about everyone. You can't have half the internet
saying no it doesn't work.

I've been trying to find a good solution for this for us but this whole
"lock down your recursive servers" thing is just a nightmare for most
smaller ISPs. There are problems other than just the number of dns servers
ISPs run.

For example we have our own IP block but we also have a leased nationwide
dialup service so customers can travel. So when a customer travels and the
local dns server (which I don't control) for that national node can't
resolve just one domain I fix that by setting them to use our recursive
servers since I do control them. (I can't flush the cache on someone else's dns
server even though it affects my customer.)

Not having that capability will cause a tremendous headache as will dealing
with all the customers who aren't using dynamic assignment of their dns
servers. But nobody working on the fix ever considers how much of a headache
this stuff is going to cause because well it's the solution for their

Heck, just look at the problems blocking outbound smtp has caused and is
STILL causing today. Now we're going to open up another can of worms like
that for dns?
