[dns-operations] Best Practices in DNS security

Peter Dambier peter at peter-dambier.de
Fri Mar 17 19:01:27 UTC 2006

Matt Ghali wrote:
> On Fri, 17 Mar 2006, Peter Dambier wrote:
>> Best source I can imagine:
>> http://cr.yp.to/djbdns.html
>> I don't want to propose you install djbdns but then you would split
>> authority and resolver on different ip addresses favourably on different
>> machines. It does make sense to use virtual machines. Seen from an
>> intruder they are still separate machines.
> as much as I resent seeing djb-ware in a message with the phrase 'Best 
> Practices' in the subject line, I am open to reasons why this is a 
> better idea than simply having two different correctly configured BIND 9 
> instances listening on two different interfaces of the same machine.

It is not the software I am thinking about, it is Bernstein's criticism of
DNS and Bind. We can learn a lot from him. Splitting authoritative server
and resolver was his idea.

> if there actually is value in figuring out the twisty path of djb-ware's 
> myriad of random third party patches, bizarre filesystem paths, and 
> microcosm of itty bitty codelets, i'm all ears.

You are right. It was a mess getting all the pieces together and making
them work. I can still see dnscache (the djbdns resolver) different from
bind. It helped me debug zone files that only sporadically showed
problems with bind but never worked with dnscache.

It is good for learning, studying and debugging. You might still use
bind for the real thing.

> otherwise, i'd be inclined to suggest that it's much easier (based on 
> available documentation and howtos) to simply have BIND 9 do the same 
> thing.
>  matto
> --matt at snark.net------------------------------------------<darwin><
>               The only thing necessary for the triumph
>               of evil is for good men to do nothing. - Edmund Burke

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
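
The split discussed in this thread, sketched as two BIND 9 instances on one machine, each bound to its own address. This is an added example, not configuration from either poster; the addresses (documentation ranges), file paths and zone name are constructed placeholders.

```conf
// Added example; addresses, paths and the zone name are constructed placeholders.
// Start each instance with its own file: named -c <file>

// ---- /etc/named-auth.conf : authoritative only, on 192.0.2.53 ----
options {
    directory "/var/named/auth";
    pid-file "/var/run/named-auth.pid";
    listen-on { 192.0.2.53; };       // bind to the authoritative address only
    listen-on-v6 { none; };
    recursion no;                    // never resolve on behalf of clients
    allow-query { any; };            // anyone may ask about the zones served here
    allow-transfer { none; };        // open per zone for real secondaries
};
controls { };                        // no rndc channel, so the instances do not both claim port 953

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- /etc/named-cache.conf : resolver only, on 192.0.2.54 ----
acl "clients" { localhost; 198.51.100.0/24; };   // who may use the resolver

options {
    directory "/var/named/cache";
    pid-file "/var/run/named-cache.pid";
    listen-on { 192.0.2.54; };       // bind to the resolver address only
    listen-on-v6 { none; };
    recursion yes;
    allow-query { "clients"; };      // refuse everyone else outright
    allow-recursion { "clients"; };
    query-source address 192.0.2.54; // outbound queries leave from the resolver address
};
controls { };

// No zones are defined here: this instance holds no authoritative data
// and relies on BIND's built-in root hints.
```

A query with recursion desired sent to 192.0.2.53 should come back without the RA flag, and 192.0.2.54 should refuse queries from outside the "clients" ACL.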
