[dns-operations] Best Practices in DNS security

David Ulevitch davidu at everydns.net
Fri Mar 17 19:37:42 UTC 2006


On Mar 17, 2006, at 9:33 AM, Matt Ghali wrote:

> On Fri, 17 Mar 2006, Peter Dambier wrote:
>
>> Best source I can imgine:
>>
>> http://cr.yp.to/djbdns.html
>>
>> I dont want to propose you install djbdns but then you would split
>> authority and resolver on different ip addresses fafourably on  
>> different
>> machines. I does make sense to use virtual machines. Seen from an
>> intruder they are still separate machines.
>
> as much as I resent seeing djb-ware in a message with the phrase
> 'Best Practices' in the subject line, I am open to reasons why this
> is a better idea than simply having two different correctly
> configured BIND 9 instances listening on two different interfaces of
> the same machine.

I don't know what Peter means, but personally I think two daemons is  
more than sufficient.

Two machines is not that much more secure and more overhead/ 
management/etc... :-)

-david




More information about the dns-operations mailing list