[dns-operations] Best Practices in DNS security
David Ulevitch
davidu at everydns.net
Fri Mar 17 19:37:42 UTC 2006
On Mar 17, 2006, at 9:33 AM, Matt Ghali wrote:
> On Fri, 17 Mar 2006, Peter Dambier wrote:
>
>> Best source I can imagine:
>>
>> http://cr.yp.to/djbdns.html
>>
>> I don't want to propose you install djbdns but then you would split
>> authority and resolver on different ip addresses favourably on different
>> machines. It does make sense to use virtual machines. Seen from an
>> intruder they are still separate machines.
>
> as much as I resent seeing djb-ware in a message with the phrase
> 'Best Practices' in the subject line, I am open to reasons why this
> is a better idea than simply having two different correctly
> configured BIND 9 instances listening on two different interfaces of
> the same machine.
I don't know what Peter means, but personally I think two daemons is
more than sufficient.
Two machines is not that much more secure and more overhead/management/etc... :-)
-david
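
Added example, not part of the original thread: a sketch of the "two BIND 9 instances on two interfaces of the same machine" layout discussed above, with one authoritative-only and one recursive-only daemon. The file paths, addresses (192.0.2.53, 192.0.2.54, 10.0.0.0/8), control ports and the zone name are constructed for illustration.

```conf
// ---- /etc/named-auth.conf: authoritative-only instance (path is an assumption) ----
options {
    directory "/var/named/auth";
    pid-file "/var/run/named-auth.pid";
    listen-on { 192.0.2.53; };      // constructed address, public-facing
    listen-on-v6 { none; };
    recursion no;                   // never resolve on behalf of clients
    allow-query { any; };           // anyone may ask about our own zones
    allow-transfer { none; };       // open per zone for real secondaries only
};
// Separate rndc channel so each daemon is controlled independently.
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; }; };

zone "example.com" {                // constructed zone name
    type master;
    file "example.com.zone";
};

// ---- /etc/named-resolver.conf: recursive-only instance (path is an assumption) ----
acl clients { 10.0.0.0/8; };        // constructed internal client network
options {
    directory "/var/named/resolver";
    pid-file "/var/run/named-resolver.pid";
    listen-on { 192.0.2.54; };      // constructed address, internal-facing
    listen-on-v6 { none; };
    recursion yes;
    allow-query { clients; };       // refuse queries from everyone else
    allow-recursion { clients; };
    allow-transfer { none; };
};
controls { inet 127.0.0.1 port 954 allow { 127.0.0.1; }; };
// No zone statements: this instance holds no authoritative data, so a
// poisoned cache here cannot alter what the authoritative daemon serves.
```

Each daemon is started against its own file with named -c, and the -u option lets the two run under different unprivileged accounts so they cannot write each other's data.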