[dns-operations] Best Practices in DNS security

Peter Dambier peter at peter-dambier.de
Fri Mar 17 23:10:32 UTC 2006

Matt Ghali wrote:
> On Fri, 17 Mar 2006, Geo. wrote:
>>Because there are an awful lot of Windows servers out there running MSdns
>>and you can't run 2 instances of it on one machine. Not everyone runs bind.
>>If you are going to come up with a workable solution then it pretty much
>>needs to work for just about everyone. You can't have half the internet
>>saying no it doesn't work.
> I apologize for not coming up with a workable solution for people 
> who insist on using unworkable operating systems.
> Peter was recommending djbdns in lieu of BIND; I'd hazard a guess 
> that the platforms they both work on are a remarkably similar set- 
> and that they both probably include MS Windows. Where was the 
> problem here?

Just for curiosity, even Windows can. I am running a laptop with
Windows e(XP)erimental and CoLinux. Both the CoLinux and the Windows can
use more than one IP address. Both the Windows and the CoLinux can run
Bind 9. Bind 9 and djbdns (both tinydns and dnscache) do coexist nicely
on the CoLinux, running simultaneously.

No, I don't recommend you run two CoLinuxes as your host for two Bind 9s :)
No, it is not a good idea to use either the Bind 9 or the djbdns from
the CoLinux as nameserver for the Windows. The bridge device sharing the
interface between the Windows and the CoLinux cannot take it.

But you could. I am sure there exist better ways to run two incarnations
of Bind 9 on Windows. I am sure most of us will agree that there exist
more secure operating systems than Windows, and with better performance
for the server too.

I guess much of the heck around Windows will die when OS X becomes
an established operating system on the PC. It does run both Bind 9 and

There is a saying that MSdns is the only nameserver that will happily
cache used horseshoes thrown at it. All you have to do is wrap the
horseshoe in a NetBIOS packet. I don't remember the URL, but I guess
it was on www.ccc.de and the text was in English. It was about DNS spoofing.

Apropos, we don't have enough different DNS servers. Bind is close to a
monopoly. djbdns can do everything by fly or read the manual. I think
it is good for experimenting and for developing your own nameserver, but
it is not meant for production. Nevertheless there exist other
nameservers, or do you think ".com" is running on Bind?

Peter and Karin

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
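The coexistence Peter describes above works because each daemon is pinned to its own address, so all of them can own port 53 on the same host. The configuration below is an added example, not something from the post or from either project's documentation; the file path and the 192.0.2.x addresses are assumptions, chosen from the TEST-NET-1 range.

```conf
// /etc/named.conf (assumed path): an authoritative BIND 9 instance pinned
// to one address, leaving the host's other addresses free for djbdns.
options {
    directory "/var/named";

    // Listen only on 192.0.2.10 (assumed address). Without an explicit
    // listen-on, named binds every address and tinydns/dnscache on the
    // same host would fail with "address already in use".
    listen-on port 53 { 192.0.2.10; };
    listen-on-v6 { none; };

    // Keep the authoritative instance from recursing; dnscache on its own
    // address handles resolution for local clients.
    recursion no;
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

On the djbdns side the address is given at install time rather than in a config file: `tinydns-conf tinydns dnslog /etc/tinydns 192.0.2.11` and `dnscache-conf dnscache dnslog /etc/dnscache 192.0.2.12` (addresses assumed) write it into the service's `env/IP`. After starting all three, `ss -lunp 'sport = :53'` (or `netstat -anup | grep ':53 '` on older systems) should show each daemon bound to a different address; a `0.0.0.0:53` entry means one of them is still grabbing every interface and the others will not start.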
