[dns-operations] Best Practices in DNS security

Paul Vixie paul at vix.com
Sun Mar 19 16:34:11 UTC 2006

# > > Exposing Windows boxes to the internet isn't a smart thing to do.

when i was just a lad, it was believed that any computer exposed to the
internet had to have its operating system purpose-built and then checked
by multiple wizards and then watched very carefully.  in 1989 or so, i
ran "gatekeeper.dec.com" and "decwrl.dec.com" and "clepsydra.dec.com"
when they were the only dec.com hosts out of a pool of a hundred thousand
or so that were allowed to be touched by internet-sourced packets.  these
were UNIX machines and the ops team was the best and brightest available
in the industry at that time.  and we STILL got broken into, as markoff's
book "cypherpunks" explains in detail.

the idea that anyone would connect any computer "to the internet" without
this level of pre-work and detailed planning and operational monitoring,
still sends shivers down my spine.  or that anyone would outsource their
firewall to an appliance or a GUI rather than looking at raw forwarding
rules and understanding the complex interactions.  running without a
firewall isn't much worse than running a firewall you can't understand.

it's not the windows boxes that scare me, it's the people who connect them
to the toxic waste dump known as "the internet" without the faintest clue
about what awaits them there.  windows, mac/os, linux, bsd, it's all the
same to me -- any of them can be made secure, none of them will be secure
out of the box or using any standard feature or non-wizard config knobs.
only wizards are even marginally safe, and even for wizards, margins are slim.

# > Guys, 90% of the computers exposed to the net are windows, so can we drop
# > the attitude and at least TRY to deal with reality for this discussion?
# We are discussing name servers. It is definitely not the case that 90% of
# the *name servers* run Windows.  If we feel that running name servers on
# Windows is a significant problem, we should point out that problem, and
# suggest better platforms.

if someone has an operational requirement such as "Windows AD" that means
they have to run MSDNS for their authority service, and if MSDNS has known
defects when running as a recursive nameserver, and if i'm otherwise right
that all mixed-mode (authority+recursive in same server images) are in
violation of RFC 1035 (in spite of what RFC 1035 says about them), then the
endpoint of the decision tree is buying vmware so you can run multiple
versions of windows on the same box, or buying another box for recursive
nameservice, or adding recursive nameservice to some other box in the
network that would not normally have this function.  i know that BIND9, at
least, runs fine on windows, so there is at least one free high-quality
recursive DNS implementation available, even if you're a windows-only shop.
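To make the split concrete, here is an added example, not part of the original post and not code from ISC or any BIND distribution, showing the mixed-mode layout the post warns against next to the separated layout it recommends, written as BIND9 named.conf fragments. It assumes one authoritative zone, example.com, with its zone file at /etc/bind/db.example.com, and internal clients on 192.0.2.0/24; the zone name, file path and prefix are placeholders, and each of the three fragments is a separate named.conf for a separate named instance (on separate boxes, VMs, or at least separate listening addresses).

```conf
// --- BEFORE: one named instance serving authority and recursion together ---
// (the "mixed-mode" layout; shown only as the weak setting to move away from)
options {
    directory "/var/cache/bind";
    recursion yes;            // recursive service...
    allow-query { any; };     // ...offered to the whole internet...
};
zone "example.com" {          // ...by the same instance that is authoritative
    type master;
    file "/etc/bind/db.example.com";   // placeholder path
};

// --- AFTER, instance 1: authority-only named (reachable from the internet) ---
options {
    directory "/var/cache/bind";
    recursion no;             // never resolve on anyone's behalf
    allow-query { any; };     // anyone may ask about the zones we serve
    allow-transfer { none; }; // list secondaries here explicitly if you have any
    minimal-responses yes;    // smaller answers, less use as an amplifier
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // placeholder path
};

// --- AFTER, instance 2: recursive-only named (reachable from inside only) ---
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { localnets; 192.0.2.0/24; };  // placeholder client prefix
    allow-recursion { localnets; 192.0.2.0/24; };  // same set, stated explicitly
    allow-transfer  { none; };
};
// No authoritative zones here: this instance resolves example.com from the
// root like any other name, so it can never be mistaken for the authority.
```

To check which mode a server is actually in from outside, query it for a name it is not authoritative for: with `recursion no;` BIND9 answers such a query with REFUSED and without the `ra` flag in the header, whereas the mixed-mode instance above answers it for anyone who asks. A `dig +norecurse @server example.com SOA` against the authority-only instance should still come back with `aa` set, which confirms the split rather than a dead server.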

More information about the dns-operations mailing list