[dns-operations] Checklist for DNS server implementations

Fred Morris m3047 at m3047.net
Wed Jun 15 21:02:58 UTC 2022

Self explanatory? Like an OWASP top ten?


I'm implementing a service to query $some_data via the DNS as a
convenience. I've done this before, several times, and usually to break
the DNS in some fashion or other, but this time I'm actually trying to
faithfully present data. Plus, it's nominally exposed to at least part
of the big bad internet, which I've always avoided in the past.

So for starters, this service won't be directly exposed. I intend to use
the DNS for caching / proxying, in other words the actual DNS server
which will be exposed to the internet will be e.g. BIND, Knot, Unbound
(and it will forward to the service for that zone). I'm viewing that as
similar to a WAF. It's read only, it has no ability to write data. It
will serve TXT records. [0]

What's BCP? Thanks in advance...


Fred Morris


[0] I'm going back and forth on requiring TXT in the query or just
returning it regardless.

More information about the dns-operations mailing list