[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: DNS cache poisoning?
> Your first step should be to remove your DNS services
> from that WinNT box to something that is less vulnerable and
> start using a BIND based DNS solution
I'd agree wholeheartedly with the first part of this. But:
There are other DNS servers available for UNIX/Linux that are
even less vulnerable than BIND. BIND is pretty good, but still
has "features" that are unnecessary and any unnecessary code
can contain vulnerabilities. I use a package called "DJBDNS"
(see: http://cr.yp.to/) that is a little more work to set up
but which, one running, is *very* stable. It's also easier to
keep the zone files maintained: they're a different format
from BIND, but simpler to update.
One thing that many people find makes DJBDNS harder is that
it uses different programs for running a DNS cache and for
supplying master sources of DNS data, so for most people
both have to be set up, but each is individually easier to
set up *safely* than BIND. It is also much more conservative
than BIND about adding the "additional" records in a response
to the cache, and this makes it almost impossible to poison
the cache program.
Just my 2p-worth. don't get the impression BIND is dangerous:
it isn't; but it is possible to do even better.