Re: DNS cache poisoning?
> Your first step should be to remove your DNS services
> from that WinNT box to something that is less vulnerable and
> start using a BIND based DNS solution
<snip>
I'd agree wholeheartedly with the first part of this. But:
There are other DNS servers available for UNIX/Linux that are
even less vulnerable than BIND. BIND is pretty good, but still
has "features" that are unnecessary and any unnecessary code
can contain vulnerabilities. I use a package called "DJBDNS"
(see: http://cr.yp.to/) that is a little more work to set up
but which, once running, is *very* stable. It's also easier to
keep the zone files maintained: they're a different format
from BIND, but simpler to update.
One thing that many people find makes DJBDNS harder is that
it uses different programs for running a DNS cache and for
supplying master sources of DNS data, so for most people
both have to be set up, but each is individually easier to
set up *safely* than BIND. It is also much more conservative
than BIND about adding the "additional" records in a response
to the cache, and this makes it almost impossible to poison
the cache program.
Just my 2p-worth. Don't get the impression BIND is dangerous:
it isn't; but it is possible to do even better.
--
David Pick