Chris Moore said:
> Blinding logic, perfect reasoning, well argued.

Thank you ;-)

> What is the impact of running BIND (or dig) on my server(s)?

I don't think that you actually need to run BIND for ASSP. If you want to, then that would solve the problems that some others have experienced and mentioned on this list with DNS lookups.

The load represented by running BIND is very low. As an extreme case, I've had this running on a very low end machine, with only 32 MB of RAM. Not recommended, and it was very slow to reload some 600 zones, but it worked fine. As a stub resolver only, the additional load represented on your (modern) server from running BIND locally, as opposed to making remote DNS lookup calls, is likely to be negligible - and it will probably be faster overall.

I don't have any firm figures, but I'd be surprised if running dig was substantially different to running Net::DNS::Resolver. Dig is compiled, Net::DNS::Resolver is interpreted Perl, so dig might well be slightly more "efficient".

> Does BIND interfere with Microsoft settings or values?

W2K and onwards expects to use (Microsoft) DNS as part of Active Directory. I would make two suggestions in this regard:

1. Use a stand-alone server for ASSP, not a Domain Controller. This applies whether or not you're running BIND, BTW. As a general principle, it's wise to separate functions between machines. Then, if one machine fails, you don't lose everything. It also helps to control the load.

2. If you choose to run BIND, then disable the Microsoft DNS service. You can't have two services responding to the same port on the same IP address. Note that BIND has all the hooks & features required for dynamic DNS, and it can be used to do all that Microsoft DNS does - in a more RFC compliant manner. I haven't done this myself, but I know of others who have done so. Again, I wouldn't recommend this for your ASSP server.

> Does BIND pose a security threat to my server(s)?

Like anything else, BIND has had its share of vulnerabilities.
AFAIK, the current version of BIND - 9.3.2-P2 - has nothing major. There is at least one Windows specific issue that's due to be fixed by the next release. It's already in 9.3.3rc3.

The vulnerabilities that do exist mostly relate to obscure features that you're unlikely to be using, and involve a DoS attack. You can protect yourself against (all?) of these by disabling access to your BIND service by others outside your network. There are also some Windows-specific patches.

DNS people have a very low tolerance threshold for security vulnerabilities, due to the critical nature of DNS. BIND is the same software that runs on (most of) the 13 Root servers that the entire Internet depends on. In 10 years, I've only had one machine trashed by a "hacker" - and that was a Linux box, years ago ;-)

So, yes, while some vulnerabilities exist, no, I would suggest that BIND 9.x doesn't pose a noticeable security threat to your servers at all.

A little OT history: BIND 4 worked fine, but had limited features. BIND 8 had lots of features, but had some significant vulnerabilities. BIND 9 is fine - it has the features without the vulnerabilities.

If you're considering running BIND (on Windows or otherwise) for purposes other than ASSP, then I'd suggest that you follow the accepted wisdom (unlike me!) and separate the authoritative name server function (answering questions about your DNS zones for the world) from the recursive resolver function (answering questions about other DNS zones in the world for your network).

The views expressed above are, of course, personal opinions.

HTH.

Kind regards,

William Stucke
ZAnet Internet Services (Pty) Ltd
[EMAIL PROTECTED]
083-308-0700 - WFS
074-333-0109 - Office
086-502-9444 - Fax
http://www.zanet.co.za

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
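The two hardening points in William's reply (close the BIND service to hosts outside your network, and run it as a recursive resolver for your own LAN only) as an added named.conf fragment. This is example configuration written for this page, not anything William posted and not a file shipped with ASSP or BIND; the network ranges, interface address and directory path are assumptions, and it sticks to options that exist in the BIND 9.3 line.

```conf
// Example named.conf for a resolver that serves only the ASSP box and
// its LAN. Added illustration; every address and path below is assumed.

// Assumed: loopback plus the network the mail gateway sits on.
acl "internal" {
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/var/named";    // assumption; a Windows install uses its own path

    // Weak setting (what the 9.3-era defaults amount to): any host on the
    // Internet may query this server and recurse through it, so every
    // resolver bug, including the DoS issues mentioned above, is reachable.
    // allow-query     { any; };
    // allow-recursion { any; };

    // Corrected: answer and recurse only for the internal ACL. Queries from
    // anywhere else are REFUSED and never reach the resolver code paths.
    allow-query     { internal; };
    allow-recursion { internal; };
    recursion yes;

    // Listen only where the gateway needs to be reached (addresses assumed);
    // leave a public-facing interface out of the list entirely.
    listen-on    { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 { none; };

    // Don't hand the exact version string to remote queriers.
    version "not disclosed";
};

// A recursive-only resolver carries no authoritative zones of its own;
// the root hints are all it needs to start resolving.
zone "." IN {
    type hint;
    file "named.root";    // assumption: the usual root hints file name
};
```

To check the result, run `dig @<server-address> www.example.com A` from a host outside the ACL: the header status should read REFUSED, while the same query from inside the LAN returns NOERROR with an answer. If the Microsoft DNS Server service is still running on that address, named cannot bind port 53; stop and disable it first (the service name is DNS, so `sc stop DNS` then `sc config DNS start= disabled`), or, as William suggests, keep the ASSP box off the Domain Controller altogether.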
