On Mon, 3 Apr 2000 [EMAIL PROTECTED] wrote:
> With all of the DNS vulnerabilities that keep popping up, I am
> trying to find a really secure DNS server. I don't need all of
> the bells and whistles, just a server that can answer DNS inquiries
> for domains I control. For my users, I can use a regular DNS
> server behind the firewall, but for global access, I need to have

If you're passing global DNS through the firewall, be aware that tunneling
over DNS is available, easy and worrisome.

> an authoritative DNS server for my domains that just can't be harmed.
>
> Any helpful suggestions would be greatly appreciated.
>
The answer is "it depends." Most of the Internet is running BIND, so
there are some cache poisoning attacks that are possible depending on a
few things (some of them controllable, others not.) Given that (a search
of BUGTRAQ should yield a few), it's likely that "just can't be harmed" is
too high a bar in the current Internet environment.

If you're looking for a fairly clean resolver and associated server, DJB
has written DNSCache and TinyDNS. They're available at:

http://cr.yp.to/dnscache.html

Note that unlike the original qmail license issues, Dan's currently of the
opinion that software licenses suck, so usage seems to be much more open.
I haven't run the "no license" thing past a lawyer though.

I've not personally used the tools yet, but I expect to use the resolver
library in some toys I'm currently planning on building. The project I
was looking for a resolver to use with had to go live pretty quickly, so I
punted to BIND's stuff. I'd put more base stock in DJB doing things well
from a security context than most folks though, so it merits
investigation.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280