On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> Almost every week on this list you can see examples of people who are
> nominally and operationally sysadmins who have followed poor config
> advice found in dubious corners of the net or even on stale pages of the
> SA wiki, and the same class of error is a big risk of using BIND because
> of its age and breadth of capability. On a more theoretical level, the
> fact that BIND is able to do virtually anything that anyone would ever
> want to do with a DNS server means that it has a broader potential
> attack surface in itself and is a richer prize if hijacked, either
> directly or as a consequence of a general system compromise.
>
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > > As much as I love BIND (no, seriously, I do) it's very hard to
> > > recommend it as the first choice for a simple recursive resolver.
> >
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
>
> Simplicity is generally a subjective, relative quality.
>
> Start Unbound with literally no explicit configuration and you get a
> working, safe, reasonably-configured resolver for localhost: the simple
> sort of resolver that a plurality of freestanding mail servers should
> have, perfect as a fix for the mistake of using dnsmasq locally. It's
> very hard to typo a config that doesn't exist.
>
> > acl goodclients {
> >     1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc....
> > };
> >
> > options {
> >     ......
> >
> >     recursion yes;
> >     allow-query { goodclients; };
> >
> >     etc...
> > };
>
> That's more than most mail server resolvers need and the real devil is
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock
/etc/bin/named.conf.options file and aren't relevant to the issue of
setting up a recursive DNS server. Check out the URL I sent, or the
standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are
> nominally and operationally sysadmins who have followed poor config
> advice found in dubious corners of the net or even on stale pages of the
> SA wiki, and the same class of error is a big risk of using BIND because
> of its age and breadth of capability. On a more theoretical level, the
> fact that BIND is able to do virtually anything that anyone would ever
> want to do with a DNS server means that it has a broader potential
> attack surface in itself and is a richer prize if hijacked, either
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they
always have. I've never had a problem. This ain't rocket science, as they
say, and there's plenty of documentation out there. I'm not scared of
bind configuration. I know how to make bind9 stand up and make pancakes
for breakfast ;)

-- 
Lindsay Haisley        | "Humor will get you through times of no humor
FMP Computer Services  |  better than no humor will get you through
512-259-1190           |  times of humor."
http://www.fmp.com     |             - Butch Hancock
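A defender's check for the point raised about the ellipses, added here as an example and not part of this thread: a small Python linter that parses a named.conf fragment in the shape quoted above (an `acl` block plus `options`) and reports whether recursion is reachable from the world, following nested ACL names. The samples are constructed, and because BIND's behaviour when no `allow-*` clause is set depends on the version, that case is reported as 'unspecified' rather than guessed.

```python
import re

# Constructed samples shaped like the config quoted in the thread (the poster's ellipses
# left out); neither is the poster's actual file. The second widens the ACL to "any".
SAMPLE_RESTRICTED = """acl goodclients { 1.2.3.0/24; 4.5.6.0/24; 127.0.0.1; };
options { recursion yes; allow-query { goodclients; }; };"""
SAMPLE_OPEN = SAMPLE_RESTRICTED.replace('1.2.3.0/24; 4.5.6.0/24; 127.0.0.1;', 'any;')
OPTION = re.compile(r'([\w-]+)\s+(?:\{([^}]*)\}|([^;{}]+))\s*;')  # `key value;` or `key { ... };`

def split_blocks(text):
    """Yield (header, body) for each top-level `header { body };`, tracking brace depth."""
    depth, start, header_start = 0, 0, 0
    for i, ch in enumerate(text):
        if ch == '{':
            start = i if depth == 0 else start
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                yield text[header_start:start].strip(' \t\n;'), text[start + 1:i]
                header_start = i + 1

def parse_named_conf(text):
    """Return ({acl_name: [members]}, {option: value}); brace-valued options become lists."""
    acls, options = {}, {}
    for header, body in split_blocks(text):
        words = header.split()
        if words[:1] == ['acl'] and len(words) == 2:
            acls[words[1]] = [e.strip() for e in body.split(';') if e.strip()]
        elif words[:1] == ['options']:
            for key, braces, plain in (m.groups() for m in OPTION.finditer(body)):
                options[key] = plain.strip() if braces is None else [e.strip() for e in braces.split(';') if e.strip()]
    return acls, options

def expand_acl(entries, acls, seen=frozenset()):
    for e in entries:  # replace nested ACL names with their members, cycle-safe
        if e in acls and e not in seen:
            yield from expand_acl(acls[e], acls, seen | {e})
        else:
            yield e

def recursion_exposure(text):
    """'off', 'restricted', 'open', or 'unspecified' (BIND's version-dependent default then applies)."""
    acls, options = parse_named_conf(text)
    if options.get('recursion', 'yes') != 'yes':  # BIND recurses unless told not to
        return 'off'
    # A client must pass both allow-query and allow-recursion, so the resolver is world-open
    # only if every scope that is actually set admits the world.
    scopes = [options[k] for k in ('allow-query', 'allow-recursion') if isinstance(options.get(k), list)]
    if not scopes:
        return 'unspecified'
    return 'open' if all({'any', '0.0.0.0/0', '::/0'} & set(expand_acl(s, acls)) for s in scopes) else 'restricted'
```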