On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> 
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
> > 
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > > 
> > > As much as I love BIND (no, seriously, I do) it's very hard to 
> > > recommend it as the first choice for a simple recursive resolver.
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
> Simplicity is generally a subjective, relative quality.
> 
> Start Unbound with literally no explicit configuration and you get a 
> working, safe, reasonably-configured resolver for localhost: the simple 
> sort of resolver that a plurality of freestanding mail servers should 
> have, perfect as a fix for the mistake of using dnsmasq locally. It's 
> very hard to typo a config that doesn't exist.
> 
> > 
> > acl goodclients {
> >     1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc....
> > };
> > 
> > options {
> >         ......
> > 
> >         recursion yes;
> >         allow-query { goodclients; };
> > 
> >         etc...
> > };
> That's more than most mail server resolvers need and the real devil is 
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock
/etc/bin/named.conf.options file and aren't relevant to the issue of
setting up a recursive DNS server.  Check out the URL I sent, or the
standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are 
> nominally and operationally sysadmins who have followed poor config 
> advice found in dubious corners of the net or even on stale pages of the 
> SA wiki, and the same class of error is a big risk of using BIND because 
> of its age and breadth of capability. On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they
always have. I've never had a problem.

This ain't rocket science, as they say, and there's plenty of
documentation out there. I'm not scared of bind configuration. I know
how to make bind9 stand up and make pancakes for breakfast ;)

-- 
Lindsay Haisley       |  "Humor will get you through times of no humor
FMP Computer Services |      better than no humor will get you through
512-259-1190          |         times of humor."
http://www.fmp.com    |            - Butch Hancock
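The thread's practical worry is what ends up in the ellipses of a BIND `options` block: with `recursion yes;` the set of clients allowed to recurse is whatever `allow-recursion`, `allow-query-cache` or `allow-query` says, and if that ends up at `any` the host is an open resolver. The following added example (not code from the list thread, BIND or Unbound) is a small lint for exactly that case. It embeds three constructed configs, a weak one, a hardened one in the style of the posted `acl goodclients` snippet, and an authoritative-only one, and reports who may recurse through each. It parses only the subset of named.conf syntax needed here (acl and options blocks, `allow-*` address match lists, `recursion`), and it assumes BIND 9's documented defaulting chain for `allow-recursion` (allow-query-cache, then allow-query, then `{ localnets; localhost; }`); the 192.0.2.0/24 and 198.51.100.0/24 prefixes are documentation addresses standing in for real LANs.

```python
"""Added example: lint a BIND 9 options block for open-resolver exposure.

Constructed configs (not from the thread); the parser covers only the
acl/options/allow-* subset of named.conf needed for this one check.
"""
import re

WEAK_CONF = """
// Constructed: recursion on, queries allowed from anywhere -> open resolver.
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { any; };
};
"""

HARDENED_CONF = """
// Constructed, in the style of the snippet posted on the list.
acl goodclients {
        192.0.2.0/24;      # documentation prefixes stand in for real LANs
        198.51.100.0/24;
        127.0.0.1;
        ::1;
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        allow-recursion { goodclients; };
        allow-transfer { none; };
};
"""

AUTH_ONLY_CONF = """
// Constructed: authoritative-only server, recursion disabled outright.
options {
        recursion no;
        allow-query { any; };
};
"""

OPEN_WORLD = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Drop /* */, // and # comments, the three forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Return [(header_words, body)] for each top-level `header { body };`."""
    blocks, i = [], 0
    while (j := text.find("{", i)) >= 0:
        header = text[i:j].strip().lstrip(";").split()
        depth, k = 0, j
        while k < len(text):               # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[k], 0)
            if depth == 0:
                break
            k += 1
        blocks.append((header, text[j + 1:k]))
        i = k + 1
    return blocks


def address_match_list(body, name):
    """Entries of `name { a; b; };` inside body, or None when not present."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def expand(entries, acls, seen=()):
    """Flatten ACL names (recursively) into their literal entries."""
    out = []
    for e in entries:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out


def recursion_exposure(conf):
    """Report who may recurse through this server and whether that is everyone.

    Assumes BIND 9's documented defaulting chain: allow-recursion defaults to
    allow-query-cache, then allow-query, then { localnets; localhost; }.
    """
    acls, options = {}, ""
    for header, body in top_level_blocks(strip_comments(conf)):
        if header[:1] == ["acl"] and len(header) == 2:
            acls[header[1]] = [e.strip() for e in body.split(";") if e.strip()]
        elif header == ["options"]:
            options = body
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", options)
    recursion = rec.group(1) == "yes" if rec else True   # BIND's default is yes
    source, clients = "default", ["localnets", "localhost"]
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        found = address_match_list(options, name)
        if found is not None:
            source, clients = name, found
            break
    clients = expand(clients, acls)
    return {
        "recursion": recursion,
        "source": source,
        "recursion_clients": clients,
        "open_resolver": recursion and any(c in OPEN_WORLD for c in clients),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                        ("auth-only", AUTH_ONLY_CONF)):
        r = recursion_exposure(conf)
        print(f"{label:10} open_resolver={r['open_resolver']} "
              f"recursion via {r['source']}: {r['recursion_clients']}")
```

The hardened variant sets `allow-recursion` explicitly rather than relying on `allow-query` alone, so a later edit that widens `allow-query` (for example to serve an authoritative zone to the world) does not silently widen recursion with it; that is the kind of ellipsis-hidden interaction the discussion is pointing at, and the one thing Unbound's no-config default avoids by only listening on localhost.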