On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:

> On a more theoretical level, the fact that BIND is able to do virtually anything that anyone would ever want to do with a DNS server means that it has a broader potential attack surface in itself and is a richer prize if hijacked, either directly or as a consequence of a general system compromise.
Well, bind9 seems to show up relatively rarely in CERT bulletins, and pushed upgrades are rare enough to indicate to me that the current release for my server OS (BIND 9.9.5-3ubuntu0.8-Ubuntu (Extended Support Version)), which has been stable for 6 months, is pretty solid. Exploit exposure is only as extensive with a package of this sort as what one makes it to be. Both Canonical and ISC, the upstream maintainer, are fastidious about security, but it's always possible, through ignorance or carelessness, to make secure software insecure through misconfiguration. Setting stock bind9 up as a simple recursive name server is a no-brainer, however, as I noted.

I'd be very happy to hear about exploits of bind9 set up with simple configuration as a recursive name server, with a proper acl. I keep my ear to the ground and haven't heard of such.

FWIW, I'm far less impressed with the general level of system administration knowledge on this SA forum than I am with the apparent knowledge of people whose postings and offerings elsewhere on the Internet re. subjects such as named have been vetted and reviewed by competent peers, as is the way of the world with open source software.

-- 
Lindsay Haisley          | "The first casualty when
FMP Computer Services    | war comes is truth."
512-259-1190             |
http://www.fmp.com       | -- Hiram W Johnson
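As an added illustration (not from this thread or from ISC), here is the kind of minimal recursive-resolver configuration the reply refers to: the weak open-recursion form beside the ACL-restricted one. The two `options` blocks are alternatives to compare, not to be used together, and the address ranges are constructed placeholders.

```conf
// Added example, not part of the original message.
// WEAK: recursion answered for any source address. This is an open
// resolver, which is abusable for amplification/reflection traffic and
// widens the cache-poisoning exposure of the server.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };   // explicit "any" overrides the safer default
};

// RESTRICTED: define the trusted client ranges once (constructed values)
// and apply the acl consistently to recursion, cache reads and queries.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;               // placeholder LAN range (RFC 5737 prefix)
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };   // no cache snooping from outside
    allow-query       { trusted; };
    allow-transfer    { none; };      // a resolver has no zones to hand out
};
```

Check the file with `named-checkconf`, then confirm from an address outside the acl that a lookup is answered with REFUSED rather than resolved.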