[rescue] Tricking DNS

Loomis, Rip rescue at sunhelp.org
Mon Oct 22 10:09:46 CDT 2001


All--
1.  I've been using BIND 9 operationally for over a year
	now.  No question that 9.1.3 is production quality.
	I know of several TLDs that have it as part of their
	mix for authoritative servers, and are currently
	phasing out BIND 8 (to be complete by ~April 2002).
2.  "ndc" used to be a basic shell script, then became
	a basic compiled program--but "rndc" (the replacement)
	is all that *plus* a bag of chips.  You can control
	your nameservers securely from a remote system,
	with TSIG (shared secret HMAC-MD5) for authentication.
	Or you can do it on the local system.  (There's
	even a default behavior in 9.1.3 so that rndc can
	work with some very minimal hand-holding, as opposed
	to the "bitching about key generation" problem that
	Bill experienced in previous versions.)
3.  It *is* a drop-in upgrade from BIND 8 in 95% of the
	cases I've seen, and the other 5% need only about
	three pages of instructions.  I've got those instructions,
	plus the steps to get signed zones and all the other
	new features working.
4.  Most importantly, if you care about security, 9.x is
	actually written with maintainable code.  Every time
	someone tries to fix 8.x anymore, it's like starting
	to pull a thread on a sweater and next thing you
	know it falls apart into a pile of yarn on the floor.
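As an added illustration of point 2 (not part of the original post), this is the shape of the rndc control-channel setup described there: a shared TSIG key on both ends, and a `controls` statement that only answers listed hosts presenting that key. The key name, the addresses 192.0.2.10/192.0.2.20 and the secret are placeholders, not values from the post.

```conf
# --- named.conf on the nameserver (added example, not from the post) ---
# Shared-secret TSIG key. The secret is a PLACEHOLDER: replace it with a
# generated base64 value (e.g. from rndc-confgen) and keep the file mode 0600.
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

# Control channel: listen on loopback plus one management address only,
# and accept commands only from listed hosts that also sign with the key.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
    inet 192.0.2.10 port 953
        allow { 192.0.2.20; } keys { "rndc-key"; };
};

# --- rndc.conf on the admin workstation (assumed to be 192.0.2.20) ---
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";   # must match the server
};

options {
    default-key    "rndc-key";
    default-server 192.0.2.10;
    default-port   953;
};
```

With these in place, `rndc reload` from the workstation is authenticated by the HMAC; a request from a host outside `allow`, or one whose HMAC does not verify, is refused by named.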

*Don't* use the BIND that's included with Solaris, whatever
you do, unless you have someone holding a gun to your head.
Historically, it has taken Sun anywhere from 4 to 24 weeks
to get patches out for "their" BIND implementations--and that's
an unacceptable window of vulnerability.  As with Sendmail,
if you need the functionality then use the latest stable
and secure release, rather than sticking with the Sun version.

*Anyone* who wants help on upgrading BIND 8 to BIND 9, please
let me know...this means you, Bill.  I'm doing DNS security
work more-or-less full time (and have been for over two years
now)...and BIND 9 is the only valid solution for many of
the issues out there.  If you think it's not for you, then
I may be able to change your mind.

As for how to cause a web browser to not load random ad crap,
I strongly recommend the combination of Junkbuster and
Squid.  Works for me at home (internal systems just try to go to
port 80 on remote systems, which gets transparently redirected
to Squid, which uses Junkbuster as a filter on all queries.)

--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology 

> -----Original Message-----
> From: Bill Bradford [mailto:mrbill at mrbill.net]
> On Mon, Oct 22, 2001 at 10:38:49AM -0400, Kevin Loch wrote:
> > Btw, I highly recommend everyone use Bind9 instead of Bind4/8/the one
> > in Solaris.
> 
> EWW.  
> 
> I *still* don't consider bind9 to be "production quality" for
> the following reasons:
> 
> 1.  No 'ndc'
> 2.  Last time I tried to install it, it kept bitching about no
>     key generated, etc. - and there was no clear info in the
>     documentation on *how* to do it
> 3.  Certainly not "drop-in" upgrade from BIND8.
> 
> I just compile the latest BIND8 variant on all my boxes.  If
> anybody has suggestions on how to *easily* upgrade to BIND9 properly,
> please let me know (and I'm not a "bind newbie" by any means - I've been
> setting it up and doing DNS at large ISPs and companies for *years*..)
> 
