BIND recursive resolver exploit?
Rick Moen
rick at linuxmafia.com
Fri Aug 1 17:37:50 PDT 2008
I wrote:
> The obvious way to protect resolver libraries against even that much of
> a threat is to have /etc/resolv.conf point to a _local_
> recursive-resolver nameserver via 127.0.0.1, and ensure that the
> nameserver software package is one that randomises _its_ source ports
> for recursive-resolver queries: BIND9's July 8th "P1" patches, djb's
> dnscache, PowerDNS Recursor, MaraDNS, or Unbound.
After re-researching this matter for the impending August issue of
_Linux Gazette_, I still ended up with that same list, and detailed
them briefly in a sidebar as follows:
o BIND9: The only one yr. humble servant has used extensively.
Maddeningly slow, bloated, overfeatured monolithic binary (optionally
doing all other conceivable types of nameservice, as well). Cryptic
and brittle (but "standard", for better or worse) configuration and
zonefile formats.
o Unbound: By design, excellent in all areas where BIND9 is
lackluster. The only obvious problem is that it's brand-new --
which, in security-sensitive code, is a point of concern.
o PowerDNS Recursor: Dedicated recursor component (newly made
available separately) of the respected do-it-all PowerDNS package.
Probably requires a SQL database for back-end storage. Fast.
PowerDNS as a whole -- but I'm not sure how much of this applies
to the separately packaged recursor -- is somewhat bloated, has an
over-large tree of required libraries and other dependencies, and
has a fair (but not stellar) reputation for security.
o dnscache: Dan Bernstein's caching recursive-resolver, part of the
djbdns suite, and the first to randomise source ports as a security
precaution. Eccentric style of coding and operation. (Let me just
leave it at that.) Unsurpassed security history. Said to be a bit
of a challenge to set up, and at present you must immediately patch
it to compensate for Dan not having maintained it since 2001. Has
problems resolving some domains (such as Akamai), and in general
is by design a bit underfeatured, which accounts in part for
both its superb security history and its problem areas.
o MaraDNS: Lightweight, fast, and well-maintained. Like BIND9, does
all conceivable DNS roles, but without the bloat. Excellent security.
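Two small defender-side checks for the setup recommended in the quoted paragraph, added here as an example and not part of the original post or of any of the resolver packages named: (1) confirm that /etc/resolv.conf points only at a loopback nameserver, and (2) given a sample of source ports observed on a resolver's outgoing queries (e.g. pulled from a packet capture), judge whether the ports look randomised or fixed/sequential. The resolv.conf contents, the port samples and the pass/fail thresholds are all constructed for the example.

```python
"""Checks for the 'local randomising recursor' setup described in the post."""
import ipaddress
import math
from collections import Counter

# Constructed resolv.conf contents (not taken from any real host).
SAMPLE_RESOLV_CONF_LOCAL = """\
# points only at a recursor listening on loopback
nameserver 127.0.0.1
options timeout:2 attempts:2
"""

SAMPLE_RESOLV_CONF_REMOTE = """\
search example.test
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

# Constructed source-port samples, as one might extract from a capture of a
# resolver's outgoing queries: a fixed port, a sequential allocator, and a
# randomised allocator.
SAMPLE_PORTS_FIXED = [53] * 20
SAMPLE_PORTS_SEQUENTIAL = list(range(32768, 32788))
SAMPLE_PORTS_RANDOM = [51342, 23487, 60011, 34120, 47903, 12877, 58320, 30015,
                       41988, 19734, 63001, 27459, 55610, 38842, 14203, 49377,
                       21966, 59128, 36550, 44291]


def parse_nameservers(text):
    """Return the 'nameserver' addresses in resolv.conf order.

    resolv.conf(5) treats lines whose first column is '#' or ';' as comments.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def non_loopback_nameservers(text):
    """Nameserver entries that are not loopback addresses (anything here means
    the stub resolver can still be sent to a non-local, possibly unpatched,
    recursor).  Unparseable addresses are reported too."""
    flagged = []
    for addr in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(addr)
            continue
        if not ip.is_loopback:
            flagged.append(addr)
    return flagged


def port_randomness(ports):
    """Summarise a sequence of observed query source ports.

    Returns the number of distinct ports, the Shannon entropy of the port
    distribution in bits, and the fraction of consecutive observations where
    the port simply incremented by one (a sign of sequential allocation).
    """
    if not ports:
        raise ValueError("need at least one observed port")
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    seq_frac = sequential / (n - 1) if n > 1 else 0.0
    return {"distinct": len(counts),
            "entropy_bits": entropy,
            "sequential_fraction": seq_frac}


def looks_randomised(ports, min_distinct_fraction=0.9, max_sequential_fraction=0.2):
    """Heuristic verdict; the two thresholds are assumptions chosen for this
    example, not values from the post or from any resolver's documentation."""
    summary = port_randomness(ports)
    enough_distinct = summary["distinct"] >= min_distinct_fraction * len(ports)
    not_sequential = summary["sequential_fraction"] <= max_sequential_fraction
    return enough_distinct and not_sequential


if __name__ == "__main__":
    print("remote nameservers:", non_loopback_nameservers(SAMPLE_RESOLV_CONF_REMOTE))
    for name, sample in (("fixed", SAMPLE_PORTS_FIXED),
                         ("sequential", SAMPLE_PORTS_SEQUENTIAL),
                         ("random", SAMPLE_PORTS_RANDOM)):
        print(name, port_randomness(sample), "randomised:", looks_randomised(sample))
```

A sample of twenty ports is enough to catch a resolver that is pinned to one port or walks upward from a base, which is what the pre-patch behaviour looked like; it is not enough to vouch for the quality of a randomiser, so treat a "randomised" verdict as "not obviously broken" rather than as proof of a full 16-bit port range.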