[AusNOG] What Caching DNS Resolver Are You (ISPs) Using?

Mark Andrews marka at isc.org
Mon Aug 31 13:50:08 EST 2015


In message <1822177227.3157964.1440983119944.JavaMail.yahoo at mail.yahoo.com>, James Mcintosh writes:

> Hi Noggers,
> I'm needing some advice for a fast, secure DNS caching resolver for our
> ISP customers. We're currently using BIND but given I need such a limited
> subset of features I'd like to do away with the legacy and baggage of
> BIND in favour of something simple, fast and secure.
> I've looked at djbdns in the (distant) past but from memory it could only
> be configured as a forwarder which is not what I want.
> Happy to look at commercial solutions also.
> Thanks

What legacy baggage do you think there is in BIND?

Named implements the current DNS protocol stack.

Why do you think BIND is insecure?  Is it because we actually check
internal state and function arguments and do a controlled exit when
we detect an anomaly rather than continue on and give incorrect
results?  A security advisory does not mean that it is insecure (as
can be compromised).  Yes, doing this means that it can be made to
stop if we have got something wrong.

If named were wrapped by a nanny script that restarts it on error,
many of the advisories written in the last decade wouldn't
have been issued.

e.g.
	"while ! named ; do : ; done"

We ship one in contrib for OS vendors that don't have their own management
service (e.g. launchd).  That said we can't assume that there is a nanny
service in use so we issue an advisory.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
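The bare "while ! named ; do : ; done" loop above restarts the daemon forever with no pause and no record of how often it died. The following is an added example, not Mark's contrib script, of the same nanny idea with a restart budget and a pause between attempts, so a persistent crash is reported rather than silently spun on. It assumes the daemon is run in the foreground (e.g. "named -f") and that a non-zero exit is the controlled-exit case the post describes.

```shell
#!/bin/sh
# Added example (not from the original post or ISC's contrib script).
# supervise MAX_RESTARTS PAUSE_SECONDS CMD [ARGS...]
#   Runs CMD in the foreground.  On a non-zero exit it logs the status to
#   stderr and restarts CMD, up to MAX_RESTARTS times, sleeping
#   PAUSE_SECONDS between attempts so a crash loop does not spin the CPU.
#   Returns 0 when CMD finally exits cleanly, or 1 once the restart budget
#   is exhausted, so an init system or monitor can see the failure.
supervise() {
    max=$1
    pause=$2
    shift 2
    attempt=0
    while :; do
        "$@"
        rc=$?
        # A clean exit (e.g. "rndc stop") is not a crash: stop supervising.
        [ "$rc" -eq 0 ] && return 0
        attempt=$((attempt + 1))
        echo "supervise: $1 exited with status $rc (restart $attempt/$max)" >&2
        if [ "$attempt" -ge "$max" ]; then
            echo "supervise: giving up on $1 after $max restarts" >&2
            return 1
        fi
        sleep "$pause"
    done
}

# Example invocation for a foreground named (assumed flags; adjust for your
# build and OS):
#   supervise 5 2 named -f -c /etc/named.conf
```

Each restart line on stderr is the signal an operator wants to alert on: one restart after an assertion failure is the behaviour Mark describes, a steady stream of them is a bug or an attack worth investigating.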

