Firewall Wizards mailing list archives

Re: Does blocking TCP DNS packets keep your Bind safe?


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 14 Mar 2001 08:56:37 +1100 (EST)

In some email I received from Todd, sie wrote:
> ben, all,
> 
> i have to agree with this sentiment.  because of the well-known "inbound
> traffic problem" that i believe marcus identified and certainly has
> described most adequately, it is necessary to allow some traffic in
> through a firewall, if we want to offer any network-based services.  that
> traffic should be directed to a secure service running on a
> well-administered machine.
> 
> dns is certainly one of the services we want to offer.  since the ISC have
> proven that they are incapable of secure coding, we should look at
> alternatives.  thankfully, there is one:  djbdns from dan bernstein is
> secure, extremely fast, and easy to set up and administer.  i'd encourage
> anyone who cares about security and understands the inbound traffic
> problem to seriously consider it.

I think you're taking too hard a line on the ISC there.

BIND is written in C and for better or worse, C is *HARD* to program in
a secure and safe manner, especially when you have an application as large
and complex as BIND is.

The only way to run applications, such as BIND, is as non-root and in a
chroot'd environment.  BIND makes it rather easy to do this.

Maybe sendmail and BIND need to be rewritten in java ? ;)

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
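Added example, not part of the thread and not BIND's own code: the privilege-drop sequence a daemon such as named has to perform after it has bound port 53 and opened its log files, written so that the classic mistakes (chroot without a following chdir, supplementary groups left behind, a setuid that silently did nothing) are caught rather than assumed away. The jail path /var/named and the user name "named" in main() are assumptions for illustration; the user lookup happens before chroot() because /etc/passwd will not be visible afterwards.

```c
/* Added example (not from the thread, not BIND's own code): drop root and
 * confine the process to a jail, verifying each step actually took effect. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct root_id { dev_t dev; ino_t ino; };

/* Record the identity of the intended jail directory before chroot(2). */
int record_root_id(const char *path, struct root_id *id) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    id->dev = st.st_dev;
    id->ino = st.st_ino;
    return 0;
}

/* After chroot(2)+chdir("/"), "/" must resolve to the recorded directory. */
int root_matches(const struct root_id *id) {
    struct stat st;
    if (stat("/", &st) != 0) return 0;
    return st.st_dev == id->dev && st.st_ino == id->ino;
}

/* 1 if the process is unprivileged and cannot regain root; 0 otherwise. */
int privileges_dropped(void) {
    if (geteuid() == 0 || getuid() == 0) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

enum { DROP_OK = 0, DROP_EBADUSER, DROP_ECHROOT, DROP_EGROUPS,
       DROP_ESETID, DROP_EVERIFY };

int drop_privileges(const char *jail, const char *user) {
    struct root_id id;
    /* Look the user up now: /etc/passwd is not reachable from inside the jail.
       Refuse uid 0 so a misconfigured "unprivileged" user cannot keep root. */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return DROP_EBADUSER;
    if (record_root_id(jail, &id) != 0) return DROP_ECHROOT;
    /* chroot first (still needs root), then chdir("/"): without the chdir the
       cwd stays outside the jail and the process can simply walk back out. */
    if (chroot(jail) != 0 || chdir("/") != 0) return DROP_ECHROOT;
    /* Supplementary groups survive setuid(); drop them, then gid before uid. */
    if (setgroups(0, NULL) != 0) return DROP_EGROUPS;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return DROP_ESETID;
    /* Trust nothing: confirm the new root and that root is unrecoverable. */
    if (!root_matches(&id) || !privileges_dropped()) return DROP_EVERIFY;
    return DROP_OK;
}

int main(int argc, char **argv) {
    const char *jail = argc > 1 ? argv[1] : "/var/named"; /* assumed jail path */
    const char *user = argc > 2 ? argv[2] : "named";      /* assumed daemon user */
    int rc = drop_privileges(jail, user);
    if (rc != DROP_OK) {
        fprintf(stderr, "drop_privileges failed (code %d): %s\n", rc, strerror(errno));
        return 1;
    }
    printf("confined: uid=%d gid=%d root=%s\n", (int)getuid(), (int)getgid(), jail);
    return 0;
}
```

named's own -u and -t options perform the same two steps (switch user, chroot) once the privileged sockets are open; the point of the checks above is that a daemon should not take their success on faith, since chroot() and setuid() are exactly the calls a misconfiguration or a partial port of the code leaves half done.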