Firewall Wizards mailing list archives
RE: Does blocking TCP DNS packets keep your Bind safe?
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Wed, 28 Mar 2001 07:59:54 -0600
From: Adrian Brinton [mailto:adrian () brinton to]
I think you miss the point... I could go to any of my favorite '31337 warez' sites and download a nice easy to use exploit for BIND.
And so could the developers of BIND, figure out what the exploit does and fix it (under much more pressure to do so from the amount of people using BIND).
Actually, I would have a choice of many, for many versions. I can't say the same is true for djbdns, regardless if one is better written, more secure, or whatever.
As I see it, your point is that because djbdns isn't in widespread use, it isn't as "choice" a target as BIND, and therefore doesn't have as many tools developed (yet) to break it. You don't have to have a higher "level of interest for people to design exploits" to have someone break it. It only takes one with enough interest. If you are willing to accept that, so be it. I am not. My point was that just because the tools aren't readily available and fewer people know about it doesn't make it a better product (security by obscurity). The fact that BIND (or any other product) is in widespread use typically (but not always!) means that those "nice and easy" exploits are found, announced, and patched more quickly than other less used products.
-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com]
Sent: Wednesday, March 21, 2001 11:18 AM
To: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
since there are probably 100x more servers out there in the world running BIND, the likelihood of seeing or finding bugs on the platform, and the level of interest for people to design exploits are both going to be way higher than for a relatively scarce product like djbdns.
security by obscurity. a valiant, but ineffective means of security.