Firewall Wizards mailing list archives

RE: Does blocking TCP DNS packets keep your Bind safe?


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Wed, 28 Mar 2001 07:59:54 -0600

From: Adrian Brinton [mailto:adrian () brinton to]
I think you miss the point... I could go to any of my favorite '31337
warez' sites and download a nice easy to use exploit for BIND. 

And so could the developers of BIND, figure out what the exploit does
and fix it (under much more pressure to do so from the amount of people
using BIND).

Actually, I would have a choice of many, for many versions. I can't say the same
is true for djbdns, regardless of whether one is better written, more secure, or
whatever.

As I see it, your point is that because djbdns isn't in widespread use,
it isn't as "choice" a target as BIND, and therefore doesn't have as
many tools developed (yet) to break it. You don't have to have a
higher "level of interest for people to design exploits" to have
someone break it. It only takes one with enough interest. If you are
willing to accept that, so be it. I am not.

My point was that just because the tools aren't readily available and
fewer people know about it doesn't make it a better product (security
by obscurity). The fact that BIND (or any other product) is in
widespread use typically (but not always!) means that those "nice and
easy" exploits are found, announced, and patched more quickly than
other less used products.

-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com]
Sent: Wednesday, March 21, 2001 11:18 AM
To: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?

since there are probably 100x more servers out there in the world running BIND,
the likelihood of seeing or finding bugs on the platform, and the level of
interest for people to design exploits, are both going to be way higher than
for a relatively scarce product like djbdns.

security by obscurity. a valiant, but ineffective means of security.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
