Firewall Wizards mailing list archives

RE: Does blocking TCP DNS packets keep your Bind safe?


From: Todd <todd () unm edu>
Date: Sun, 11 Mar 2001 19:37:06 -0700 (MST)

ben, all,

i have to agree with this sentiment.  because of the well-known "inbound
traffic problem" that i believe marcus identified and certainly has
described most adequately, it is necessary to allow some traffic in
through a firewall, if we want to offer any network-based services.  that
traffic should be directed to a secure service running on a
well-administered machine.

dns is certainly one of the services we want to offer.  since the ISC have
proven that they are incapable of secure coding, we should look at
alternatives.  thankfully, there is one:  djbdns from dan bernstein is
secure, extremely fast, and easy to set up and administer.  i'd encourage
anyone who cares about security and understands the inbound traffic
problem to seriously consider it.

todd

On Mon, 12 Mar 2001, Ben Nagy wrote:

Date: Mon, 12 Mar 2001 09:27:08 +1030
From: Ben Nagy <ben.nagy () marconi com au>
To: firewall-wizards () nfr net
Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?

So, in summary:

Why not avoid seeing how much we can screw with stuff before it breaks and
just work on not having BIND suck? We need TCP responses. If your DNS server
can't handle them securely, get a NEW one.

Personally, not using BIND is my solution at the moment.

(Maybe the IETF's DNSSec stuff will make it aaaaaaalllll better?)

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
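The "we need TCP responses" point above, as an added worked example (not code from either poster, BIND, or djbdns): a classic DNS reply over UDP is capped at 512 bytes, so a server that cannot fit the whole answer sets the TC (truncated) bit and the resolver is expected to repeat the query over TCP/53. The hostname, TXT record contents and record count below are constructed for the demonstration; the server and resolver are simulated in-process rather than sent over a socket, so it runs offline. It shows that a firewall rule dropping TCP/53 does not merely "protect" the name server, it silently breaks every answer too large for a single UDP datagram.

```python
import struct

UDP_MAX = 512      # RFC 1035 UDP payload limit (pre-EDNS0)
TC_FLAG = 0x0200   # TC bit in the DNS header flags word
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, txt_values, udp=True):
    """Server side: answer a TXT query. Over UDP, stop adding records once
    the message would exceed 512 bytes and set TC so the client retries on TCP."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = []
    for v in txt_values:
        rdata = bytes([len(v)]) + v.encode("ascii")          # TXT: one <char-string>
        # name is a compression pointer (0xc00c) back to the question name
        rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
        answers.append(rr)
    body, kept, truncated = question, 0, False
    for rr in answers:
        if udp and 12 + len(body) + len(rr) > UDP_MAX:
            truncated = True
            break
        body += rr
        kept += 1
    flags = 0x8180                       # QR=1, RD=1, RA=1, RCODE=0
    if truncated:
        flags |= TC_FLAG
    header = struct.pack("!HHHHHH", txid, flags, 1, kept, 0, 0)
    return header + body


def is_truncated(msg):
    """Client side: inspect the flags word of a reply for the TC bit."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def answer_count(msg):
    """ANCOUNT field of the header."""
    return struct.unpack("!H", msg[6:8])[0]


def resolve(txid, qname, txt_values, tcp_allowed):
    """Resolver logic: try UDP first; on TC, retry over TCP unless a firewall
    in the path drops TCP/53, in which case the lookup simply fails."""
    udp_reply = build_response(txid, qname, txt_values, udp=True)
    if not is_truncated(udp_reply):
        return udp_reply, "udp"
    if not tcp_allowed:
        return None, "failed: TC set but TCP/53 blocked"
    return build_response(txid, qname, txt_values, udp=False), "tcp"


if __name__ == "__main__":
    # Constructed sample: three 200-byte TXT strings, well over 512 bytes in total.
    big = ["x" * 200] * 3
    for allowed in (True, False):
        reply, how = resolve(0x1234, "example.com", big, tcp_allowed=allowed)
        print(f"tcp_allowed={allowed}: {how}, answers={answer_count(reply) if reply else 0}")
```

With TCP/53 open the resolver gets all three records on the retry; with it blocked the lookup fails, which is exactly the breakage the thread is arguing against trading for a false sense of BIND safety.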