Networking Forums

DNS recommendations

 
 
/dev/null
      12-09-2004, 04:37 PM
we're looking to have a cache & forward DNS server that will host all of our
internal DNS and forward/cache any requests beyond what it serves up.

Bind looks like it will do all we need, but we've heard a number of security
concerns with bind.

Any recommendations on something that can handle a large scale (1,000+ zone
files) deployment that is also fairly secure?

Thanks!


 
Tim Haynes
      12-09-2004, 05:55 PM
"/dev/null" <(E-Mail Removed)> writes:

> Bind looks like it will do all we need, but we've heard a number of security
> concerns with bind.


Ancient history. There may have been one security-related upgrade in the
last year or so, with Bind, at least bind-9.x which is what counts, anyway.

> Any recommendations on something that can handle a large scale (1,000+ zone
> files) deployment that is also fairly secure?


Bind will do the first part; chances are other things will. The latter is
up to you - there's a vast arsenal of things you can do to make a service
more secure:

a) specific user (-u)
b) chroot jail (-t)
c) CFLAGS="-fstack-protector" (and other random optimization things that
are unlikely to appear in a standard packaged version)
d) a good stateful iptables firewall allowing TCP access only to known
secondary NSes
d) GRSecurity kernel patch to lock-down behaviour within chroot and stop it
from making outgoing client socket connections at all
e) check for updates EVERY DAMN DAY.
f) run the whole thing with libsafe or electricfence
g) IDS and nIDS
h) hide the version-string
i) restrict zone-xfers to secondary NSen only
j) good backup strategy

See. Plenty you can do, that makes the choice of daemon pretty much
irrelevant.

~Tim
--
18:37:08 up 114 days, 3:17, 0 users, load average: 0.11, 0.07, 0.01
(E-Mail Removed) |The light of the world keeps shining,
http://spodzone.org.uk/cesspit/ |Bright in the primal glow
 
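A named.conf sketch that puts several of the items in Tim's list into BIND 9 configuration (unprivileged user and chroot at start-up, recursion only for internal clients, zone transfers only to TSIG-signed secondaries, hidden version string, upstream forwarders). This is an added example, not configuration from the thread; the address ranges, peer addresses, key name, file paths and zone name are assumptions, and the TSIG secret is a placeholder.

```conf
// Added example (not from this thread): hardened BIND 9 named.conf sketch.
// Start the daemon as an unprivileged user inside a chroot, as in items a)/b):
//   named -u named -t /var/named -c /etc/named.conf
// Assumed values: internal clients on 10.0.0.0/8, secondaries 192.0.2.10 and
// 192.0.2.11, upstream resolvers 198.51.100.1/.2, zone "example.internal".

acl "internal"    { 127.0.0.1; 10.0.0.0/8; };
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

// TSIG key shared with the secondaries (hmac-sha256 needs BIND 9.4 or later;
// older releases only know hmac-md5). Generate a real secret; this is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};
server 192.0.2.10 { keys { "xfer-key"; }; };
server 192.0.2.11 { keys { "xfer-key"; }; };

options {
    directory "/var/named";           // path as seen inside the chroot
    version "not disclosed";          // what a version.bind CHAOS query gets back
    allow-query     { any; };         // authoritative answers for everyone
    allow-recursion { internal; };    // caching/forwarding only for internal clients
    allow-transfer  { none; };        // no zone transfers unless a zone says otherwise
    forwarders { 198.51.100.1; 198.51.100.2; };
    forward only;                     // never walk the tree from the roots ourselves
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.internal" {
    type master;
    file "zones/example.internal.db";
    // Transfers require BOTH a secondary's address AND a valid signature:
    // the negated inner list rejects every address outside "secondaries",
    // then the key element demands the TSIG signature.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
};
```

Check the result from an outside address with `dig @server example.internal axfr` (expect REFUSED) and `dig @server version.bind chaos txt` (expect the placeholder string).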
 
Michael J. Pelletier
      12-10-2004, 12:19 AM
/dev/null wrote:

> we're looking to have a cache & forward DNS server that will host all of
> our internal DNS and forward/cache any requests beyond what it serves up.
>
> Bind looks like it will do all we need, but we've heard a number of
> security concerns with bind.
>
> Any recommendations on something that can handle a large scale (1,000+
> zone files) deployment that is also fairly secure?
>
> Thanks!


Bind 9 is pretty good. I think you are talking about version 8 and 4. There
are many things to do to lock it down. Just do a search on BIND 9. I would
also optimize my server for network throughput. I have no idea what OS you
use. I use FreeBSD with Bind 9. I have not had any problems. I occasionally
get someone trying to probe the version. You can lock that down too.

-- Michael
 
 
Rick Moen
      12-10-2004, 01:48 AM
[Cross-post eliminated in follow-ups.]

In comp.os.linux.security /dev/null <(E-Mail Removed)> wrote:
> we're looking to have a cache & forward DNS server that will host all of our
> internal DNS and forward/cache any requests beyond what it serves up.


So, just to clarify, you need (1) caching forwarder nameservice, and (2)
authoritative nameservice. Those are logically separate needs, and some
would recommend running different best-of-breed daemons for each.

> Bind looks like it will do all we need, but we've heard a number of security
> concerns with bind.


As others have noted, take care not to confuse the security problems of
BIND4 / BIND8 with the entirely separate existence of BIND9, which was a
from-scratch rewrite to the protocol and configuration/zonefile specs.

> Any recommendations on something that can handle a large scale (1,000+ zone
> files) deployment that is also fairly secure?


Please have a look at my (I hope) complete list of DNS nameserver
options for Linux: "DNS Servers" on http://linuxmafia.com/kb/Network_Other .
Warning: You will very definitely need to run a pilot project prior to
full deployment. Please do not just trust my page's descriptions: I am
going in almost all cases by the contents of sundry descriptive Web
pages, which may be inaccurate or omit crucial data.

--
Cheers,
Rick Moen
(E-Mail Removed)

Chag orim same'ach. (Happy festival of lights.)

 
 
Stu
      12-13-2004, 06:37 AM
You could try using djbdns ( http://cr.yp.to/djbdns.html ). It was written
by D. J. Bernstein, who wrote qmail among other things, but he's really
into security. I think he's offering $500.00 US to the first person who
can find a security hole in it, the software's been around for almost 5
years and nobody's collected the reward yet...


Stu

/dev/null wrote:

> we're looking to have a cache & forward DNS server that will host all of
> our internal DNS and forward/cache any requests beyond what it serves up.
>
> Bind looks like it will do all we need, but we've heard a number of
> security concerns with bind.
>
> Any recommendations on something that can handle a large scale (1,000+
> zone files) deployment that is also fairly secure?
>
> Thanks!


 
 
Huge
      12-14-2004, 10:31 AM
Stu <(E-Mail Removed)> writes:
>You could try using djbdns ( http://cr.yp.to/djbdns.html ). It was written
>by D. J. Bernstein, who wrote qmail among other things, but he's really
>into security. I think he's offering $500.00 US to the first person who
>can find a security hole in it, the software's been around for almost 5
>years and nobody's collected the reward yet...
>
>
>Stu
>
>/dev/null wrote:
>
>> we're looking to have a cache & forward DNS server that will host all of
>> our internal DNS and forward/cache any requests beyond what it serves up.
>>
>> Bind looks like it will do all we need, but we've heard a number of
>> security concerns with bind.
>>
>> Any recommendations on something that can handle a large scale (1,000+
>> zone files) deployment that is also fairly secure?
>>
>> Thanks!


Providing you can tolerate the author's attitude, that is.


--
"The road to Paradise is through Intercourse."
[email me at huge [at] huge [dot] org [dot] uk]


 
 
Rick Moen
      12-14-2004, 05:21 PM
[Followups trimmed.]

In comp.os.linux.security Huge <(E-Mail Removed)> wrote:

[djbdns:]

> Providing you can tolerate the author's attitude, that is.


Not liking an author is a poor criterion for choosing software, in my
view. Not liking the proprietary djbdns package's design and
implementation, on the other hand, is a fine one.

http://linuxmafia.com/~rick/faq/inde...page=warez#djb

--
Cheers,
Rick Moen
(E-Mail Removed)

"By reading this sentence, you agree to be bound by the terms of the
Internet Protocol, version 4, or, at your option, any later version."
-- Seth David Schoen

 