Re: Multiple instances of BIND at startup

2008-05-23 Thread Steve Bertrand
Well, BIND is up to 28 published security advisories: http://www.isc.org/sw/bind/bind-security.php#matrix ...which not only have included cache poisoning (2003-0914), but many of them allowed for arbitrary code execution, often as root. Ok, then I'll ask the obvious... For those who are,

Re: Multiple instances of BIND at startup

2008-05-22 Thread Steve Bertrand
The match-destination inspects the DNS address used by the client to query to determine which view to use. Would this suit your purpose? Well, yes, it would suit the purpose, but my fear was exactly that of what Matthew states below about 'leaking'. I believe that the problem is this:

Re: Multiple instances of BIND at startup

2008-05-22 Thread Beat Siegenthaler
Steve Bertrand wrote: I believe that the problem is this: even if configured to be an authoritative server, BIND will respond to a query about zones outside what it has authoritative data for with data from its cache if that data is present. As there is only one cache per instance of BIND,

Re: Multiple instances of BIND at startup

2008-05-22 Thread Jonathan Chen
On Thu, May 22, 2008 at 08:13:03AM -0400, Steve Bertrand wrote: The match-destination inspects the DNS address used by the client to query to determine which view to use. Would this suit your purpose? Well, yes, it would suit the purpose, but my fear was exactly that of what Matthew

Re: Multiple instances of BIND at startup

2008-05-22 Thread Beat Siegenthaler
Jonathan Chen wrote: If this were true, the view feature would be broken. I've just tried this with a client-based ACL, and there doesn't appear to be any cache-leaking across views. Any counter-examples would be welcome. I did these tests too. No leaks found. ;; WARNING: recursion requested

Re: Multiple instances of BIND at startup

2008-05-22 Thread Chuck Swiger
On May 22, 2008, at 1:39 PM, Jonathan Chen wrote: [ ... ] If this were true, the view feature would be broken. I've just tried this with a client-based ACL, and there doesn't appear to be any cache-leaking across views. Any counter-examples would be welcome. Well, BIND is up to 28 published

Multiple instances of BIND at startup

2008-05-21 Thread Steve Bertrand
Hi everybody, I am attempting to configure a BIND 9 name server that will be authoritative for certain domains which will listen exclusively on IPv6. This same box will also be a caching server for a handful of networks (IPv6 and IPv4). The way I have it set up is that the authoritative

Re: Multiple instances of BIND at startup

2008-05-21 Thread Matthew Seaman
Steve Bertrand wrote: Hi everybody, I am attempting to configure a BIND 9 name server that will be authoritative for certain domains which will listen exclusively on IPv6. This same box will also be a caching server for a handful of networks (IPv6 and IPv4). The way I have it set up is

Re: Multiple instances of BIND at startup

2008-05-21 Thread Steve Bertrand
However, how can I make the FreeBSD (7.0) startup scripts load both instances of BIND, each with its own configuration? I did something very similar. Run one of the bind instances in a jail -- especially with a little firewall rdr rules and similar trickery to redirect traffic into the

Re: Multiple instances of BIND at startup

2008-05-21 Thread Jonathan Chen
On Wed, May 21, 2008 at 06:52:36PM -0400, Steve Bertrand wrote: Again, I'd rather do this without jails if possible, and at the same time, be able to use the built in FBSD startup scripts if possible. Can you not make use of BIND 9's view features? Possibly each view using a

Re: Multiple instances of BIND at startup

2008-05-21 Thread Steve Bertrand
Jonathan Chen wrote: On Wed, May 21, 2008 at 06:52:36PM -0400, Steve Bertrand wrote: Again, I'd rather do this without jails if possible, and at the same time, be able to use the built in FBSD startup scripts if possible. Can you not make use of BIND 9's view features? Possibly each view

Re: Multiple instances of BIND at startup

2008-05-21 Thread Jonathan Chen
On Wed, May 21, 2008 at 08:01:50PM -0400, Steve Bertrand wrote: Jonathan Chen wrote: On Wed, May 21, 2008 at 06:52:36PM -0400, Steve Bertrand wrote: Again, I'd rather do this without jails if possible, and at the same time, be able to use the built in FBSD startup scripts if possible.

Re: Multiple instances of BIND at startup

2008-05-21 Thread Steve Bertrand
Well, from what I read (I can't remember where), if I use views to do this with only a single instance running, the problem arises that even though the 'external' (requests for authoritative answers) clients can and will get responses from the caching side of the server if the result they are

Re: Multiple instances of BIND at startup

2008-05-21 Thread Jonathan Chen
On Wed, May 21, 2008 at 10:21:05PM -0400, Steve Bertrand wrote: [...] My authoritative name server (service, eventually cluster) will eventually house about 500 domains, which I want only recursive DNS servers that come from the root .tld down to see (no caching). The caching name server

Re: Multiple instances of BIND at startup

2008-05-21 Thread Matthew Seaman
Jonathan Chen wrote: On Wed, May 21, 2008 at 10:21:05PM -0400, Steve Bertrand wrote: [...] My authoritative name server (service, eventually cluster) will eventually house about 500 domains, which I want only recursive DNS servers that come from the root .tld down to see (no caching). The