On Thu, 01 Feb 2001, Darren Coleman wrote:
> We've all managed to survive using BIND for the past x years - I don't see
> what has radically changed overnight. It's taken as given nowadays that
> large, complex systems/software contain bugs, exploits, overflows.. etc etc.
> The fact that "the majority" (I would hazard 90%+) of the DNS servers on the
> Internet are using BIND, and there has been few *serious* incidents
> (considering how much exposure the software gets, the considerable variances
> in load it is placed under (ie. ISC's own rootserver serving over 272
> million queries per day (by ISC's own estimations)), etc) goes to show that
> as software goes, BIND is pretty solid.
>
I guess you've never been rooted through bind then.
I've lost count of the number of incidents I've dealt with on my own and my
customer's boxes that involved named exploits as the initial entry vector.
Chrooted, etc... doesn't matter, still massively insecure... they've all had
serious holes, and widely distributed and used exploits. I put named right up
with httpd, ftpd, and rpc as one of the most exploited services.... hardly
something to call solid.
As far as the ISC's long-term security track record... I've also dealt with
some security incidents involving their DHCP software too. :-)
2-3 years ago, I had one box in my own office right next to my desk that was
rooted three times over the space of 6 months through bind - with different
exploits each time. Maybe I have a different definition of serious than you
do.... Wasn't named how one 17 year old kid from one of the nordic
European countries took over 17,000+ (!) computers a while back? That sounds
serious enough to me.
Not only is it NOT solid according to past record.... configuring it is arcane
and the majority of installs I encounter are broken in one fashion or another.
bind = malware by design apparently.
I differ with your opinion on bind security, and the fact that 90% of the
internet runs the same named software sounds like a problem to me. As I said...
monoculture. A single point of failure waiting to happen. What happens to 90%
of the net when the next bind9.x worm caries "rm -rf /" set up to execuite at a
certain time as its payload?
As a response to Mr. Vixie: Yes, bind9.1, the proprietary, commercial, closed
source software version of named by the ISC, with its planned, for-pay,
inner-circle, CVS servers is a cleaner bit of software(or at least it looks
like it from a quick browse through the code). And as a ground up rewrite, we'll
see the security track record of this fresh code soon enough... :-P But I
still think there should be a widely used alternative, and that the ISC is
making a grave error by closing the sources/CVS and limiting the distribution
of security information via non-disclosure agreements for something that many
don't have any choice but to use....
For the record, I use djb-dns on production systems because I've spent too much
time reinstalling systems rooted because of bind. I make no warranties
that it is more secure than bind, but it does have the advantange of
simply being different. And there is no cabal hoarding security info for
it. Djb-dns is mostly good stuff (other than some magic numbers and sparsely
commented code), however the license that prevents the distribution of patches,
modifications, or derivatives by anyone except DJB is a problem with its
inclusion in a distribution. I'm told that several people have tried to get
Mr. Bernstein to soften his stance on this but he remains adamant.
I'm also told the OpenBIND domain was registered yesterday... :-) They can count
on me as a developer and future user, whomever the members of that group turn
out to be, if Mr. Vixie presses on with his "bind-members" idea in light of
all the negative sentiments it has stirred up....
>From all the sympathetic mail comments I have received as a result of this
discussion I know I'm not alone in holding these opinions. The ratio of
people I've heard from that seem to be in agreement vs. dissenting seems
to be roughly 10:1 to me. Hardly a scientific poll, but to me that says that the
ISC is going against the wishes of its user base on the internet with these
plans, driven by their commercial desires to increase their development dollar
coffers. Maybe in the end it will all be for the better, as they alienate
enough of their user base to drive them to develop another alternative, and in a
fashion, the problem will be fixed.
cheers,
--dr
--
Dragos Ruiu <[EMAIL PROTECTED]> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C. ------------^
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS,
Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle,
RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD,
K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake,
Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconaissance,
Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo,
Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics,
Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized
SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux
