On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:

On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
As much as I love BIND (no, seriously, I do) it's very hard to recommend it as the first choice for a simple recursive resolver.

Setting up bind as a "simple recursive resolver" is simplicity itself.

Simplicity is generally a subjective, relative quality.

Start Unbound with literally no explicit configuration and you get a working, safe, reasonably-configured resolver for localhost: the simple sort of resolver that a plurality of freestanding mail servers should have, perfect as a fix for the mistake of using dnsmasq locally. It's very hard to typo a config that doesn't exist.

// address match list of the clients permitted to use this resolver
acl goodclients {
    1.2.3.0/24;
    4.5.6.0/24;
    127.0.0.1;
    etc....
};

options {
        ......

        // answer recursive queries, but only for the ACL above
        recursion yes;
        allow-query { goodclients; };

        etc...
};

That's more than most mail server resolvers need and the real devil is in what could be in those ellipses...

Almost every week on this list you can see examples of people who are nominally and operationally sysadmins who have followed poor config advice found in dubious corners of the net or even on stale pages of the SA wiki, and the same class of error is a big risk of using BIND because of its age and breadth of capability. On a more theoretical level, the fact that BIND is able to do virtually anything that anyone would ever want to do with a DNS server means that it has a broader potential attack surface in itself and is a richer prize if hijacked, either directly or as a consequence of a general system compromise.

In short: BIND offers more paths to more high-risk failure modes than Unbound, probably more than any other DNS server.

That's not a general indictment of BIND, which I use myself on many systems where it's needed or is a properly configured incumbent on a stable system.

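One way to check what is hiding in those ellipses, as an added example that is not part of the list thread and not BIND's own tooling: a small Python linter that parses a named.conf fragment and flags the open-resolver combination (recursion on, and the effective recursion ACL admitting any client). It mirrors the fallback chain the BIND ARM documents for the recursion ACL (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost), inspects only the global options block (views are ignored), handles ACL negation only approximately, and does not look at listen-on-v6. The function names and the three sample configs are the example's own; the configs are constructed, one modelled on the acl/allow-query fragment quoted above and one locked to localhost in the way an unconfigured Unbound is.

```python
"""Added example (not from the SpamAssassin list thread): flag the
open-resolver mistake that can hide in the "......" of a BIND options block.

Assumptions: only the global `options` block is inspected (no views), ACL
negation is handled only approximately, listen-on-v6 is not examined, and
the recursion ACL fallback follows the BIND ARM (allow-recursion ->
allow-query-cache -> allow-query -> localnets/localhost). Function names
and sample configs are this example's own, not BIND's.
"""
import re

# named.conf tokens: comments (dropped), quoted strings, braces/semicolons, bare words
_TOKEN_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};]+', re.S)

# Elements that admit every client when they appear un-negated in an address match list
_WORLD = {"any", "0.0.0.0/0", "0/0", "::/0"}


def tokenize(text):
    toks = []
    for m in _TOKEN_RE.finditer(text):
        t = m.group(0)
        if not t.startswith(("//", "#", "/*")):
            toks.append(t.strip('"'))
    return toks


def parse_block(toks, i):
    """Parse statements up to the matching '}'.
    Each statement is (keyword, args, nested_block_or_None)."""
    stmts = []
    while i < len(toks) and toks[i] != "}":
        kw, i = toks[i], i + 1
        args, block = [], None
        while i < len(toks) and toks[i] not in ("{", ";"):
            args.append(toks[i])
            i += 1
        if i < len(toks) and toks[i] == "{":
            block, i = parse_block(toks, i + 1)
            i += 1                      # step over the closing '}'
        if i < len(toks) and toks[i] == ";":
            i += 1                      # step over the statement terminator
        stmts.append((kw, args, block))
    return stmts, i


def address_list(block):
    """Flatten an address-match-list block into lowercase elements ('!10/8', 'any', 'goodclients')."""
    return ["".join([kw] + args).lower() for kw, args, _ in block]


def allows_world(elems, acls, seen=frozenset()):
    """True if the list admits arbitrary clients. Negated elements only narrow a
    list, so they are skipped; a named ACL is expanded recursively."""
    for e in elems:
        if e.startswith("!"):
            continue
        if e in _WORLD:
            return True
        if e in acls and e not in seen and allows_world(acls[e], acls, seen | {e}):
            return True
    return False


def lint(text):
    """Return (severity, message) findings for a named.conf fragment."""
    stmts, _ = parse_block(tokenize(text), 0)
    acls, opts = {}, {}
    for kw, args, block in stmts:
        if kw == "acl" and args and block is not None:
            acls[args[0].lower()] = address_list(block)
        elif kw == "options" and block is not None:
            for k, a, b in block:
                opts[k.lower()] = address_list(b) if b is not None else [x.lower() for x in a]

    findings = []
    if opts.get("recursion", ["yes"])[0] == "yes":            # BIND's default is recursion yes
        for key in ("allow-recursion", "allow-query-cache", "allow-query"):
            if key in opts:
                effective, source = opts[key], key
                break
        else:
            effective, source = ["localnets", "localhost"], "default"
        if allows_world(effective, acls):
            findings.append(("high", f"open resolver: recursion yes and {source} admits any client"))
    listen = opts.get("listen-on")
    if listen is None or allows_world(listen, acls):
        findings.append(("info", "listen-on is unrestricted; only the ACLs keep strangers out"))
    return findings


def is_open_resolver(text):
    return any(sev == "high" for sev, _ in lint(text))


# Constructed sample configs (not from the thread or from any real server).
OPEN_RESOLVER = """
options {
    recursion yes;
    allow-query { any; };   // the classic mistake hiding in the ellipses
};
"""

THREAD_STYLE = """
acl goodclients { 1.2.3.0/24; 4.5.6.0/24; 127.0.0.1; };
options {
    recursion yes;
    allow-query { goodclients; };   // allow-recursion falls back to this list
};
"""

LOCALHOST_ONLY = """
options {
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; };
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
    allow-transfer { none; };
};
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER), ("thread", THREAD_STYLE), ("localhost", LOCALHOST_ONLY)):
        print(name, lint(conf))
```

The thread-style fragment passes the open-resolver check because BIND derives allow-recursion from allow-query when nothing more specific is set, which is why that two-line options block works as Lindsay says; the linter still notes that it listens on every interface, so the ACL is the only barrier, whereas the localhost-only block produces no findings at all.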