
Re: Using BIND in a chroot enviro?



> forget it.
> 1. non-free

Certainly, that is something to consider, if your prejudice is that way
bent.  I tend to judge software more on its technical merit than on its
distribution policies.  At any rate, maradns is of similar design, and it
is DFSG compliant, if you want yet another alternative.

> 2. author writes like "alle shit then my"

Uh, sure.

> it can't resolve over TCP, which is needed if the payload breaks a specified
> length limit
> 
> also, bind9 can do this as well

You clearly don't understand what this person was asking for, or what
dnscache is capable of.  There seem to be a lot of people waving the 53/tcp
flag lately like it's some kind of huge bogon that you have to watch out for
when you're building your firewall rules.  I assure you, it's not; it's
really quite simple.  If, like the person who started the thread, you are
simply trying to utilize a local caching resolver to speed up your DNS
queries, you don't need to worry about port 53 on your external interface
AT ALL and you can completely firewall it off.  If your upstream ISP only
accepts queries from source port 53, they are stupid and you'd be best off
finding a better ISP, or just doing all the resolving yourself (probably
more secure that way anyhow, depending on how much you trust your upstream's
DNS cache configuration).

If, on the other hand, you are serving DNS records to the world at large,
you already know perfectly well whether you have records over 512 bytes that
will require TCP transport, or whether you need to allow zone transfers
to outside parties, so the question of whether you need to allow 53/tcp is
already decided; all you have to do is recognise that fact.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
							-John Logue
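The 512-byte rule the reply above relies on, as an added worked example that is not part of the original message and not code from BIND, dnscache or maradns. It builds the wire-format answer to an `A` query (RFC 1035 encoding, owner names as a compression pointer to the question) and decides whether that answer fits in a classic 512-byte UDP message; if it does not, the UDP reply carries only the whole RRs that fit and has the TC bit set, which is what makes the client retry over 53/tcp. The zone data (`www.example.com` with a block of 10.0.0.x addresses) is constructed for the example. It assumes plain DNS without EDNS0, which can raise the UDP limit above 512 bytes, and the returned TCP message omits the two-byte length prefix that actual TCP transport adds.

```python
"""Decide when a DNS answer needs 53/tcp: classic 512-byte UDP limit (RFC 1035).

Added example, not code from the original thread.  Assumes plain DNS without
EDNS0 and a single 'A IN' question; zone data below is constructed.
"""
import socket
import struct

UDP_MAX = 512        # RFC 1035 4.2.1: UDP messages are limited to 512 bytes
FLAG_TC = 0x0200     # truncation bit in the header flags word
HEADER_LEN = 12      # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_record(ipv4, ttl=300):
    """An A RR whose owner name is a pointer (0xC00C) to the question name at offset 12."""
    rdata = socket.inet_aton(ipv4)
    # NAME(ptr) TYPE=A(1) CLASS=IN(1) TTL RDLENGTH=4 RDATA
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, addrs, transport):
    """Answer 'qname A IN' with one A RR per address.

    transport == "tcp": the full message (no TCP length prefix included).
    transport == "udp": whole RRs are added while the message stays <= 512
    bytes; if any RR had to be dropped the TC bit is set so the client
    re-asks over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = [a_record(a) for a in addrs]
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    if transport == "tcp":
        return (struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
                + question + b"".join(rrs))
    body = question
    kept = 0
    for rr in rrs:
        if HEADER_LEN + len(body) + len(rr) > UDP_MAX:
            break
        body += rr
        kept += 1
    if kept < len(rrs):
        flags |= FLAG_TC
    return struct.pack("!HHHHHH", txid, flags, 1, kept, 0, 0) + body


def is_truncated(msg):
    """True if the TC bit is set in a wire-format DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg):
    """ANCOUNT from the header of a wire-format DNS message."""
    return struct.unpack("!H", msg[6:8])[0]


def needs_tcp(qname, addrs):
    """True when the complete answer cannot be carried in one 512-byte UDP message."""
    return len(build_response(0, qname, addrs, "tcp")) > UDP_MAX


if __name__ == "__main__":
    # Constructed zone data: 32 A records for one name, 16 bytes per RR on the wire.
    addrs = ["10.0.0.%d" % i for i in range(1, 33)]
    full = build_response(0x1234, "www.example.com", addrs, "tcp")
    udp = build_response(0x1234, "www.example.com", addrs, "udp")
    print("full answer: %d bytes, needs tcp: %s" % (len(full), needs_tcp("www.example.com", addrs)))
    print("udp reply: %d bytes, TC=%s, RRs carried=%d"
          % (len(udp), is_truncated(udp), answer_count(udp)))
```

With the constructed 32-address name the full answer is 545 bytes, so a UDP client gets a 497-byte reply carrying 29 of the 32 RRs with TC set and must reconnect over 53/tcp; drop the zone to 29 addresses and everything fits in UDP. A zone operator can run the same arithmetic over their own largest RRsets to settle the 53/tcp question the reply above says is "already decided".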


