[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: question about bind9 from a clueless paranoid

On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:

> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.  
> What has happened? Surely something has happened, but I find nothing.

The problem you might face will not lie with bind9 but with your router.
Source port randomization by the name server fixes cache poisoning
attacks on it. However, it is highly likely your router de-randomises
the queries due to NAT and PAT. Mine does and I do wonder whether any
more modern device intended for home use does any better. Data are not
readily available but it's not unlikely manufacturers see little to gain
by altering their firmware,

I came to the conclusion there was no risk to the server (unbound in my
case) as long as the server was not answering queries from outside my
network. Reassurance would be welcome but I'm pretty sure of that.

Part of my testing was done at


First with my ISP's servers in /etc/resolv.conf and then replacing them
with and forwarding port 53 on the router to the machine
running unbound.

Reply to: