
Re: question about bind9 from a clueless paranoid



On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:

> But I can't find any information more recent than 2008 by
> googling. Surely there have been some more recent developments.  
> What has happened? Surely something has happened, but I find nothing.

The problem you might face will not lie with bind9 but with your router.
Source port randomization by the name server fixes cache poisoning
attacks on it. However, it is highly likely your router de-randomises
the queries due to NAT and PAT. Mine does and I do wonder whether any
more modern device intended for home use does any better. Data are not
readily available but it's not unlikely manufacturers see little to gain
by altering their firmware.

I came to the conclusion there was no risk to the server (unbound in my
case) as long as the server was not answering queries from outside my
network. Reassurance would be welcome but I'm pretty sure of that.

Part of my testing was done at

https://www.grc.com/dns/dns.htm

First with my ISP's servers in /etc/resolv.conf and then replacing them
with 127.0.0.1 and forwarding port 53 on the router to the machine
running unbound.
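One way to turn the test described above into a repeatable check, as an added example that is not part of the thread: capture the (source port, transaction ID) pairs of outgoing queries on the WAN side of the router and score how random the port column looks. The sample observations are constructed, not a real capture.

```python
"""Offline check of whether outbound DNS query source ports look randomised
once they have passed through the router's NAT/PAT. The observations are
constructed samples, not captured traffic."""
import math
from collections import Counter

def shannon_bits(values):
    """Entropy in bits of the observed value distribution."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

def looks_sequential(ports):
    """True when most consecutive observations differ by exactly 1,
    the signature of a NAT that hands out ports from a counter."""
    if len(ports) < 2:
        return False
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) >= 0.8 * len(steps)

def assess_source_ports(observations, min_unique_ratio=0.9):
    """Score the port column of (port, txid) observations.

    A randomising resolver behind a transparent NAT shows nearly all-distinct
    ports spread over the ephemeral range; a de-randomising NAT/PAT shows a
    narrow or counting sequence, which is what an off-path poisoner needs."""
    ports = [p for p, _ in observations]
    unique = len(set(ports))
    report = {
        "samples": len(ports),
        "unique_ports": unique,
        "port_range": (min(ports), max(ports)),
        "entropy_bits": round(shannon_bits(ports), 2),
        "sequential": looks_sequential(ports),
    }
    derandomised = report["sequential"] or unique < min_unique_ratio * len(ports)
    report["verdict"] = "de-randomised by NAT/PAT" if derandomised else "randomised"
    return report

# Constructed samples: a healthy resolver as seen from outside, and a PAT
# that rewrites every query to the next port from a counter.
RANDOMISED = [(p, t) for p, t in zip(
    [51234, 23917, 60122, 34901, 45012, 58831, 29944, 40375, 62001, 37718],
    range(0x1000, 0x100a))]
DERANDOMISED = [(1024 + i, 0x2000 + i * 37) for i in range(10)]

if __name__ == "__main__":
    for name, obs in (("randomised", RANDOMISED), ("de-randomised", DERANDOMISED)):
        print(name, assess_source_ports(obs))
```

The same scoring applies to the transaction ID column, which the GRC test also reports; a resolver that randomises both leaves an off-path attacker roughly 32 bits to guess instead of 16.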

