Re: question about bind9 from a clueless paranoid
On 20110404_190551, Brian wrote:
> On Mon 04 Apr 2011 at 07:13:57 -0600, Paul E Condon wrote:
> > But I can't find any information more recent than 2008 by
> > googling. Surely there have been some more recent developments.
> > What has happened? Surely something has happened, but I find nothing.
> The problem you might face will not lie with bind9 but with your router.
> Source port randomization by the name server fixes cache poisoning
> attacks on it. However, it is highly likely your router de-randomises
> the queries due to NAT and PAT. Mine does and I do wonder whether any
> more modern device intended for home use does any better. Data are not
> readily available but it's not unlikely manufacturers see little to gain
> by altering their firmware.
> I came to the conclusion there was no risk to the server (unbound in my
> case) as long as the server was not answering queries from outside my
> network. Reassurance would be welcome but I'm pretty sure of that.
> Part of my testing was done at
Thanks for this! But there is a lot to read (and hopefully understand).
One specific question: what is meant by 'unbound' in this context?
> First with my ISP's servers in /etc/resolv.conf and then replacing them
> with 127.0.0.1 and forwarding port 53 on the router to the machine
> running unbound.
And again here?
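Brian's point above is that a resolver may pick random source ports for its outgoing queries, yet a home router doing NAT/PAT can rewrite them into a predictable sequence before they reach the Internet. The following is an added example, not code from the thread, that scores a list of source ports as observed on the WAN side of the router (e.g. from a packet capture there, or as reported by an external test service) and flags the de-randomisation Brian describes. The two port lists and the thresholds are constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample: source ports of 16 consecutive outbound DNS queries as
# they would be seen on the WAN side of the router. Not real captures.
RANDOMIZED_PORTS = [44123, 9187, 61022, 27790, 53411, 1880, 35267, 49902,
                    12588, 58031, 7321, 40455, 63110, 22847, 31974, 5502]
# What a simple PAT implementation tends to produce: one port after another.
SEQUENTIAL_PORTS = [1024 + i for i in range(16)]


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port differs by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return steps / (len(ports) - 1)


def port_span(ports):
    """Width of the port range actually used in the sample."""
    return max(ports) - min(ports)


def reused_ports(ports):
    """Ports that appear more than once in the sample."""
    return sorted(p for p, n in Counter(ports).items() if n > 1)


def assess(ports, min_span=16384, max_sequential=0.1):
    """Return (looks_randomized, reasons).

    The thresholds are this example's own assumptions: a randomising resolver
    spread over a 16-query sample should cover far more than 16384 ports and
    almost never hand out the next port in sequence.
    """
    reasons = []
    span = port_span(ports)
    if span < min_span:
        reasons.append(f"ports confined to a span of {span}")
    seq = sequential_fraction(ports)
    if seq > max_sequential:
        reasons.append(f"{seq:.0%} of queries use the next port in sequence")
    dup = reused_ports(ports)
    if dup:
        reasons.append(f"ports reused within the sample: {dup}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, sample in (("resolver directly", RANDOMIZED_PORTS),
                          ("behind sequential PAT", SEQUENTIAL_PORTS)):
        ok, why = assess(sample)
        print(f"{label}: {'randomized' if ok else 'NOT randomized'}",
              *why, sep="\n  ")
```

A sample taken on the LAN side (between the resolver and the router) will pass even when the WAN side fails; comparing the two captures is what shows whether the router, rather than bind9 or unbound, is the weak point.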