
Re: question about bind9 from a clueless paranoid



On 20110406_121404, Brian wrote:
> On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:
> 
> > On 20110404_190551, Brian wrote:
> > > I came to the conclusion there was no risk to the server (unbound in my
> > > case) as long as the server was not answering queries from outside my
> > > network. Reassurance would be welcome but I'm pretty sure of that.
> > > 
> > > Part of my testing was done at
> > > 
> > > https://www.grc.com/dns/dns.htm
> > 
> > Thanks for this! But there is a lot to read (and hopefully understand)
> > One specific question: what is meant by 'unbound' in this context?
> 
> Unbound is a DNS server; an alternative to BIND.

OK, it's a pun ;-). Clueless I am.

>  
> > > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > > running unbound.
> > And again here?
> 
> Forwarding on the router isn't necessary to test the effect the router
> has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
> is no forwarding of DNS requests to another resolver. Edit resolv.conf to
> use only 'nameserver 127.0.0.1'. Start BIND.
> 
To do this usefully, I have to first figure out how to configure my newly
installed instance of BIND9. Correct? I don't think I'm there yet...

> http://entropy.dns-oarc.net/test/
This gave me a passing grade on the dns resolver run by my ISP. 
But there was one duplicate port number in the sample of 25 tries.
Maybe I should not worry, but I'm still curious about how the
system actually works.

Thanks for the pointer. Very fast.

>
> is quicker than grc.com to return a test result. You'll likely get a
> rating of POOR but, assuming queries from the internet are not served,
> your DNS cache cannot be poisoned because there is no access to it from
> the outside.

This contains information that's new to me. You seem to be saying
that my copy of BIND on my computer is building its own internal
cache. I don't see any reason why it couldn't contain a cache, but I
haven't read anywhere that it actually *does* have a cache
internally. Does it contain a cache?

Thanks.

-- 
Paul E Condon           
pecondon@mesanetworks.net
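The "one duplicate port in 25 tries" question above comes down to a birthday-bound calculation: how likely is a repeat when a resolver draws its UDP source ports uniformly from the whole ephemeral range, versus from a small fixed pool. The script below is an added example, not part of the original thread or of any resolver test site's code; the port sample is constructed (with exactly one deliberate duplicate) and the pool size of 64512 (ports above 1023) is an assumption about the resolver's configuration.

```python
import math
from collections import Counter

# Constructed sample of 25 UDP source ports, the kind of list a resolver
# entropy test (like the one linked in the thread) reports back. It is NOT
# captured data: it was built to contain exactly one repeat (41233), matching
# the "one duplicate in 25 tries" case discussed above.
SAMPLE_PORTS = [
    41233, 52871, 33019, 60412, 45987, 38844, 57120, 49366, 35501, 62098,
    41233, 54430, 36677, 58902, 47255, 39810, 61544, 43121, 50788, 34056,
    56234, 48810, 37322, 59675, 44099,
]

# Assumed size of the pool a well-configured resolver draws from:
# all ports above the privileged range (1024..65535).
EPHEMERAL_POOL = 65536 - 1024


def duplicate_count(ports):
    """Number of repeated values in the sample (a port seen k times counts k-1)."""
    return sum(c - 1 for c in Counter(ports).values())


def collision_probability(n, pool):
    """Exact birthday-bound probability that n uniform draws from `pool`
    distinct values contain at least one repeat."""
    p_no_repeat = 1.0
    for i in range(n):
        p_no_repeat *= (pool - i) / pool
    return 1.0 - p_no_repeat


def observed_range_bits(ports):
    """log2 of the span between the lowest and highest port seen: a crude
    upper bound on how many bits of port randomness the resolver can be
    using. A resolver stuck in a narrow range shows up as a small number."""
    span = max(ports) - min(ports) + 1
    return math.log2(span)


def assess(ports, pool=EPHEMERAL_POOL):
    """Summarise a port sample from a defender's point of view.

    Returns a dict with the duplicate count, how likely that many or more
    duplicates would be under uniform draws from `pool` (approximated by
    the at-least-one-repeat probability for the single-duplicate case), and a
    verdict. A single repeat in a small sample is weak evidence either way,
    so the verdict asks for a larger sample rather than declaring failure.
    """
    n = len(ports)
    dups = duplicate_count(ports)
    p_any_repeat = collision_probability(n, pool)
    bits = observed_range_bits(ports)

    if dups == 0:
        verdict = "no repeats; consistent with random source ports"
    elif dups == 1 and p_any_repeat < 0.05:
        verdict = ("one repeat; unlikely (<5%) under uniform ports but not "
                   "conclusive, retest with a larger sample")
    else:
        verdict = "multiple repeats; source ports look predictable or pool is small"

    return {
        "sample_size": n,
        "duplicates": dups,
        "p_any_repeat_if_uniform": p_any_repeat,
        "range_bits": bits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_PORTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    # For comparison: the same 25 draws from a pool of only 600 ports.
    print("p(repeat), pool=600:", round(collision_probability(25, 600), 3))
```

With the constructed sample the script reports one duplicate and an at-least-one-repeat probability of roughly 0.5% for 25 uniform draws from 64512 ports, so a single repeat is mildly surprising but far from proof of a problem; the same 25 draws from a 600-port pool would collide about 40% of the time, which is why a resolver with a small or sequential port pool fails these tests quickly.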

