
Re: question about bind9 from a clueless paranoid



On Tue 05 Apr 2011 at 23:24:47 -0600, Paul E Condon wrote:

> On 20110404_190551, Brian wrote:
> > I came to the conclusion there was no risk to the server (unbound in my
> > case) as long as the server was not answering queries from outside my
> > network. Reassurance would be welcome but I'm pretty sure of that.
> > 
> > Part of my testing was done at
> > 
> > https://www.grc.com/dns/dns.htm
> 
> Thanks for this! But there is a lot to read (and hopefully understand)
> One specific question: what is meant by 'unbound' in this context?

Unbound is a DNS server; an alternative to BIND.
> > First with my ISP's servers in /etc/resolv.conf and then replacing them
> > with 127.0.0.1 and forwarding port 53 on the router to the machine
> > running unbound.
> And again here?

Forwarding on the router isn't necessary to test the effect the router
has on Source Port Randomness. Check /etc/bind/named.conf to ensure there
is no forwarding of DNS requests to another resolver. Edit resolv.conf to
use only 'nameserver 127.0.0.1'. Start BIND.

http://entropy.dns-oarc.net/test/

is quicker than grc.com to return a test result. You'll likely get a
rating of POOR but, assuming queries from the internet are not served,
your DNS cache cannot be poisoned because there is no access to it from
the outside.

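A local version of the check described in the reply above, added here as an example and not part of the thread: it reads outbound query lines as `tcpdump -n udp dst port 53` prints them on the WAN side of the router (the capture below is constructed), flags the sequential source ports or transaction IDs that a port-rewriting NAT router produces, and reports whether named.conf has a non-empty `forwarders` block. The tcpdump line layout and the POOR/FAIR/GOOD thresholds are assumptions of this example, not the dns-oarc scoring.

```python
import re

# Constructed sample of outbound DNS queries in tcpdump's text format (assumed layout).
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.5.41273 > 198.51.100.10.53: 5321+ A? example.org. (29)
12:00:01.050 IP 203.0.113.5.41274 > 198.51.100.11.53: 5322+ A? example.net. (29)
12:00:01.100 IP 203.0.113.5.41275 > 198.51.100.12.53: 5323+ A? example.com. (29)
12:00:01.150 IP 203.0.113.5.41276 > 198.51.100.13.53: 5324+ AAAA? example.org. (29)
"""

# src host.port > dst host.53: txid[+] ...
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

def extract_ports_and_ids(capture):
    """Return (source_ports, txids) of every UDP query to port 53 in the capture text."""
    ports, ids = [], []
    for m in QUERY_RE.finditer(capture):
        ports.append(int(m.group(1)))
        ids.append(int(m.group(2)))
    return ports, ids

def sequential_fraction(values):
    """Fraction of consecutive values that differ by exactly 1; a NAT that rewrites
    ports in order gives ~1.0, a randomizing resolver gives ~0.0."""
    if len(values) < 2:
        return 0.0
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def rate(values):
    """Crude rating (thresholds assumed): POOR if values repeat or walk sequentially,
    GOOD if they are spread across most of the ephemeral range, FAIR otherwise."""
    if len(set(values)) < len(values) or sequential_fraction(values) > 0.5:
        return "POOR"
    return "GOOD" if max(values) - min(values) > 10000 else "FAIR"

def named_conf_forwards(conf_text):
    """True if named.conf has a non-empty 'forwarders' block, i.e. BIND hands queries
    to another resolver and the test would measure that resolver, not this one."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", conf_text)
    return bool(m and m.group(1).strip(" ;\n\t"))

if __name__ == "__main__":
    ports, ids = extract_ports_and_ids(SAMPLE_CAPTURE)
    print("source ports:", rate(ports), "| transaction ids:", rate(ids))
```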
