Re: bind: mine or my ISP's? (was: what's internet-zahav and NV'snameservers?)

On Sun, 17 Jan 1999, guy keren wrote:

> actually, 3 options:
> 
> 1. edit your '/etc/resolv.conf' and write in the address of one (or more)
>    nameserver of your ISP.
> 
>    advantage: as frodo said, more secure (running bind makes your machine
>               vulnerable to its security holes). less memory resources
>               taken on your machine.
>    disadvantage: each and every network access made by a client on your
>                  machine will result in two network accesses - one to the
>                  ISP's nameserver, and one to the remote system.

BIND 8 is pretty secure, and you can disable its listening on undesired
ports (i.e. answering only for localhost for instance). I was just at a
good security lecture 2 weeks ago (given by Jim Dennis, Answer Guy on the
Linux Gazette) and he claims that dialups are definitely BEING scanned by
hackers, and are hacked into, and he says it really is worth your while to
take 15 minutes to set up some firewalling rules. I'd simply block port
53/tcp for incoming connections and forget about over half your worries,
then I think there is a way to nicely block DNS responses from servers you
have not queried, etc.

> 2. install bind in a full version, and edit your '/etc/resolv.conf' file,
>     adding '127.0.0.1' (your local host's address) there.
> 
>   disadvantages: security risk (a-la frodo's remarks). taking up more
>              memory resources on your local PC. initial name lookups
>              are slower than in the first case, since the whole lookup

The difference in first lookup time is under 1ms, I wouldn't even give it a
thought, and as for memory... I have a busy server here, main DNS of the
intranet, and it's only 1.3 megs in memory. That's a good sacrifice for a
faster name resolution on dialups, especially with 32 megs and up of
system memory, and then it would probably take less memory too (how much
does it take on YOUR machine?)

-- 
Ira Abramov ;  whois:IA58  ;  www.scso.com ;  all around Linux enthusiast 
`When you say "I wrote a program that crashed Windows", people just stare
at you blankly and say  "Hey, I got those with the system,  *for free*".'
                                                         (Linus Torvalds)
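The "block DNS responses from servers you have not queried" idea from the reply above, as an added example that is not part of the original thread: a small user-space model of the stateful check a firewall performs, accepting a udp/53 reply only when it comes from the configured resolver and its transaction ID and question match a query this host actually sent. The resolver address and the packets are constructed for the demo.

```python
import struct

RESOLVER = "10.0.0.53"   # assumed ISP nameserver from /etc/resolv.conf (constructed)

def encode_name(name):
    """Encode 'www.example.com' as DNS wire-format labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(pkt, off=12):
    """Decode the (uncompressed) question name starting at offset off."""
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)

def build_packet(txid, name, response=False):
    """Constructed sample packet: 12-byte header plus one A/IN question."""
    flags = 0x8180 if response else 0x0100       # QR bit set on responses
    hdr = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1)

class ResponseFilter:
    """Track outstanding queries; accept only matching replies from RESOLVER."""
    def __init__(self, resolver=RESOLVER):
        self.resolver = resolver
        self.pending = {}                         # txid -> queried name

    def sent_query(self, pkt):
        """Record a query this host sent (called on the outbound path)."""
        txid = struct.unpack("!H", pkt[:2])[0]
        self.pending[txid] = decode_name(pkt)

    def accept(self, src_ip, pkt):
        """Return True only for a reply that matches an outstanding query."""
        txid, flags = struct.unpack("!HH", pkt[:4])
        if src_ip != self.resolver:               # server we never asked
            return False
        if not flags & 0x8000:                    # QR clear: a query, not a reply
            return False
        if self.pending.get(txid) != decode_name(pkt):
            return False                          # unknown ID or question mismatch
        del self.pending[txid]                    # one reply per query
        return True
```

A kernel packet filter does the same bookkeeping in its UDP connection tracking; the point of the model is which fields the check has to compare before a reply is trusted.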