
bind: mine or my ISP's? (was: what's internet-zahav and NV's nameservers?)

On Fri, 15 Jan 1999, shaul wrote:

> An alternative to using /etc/resolv.conf is installing and configuring
> bind, isn't it ?

yes, it's an option, but.... (see below) btw, you always use
/etc/resolv.conf - it tells your programs which name server to use,
whether it is running on your local machine, or on a remote system.

> Can someone compare these 2 options ?

actually, 3 options:

1. edit your '/etc/resolv.conf' and write in the address of one (or more)
   nameserver of your ISP.

   advantage: as frodo said, more secure (running bind makes your machine
              vulnerable to its security holes). fewer memory resources
              taken on your machine.
   disadvantage: each and every network access made by a client on your
                 machine will result in two network accesses - one to the
                 ISP's nameserver, and one to the remote system.

2. install bind in a full version, and edit your '/etc/resolv.conf' file,
    adding '127.0.0.1' (your local host's address) there.

  advantage: every address you access a second time will result in only one
             network connection, as your local name server will store its
             address in cache after the first time it resolved it.
  disadvantages: security risk (a-la frodo's remarks). taking up more
             memory resources on your local PC. initial name lookups
             are slower than in the first case, since the whole lookup
             needs to be directly between your system and the remote
             nameservers (and one lookup usually requires at least 2
             network accesses - one to one of the 'root' name servers,
             to find the name server of the requested domain. the
             other to that name server, to find the address of the
             requested machine.).
             also, this is more complex to set up than option 1.

3. install bind in a 'forwarding caching-only' configuration, and edit
   your '/etc/resolv.conf' file to point to your local host as the name
   server (as in option 2). a forwarding name server is told to send all
   the DNS requests to a given name server, while caching the results
   received from this server.

   advantages: lookup times (first lookup, as well as a repeated lookup)
               faster than the two other options.

   disadvantages: takes more memory resources
                  than option number 1, but not a very large amount,
                  assuming you reboot your system sometimes...
                  harder to configure than option 1. again, the same
                  security problem frodo mentioned.

now, my personal opinion: try out option number 3, with a version of bind
that is not yet known to be vulnerable. when i used it (before the last
time i re-installed the system and got too lazy to install it again), it
made network surfing slightly faster. this is a subjective feeling, as i
never tried to properly measure the time difference.

on the other hand, if you get all messed up with setting bind up, or if
you don't follow the proper security mailing lists, it's better to stick
to option number 1.

guy
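Editor's note: the following is an added example of what option 3 (a forwarding caching-only bind) looks like on disk; it is not part of guy's message. It assumes a named.conf-style configuration (BIND 8.2 or later, also accepted by BIND 9), two hypothetical ISP resolvers at 192.0.2.53 and 192.0.2.54, and a root hints file named "named.root" in /var/named. The listen-on / allow-query / allow-recursion lines are the mitigation for the security concern raised in the thread: the daemon answers only the local machine, so none of its query-handling code is reachable from the network.

```conf
// /etc/named.conf  -- forwarding caching-only resolver (option 3).
// Example configuration, not from the original post. Addresses are
// hypothetical placeholders; replace them with your ISP's nameservers.
options {
    directory "/var/named";

    // Send every query we cannot answer from cache to the ISP's
    // resolvers, which already hold a warm cache of popular names.
    // "forward only" means we never fall back to the root servers
    // ourselves; use "forward first" if you want that fallback.
    forward only;
    forwarders {
        192.0.2.53;     // hypothetical ISP resolver #1
        192.0.2.54;     // hypothetical ISP resolver #2
    };

    // Hardening: bind only to loopback and refuse everyone else.
    // Nothing on the network can talk to named at all, which removes
    // the exposure to remote bind bugs that the thread warns about.
    listen-on       { 127.0.0.1; };
    allow-query     { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};

// Root hints are still required so named can start; with "forward only"
// they are not actually used for lookups.
zone "." {
    type hint;
    file "named.root";
};

// Reverse zone for localhost so 127.0.0.1 resolves without leaving the box.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
```

Pair it with an /etc/resolv.conf containing just `nameserver 127.0.0.1`, so every client on the machine asks the local cache first. Keep the ISP's addresses in the forwarders list only, not in resolv.conf, otherwise the resolver library will bypass the cache whenever the local daemon is slow to answer. Also start named as an unprivileged user (`named -u named -g named` on BIND 8.1.2+/BIND 9) so that a compromise of the daemon does not hand out root; with a second bind that is a big part of staying on the right side of "a version that is not yet known to be vulnerable".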