Free Republic

Dan Kaminsky Reveals DNS Flaw At Black Hat (SYSADMINS/NETWORK ADMINS/NETWORKED COMPUTING ALERT)
Informationweek.com | 08/06/08 | Thomas Claburn

Posted on 08/07/2008 12:14:03 PM PDT by Freemeorkillme

To: dayglored
But hey... when a software programmer doesn't do bounds-checking on a stack-allocated buffer, they don't describe the flaw as a "failure to check bounds", they call it a "buffer overflow", even though it wasn't the buffer's fault.

Actually, I think there's something more insidious going on here.

BIND is written by ISC. ISC makes its livelihood off of consulting for BIND (and other ISC products).

It is not in ISC's interest to build software that is easy to understand. There's no use for BIND consultants if anyone can do it.

DNS isn't rocket science. All it does is take a request for a word and match it up with a number. ISC's implementation of DNS is far too complicated for what it does.

Complicated software (especially configuration) is the bane of security. Hard-to-configure software is hard to secure.

BIND does authoritative DNS, DNS caching, DNS zone transfer and encryption all in one huge binary. The config file is picky, picky, picky about syntax. An incorrect entry will either go ahead and load your data incorrectly or silently refuse to load at all.

I got bit by a BIND flaw back in 1999 at which time I did a lot of research into how such a seemingly simple service could be host to so many security flaws.

And the answer is simple. BIND is a bloated, buggy beast. It's the Windows of DNS software, that is, it's the best known and most used, but completely crap.

21 posted on 08/07/2008 2:08:09 PM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Knitebane
> Actually, I think there's something more insidious going on here. BIND is written by ISC. ISC makes its livelihood off of consulting for BIND (and other ISC products). It is not in ISC's interest to build software that is easy to understand. There's no use for BIND consultants if anyone can do it...

Yeah, I've said in the past that if BIND had been done as a piece of Congressional legislation, it would have been called:

The Software Consultants' Full Employment Act
No shite.
22 posted on 08/07/2008 2:44:22 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: dayglored
"Cool!! Just promise me you left out our favorite tech-troll, GE."

That was the first thing I did. I uploaded a host file to his computer, and have him pointed to the old site. Even better, every time he tries to go to microsoft.com, which is probably several times per hour, he's directed to a server that's loaded with popup ads and trojan droppers (his IE won't stand a chance). :p

23 posted on 08/07/2008 4:16:39 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Knitebane
I should have been more specific.

This is a DNS protocol flaw and spans BIND 8/9, MSDNS, Nominum. It doesn't affect DJBDNS, PowerDNS, and MaraDNS.

Now if someone thinks the following: “Our DNS servers don’t accept queries from the outside world. They must be safe!”
- Can someone ask them to do an nslookup www.doxpara.com, will they return 157.22.245.20?
- If so, don’t be so sure

The security track record remark I found interesting, as it brought back a recent “Banging spoon on highchair” incident of Linus’. Did you catch that a few weeks ago where he called *BSD devs “m*asterbating monkeys”? So much for the educated high-brow discussion of “when’s a security flaw a bug/code flaw” and “aren't all code flaws security holes?”, vice-versa, ad nauseam.

Don't want to start a whole DJBDNS v. BIND thing, but I'm with you on your ISC comment. You see ISC+not-for-profit mentioned in the same breath far too often. Configuring BIND is *not* for the faint of heart. Boy, can I attest to that.

24 posted on 08/07/2008 5:02:50 PM PDT by Freemeorkillme ("Aim small, miss small" -tinydns ;P)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Freemeorkillme
> Can someone ask them to do an nslookup www.doxpara.com, will they return 157.22.245.20?

Tsk tsk.

nslookup is deprecated. ;)

And "host" is different on nearly every flavor of Unix, if it's there at all. (Solaris 9, I'm looking at you.)

Fortunately there are djbdns client utilities too.

> Did you catch that a few weeks ago where he called *BSD devs “m*asterbating monkeys”? So much for the educated high-brow discussion of “when’s a security flaw a bug/code flaw” and “aren't all code flaws security holes?”, vice-versa, ad nauseam.

Yes. A tempest in a tea pot, to be sure.

Why do all the really gifted coders have to be so misanthropic? It's like they really don't want anyone else to use their stuff.

Bernstein is just as bad. His interpersonal relationship skills are right up there with DeRaadt and Torvalds. But he does write some righteous code.

> Don't want to start a whole DJBDNS v. BIND thing, but I'm with you on your ISC comment. You see ISC+not-for-profit mentioned in the same breath far too often. Configuring BIND is *not* for the faint of heart. Boy, can I attest to that.

Hey, I'm all for options. I'm not going to insist that djbdns is for everyone. People need to use stuff that they are happy with.

But they need to stop using stuff that's broken by design. You don't have to use djbdns, though if you do I'm one of the guys that can help you get it running. But for cryin out loud, use something other than BIND!

25 posted on 08/07/2008 6:55:23 PM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Knitebane

$500. That ought to bring out the best! Just kidding. I’ve heard about the qmail thing before.


26 posted on 08/08/2008 7:40:58 AM PDT by ChinaThreat (s)
[ Post Reply | Private Reply | To 15 | View Replies]

To: LonePalm; LambChop_NY
Self Ping for later.

Keep the Faith, my friends! We are the saviors of the Republic! Now and Forever!

LonePalm, the Broken Glass Republican

27 posted on 08/08/2008 7:54:56 AM PDT by LonePalm (Commander and Chef)
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
