On DNS Security Re: [azipa] DNS flaw discovered

J.L.Francois jlf@magusnet.gilbert.az.us
Mon, 29 Jan 2001 15:02:07 -0700



It seems like on Mon, Jan 29, 2001 at 01:14:10PM -0700, Ed Bensinger scribbled:
Orig Msg> http://www.msnbc.com/news/523231.asp?0na=21233717
Orig Msg> 

This is why organizations need to use the right server platforms
as needed and avoid the one size fits all mentality that keeps
getting them into trouble.

It is not about UNIX vs. Linux vs. Windows vs. OS/2 vs. whatever.
This is about using the right tool for the job as needed.

Locking yourself into one platform can sometimes limit your choices.
Having a limited number of choices almost forces your deployment plans
to be dictated by your vendor or available software.

Heterogeneous systems may be more work to administer, but the flexibility
can be a real cost/security/time saver in the long run for the total
health and viability of your business.
Do you really want all of your systems to have the exact same 
vulnerabilities exposed at once?
Do you really believe that your Internal FileServer should be configured 
like your MailServer, WebServer, Database Server?
Are they all on the same system inside your organization because you 
are trying to save some money on licenses?
Being cheap^H^H^H^H^Hthrifty can get really expensive when things 
go wrong.

In short: 
How much is being down or getting cracked really going to cost you?
If Microsoft were running AIX, Linux, *BSD, or Solaris along with 
Windows, would that flexibility have helped them out?
( Hint: Think Hotmail )

Getting back to doing DNS.

In my case I use Dan Bernstein's DNS:
http://www.djbdns.org
on all my machines with no ill effects to date.
I keep one BIND 4.9.7 system on the side running in a chroot jail
as a "just in case" fallback server.
All access to all nameservers is via proxy for IDS checking.

I tried DENTS:
http://www.dents.org
but it didn't compile cleanly on the multiple platforms I use,
i.e. Linux/OpenBSD on Intel/Sparc. YMMV.

Jean Francois - JLF Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
MagusNet, Inc. - Design * Develop * Integrate
Internet / Intranet Deployment, SQL Database Access for WWW,
Secure Offsite Data Storage, Disaster Recovery Planning and Management,
UNIX System Security, CGI & SQL programming, UNIX Training, Linux/BSD support,
Proxy/Filtering Firewalls, & UNIX System Administration.