
Re: A rookie question on BIND &/| name servers



On Thu, Mar 01, 2001 at 05:58:43AM -0800, J.C. Roberts wrote:
> On Thu, 01 Mar 2001 13:50:36 +0100, you wrote:
> >I don't quite trust his [Dan Bernstein's]
> >software for a number of reasons, YMMV. 

Speculation. Show us a single bug.

> >BIND has had its share of 
> >security problems, but as long as you keep up to date on any patches for 
> >the version you run and monitor your machine for any sign of problems, I 
> >feel you should be OK.

And with djbdns you don't need to update every few weeks and can sleep very
well. There are still lots of bugs in BIND that were never fixed; just try to
resolve www.monty.de through BIND 8.2.x - you can't. dnscache resolves it just fine.

> I've been doing some reading on "djbdns" and "dnscache" by Dan
> Bernstein (qmail) and you're not the first person to mention not
> trusting his code... -Is there some piece of bugtraq history that I
> haven't been able to find?

There is no bugtraq history for any Bernstein software worth mentioning.
There is a qmail DoS legend on misconfigured systems. It does NOT affect
properly configured systems. There is no bugtraq message regarding djbdns.
There is no reason not to trust Dan's code. He offers a $500 award for the
first person finding a security bug in qmail or djbdns. qmail has been out since
1998 and there is still no known security bug. djbdns has been out since 2000 and
there is no security bug.
Read Dan's code. If you can read C you will be impressed.

> I was thinking about the dnscache but after reading the following...
> 
> http://cr.yp.to/djbdns/dnscache.html
> -----------------------------------------------------------------------
> dnscache uses a fixed-size table, under 256K, to keep track of as many
> as 200 simultaneous UDP queries and 20 simultaneous TCP connections.
> It also dynamically allocates memory, usually just a few bytes but
> occasionally much more, for each active query. If it runs out of
> memory handling a query, it discards that query.
> -----------------------------------------------------------------------
> 
> I started having second thoughts. When a web browser loads a page with
> a lot of images, it spawns a lot of connections. I'm not sure if all
> of these connections need to be resolved by DNS but they might be. 

They don't need to be normally.

> I
> don't know whether or not the DNS resolution is being done via udp or
> tcp but with just a hand full of users, saturating the larger 200
> simultaneous connections on dnscache seems fairly probable.

The 200 simultaneous query limit is a resource limit to prevent dnscache
from eating up all your machine's CPU time, network connections and so on.
There are also hard memory limits. There are no limits in BIND; BIND will
happily eat up all your memory under DoS.
You can run a few thousand very busy workstations behind a single dnscache
before reaching the 200 query limit. If the query limit should ever be reached
(very uncommon) the oldest outstanding query will be dropped because it is
most likely unresolvable.
The 200 query limit and the memory limits are good things (tm) to prevent
resource exhaustion attacks against your machine. BIND does not protect you
against this. And all limits are configurable.

> The people putting together OpenBSD put BIND 4.x in there for a reason
> and they obviously know a vast amount more than I do. Since I'm not
> going to be serving names publicly, I'd guess BIND security is less of
> an issue because I can (should be able to :) block outside access to
> it with IP Filter.

That's not the issue. BIND has some stupid credibility rules causing BIND
not to use up-to-date glue records sometimes, is slow at resolving, hits the
root servers more often than dnscache and is simply badly coded. The OpenBSD
version of BIND4 is IMHO the best available BIND version, but dnscache is
the better resolver in most cases.

> I'm going to find and read the HOW-To you mentioned and ponder the
> decision until I learn more about both of them.

Don't forget
http://cr.yp.to/djbdns/ad/unbind.html
http://cr.yp.to/djbdns/notes.html
http://cr.yp.to/djbdns/forgery.html
http://www.lifewithdjbdns.org/

The reason for BIND being part of OpenBSD is historic. All the BSDs use some
software to which better alternatives exist; the most popular example is
sendmail.

Greetings

Henning

-- 
Henning Brauer     | BS Web Services
Hostmaster BSWS    | Roedingsmarkt 14
hostmaster_(_at_)_bsws_(_dot_)_de | 20459 Hamburg
http://www.bsws.de | Germany
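The fixed-size outstanding-query table with drop-oldest eviction that the reply above describes is modelled here as added example code; it is not dnscache's own source. The 200-slot default comes from the post, everything else (class and function names, the constructed query flood) is an assumption of this model.

```python
# Simplified model of a bounded in-flight query table that discards the
# oldest outstanding query when full, so memory stays constant under a
# query flood.  Added example, not dnscache's code; all names are assumed.
from collections import OrderedDict


class PendingTable:
    """Bounded table of in-flight queries keyed by query id."""

    def __init__(self, capacity=200):
        self.capacity = capacity
        self._pending = OrderedDict()   # qid -> (name, arrival time), oldest first
        self.dropped = []               # (qid, name) evicted while still unresolved

    def add(self, qid, name, now):
        """Register a new query.  Returns the evicted (qid, name) tuple if the
        table was full and the oldest entry had to be discarded, else None."""
        if qid in self._pending:
            return None                 # duplicate, keep the existing slot
        evicted = None
        if len(self._pending) >= self.capacity:
            old_qid, (old_name, _) = self._pending.popitem(last=False)
            evicted = (old_qid, old_name)
            self.dropped.append(evicted)
        self._pending[qid] = (name, now)
        return evicted

    def resolve(self, qid):
        """An answer arrived: free the slot.  Returns False if it was already dropped."""
        return self._pending.pop(qid, None) is not None

    def pending_ids(self):
        return list(self._pending)

    def __len__(self):
        return len(self._pending)


def simulate_flood(capacity=200, flood_size=5000):
    """Constructed worst case: flood_size queries arrive and no answer ever
    comes back.  Returns (entries still held, entries dropped) afterwards;
    the first value never exceeds capacity regardless of flood_size."""
    table = PendingTable(capacity)
    for i in range(flood_size):
        table.add(i, f"host{i}.example", now=i)
    return len(table), len(table.dropped)


if __name__ == "__main__":
    print(simulate_flood())   # (200, 4800)
```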
