Domain name servers on the net are still often vulnerable to attacks despite some marked improvements, according to a new survey. Many organisations are making efforts to install the most recent versions of BIND and eliminate Microsoft DNS for external servers. But most still leave their systems open to denial of service and …
Without recursion, no one would be able to resolve anything.
Hint: use 'djbdns' instead of BIND. Dan Bernstein, its author, actually *guarantees* its security:
It can do everything BIND can do (except where BIND violates various RFCs, in which case Dan has maintained compliance).
I have personally compiled and run it on Solaris, Gentoo and FreeBSD. Currently we are running it in production on a second-hand Sun box running a port of FreeBSD.
surprise surprise - 123reg offer recursive lookups
It should come as no surprise that ns.123-reg.co.uk. and ns2.123-reg.co.uk currently advertise that they will do recursive lookups. In practice they don't (at least not from my IP) which is probably more luck than planning. However even indicating that they'll do this will generate a bunch of such requests their servers could surely do without and may expose vulnerabilities.
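The distinction the comment draws, a server that sets the RA ("recursion available") flag versus one that actually resolves an off-zone name for you, can be checked from the DNS header alone. The following is an added example, not code from the original thread or from 123-reg: it builds a minimal RD=1 query, parses the reply header, and classifies the server as open, advertising-only, or closed. The three replies below are constructed in-line so it runs offline; `probe()` sends a real query over UDP if you point it at a server, and the target name `www.example.com` is a placeholder you should replace with a name the server is not authoritative for.

```python
"""Check whether a name server advertises or actually performs recursion.

Added example (not from the original thread). Sample replies are
constructed here so the module runs offline; probe() needs network access.
"""
import socket
import struct

# Header flag bits, second 16-bit word of the DNS header (RFC 1035 s4.1.1).
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (server claims it will recurse)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    labels = [l for l in qname.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, txid=0x1234, qtype=1):
    """One-question query with RD=1, asking the server to recurse for us."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields that matter for a recursion check."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify(reply):
    """Interpret a reply to an RD=1 query for a name OUTSIDE the server's zones."""
    h = parse_header(reply)
    if not h["qr"]:
        return "not a response"
    if h["ra"] and h["ancount"] > 0 and not h["aa"]:
        return "open resolver: RA set and answered an off-zone name"
    if h["ra"]:
        return "advertises recursion (RA set) but did not answer"
    return "closed: RA clear, recursion not offered"


def make_reply(query, flags, answer_ip=None):
    """Constructed server reply to `query`: same id and question, the given
    flags, and optionally one A record (name via compression pointer 0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, QR | RD | flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def probe(server, qname="www.example.com", timeout=3.0):
    """Send the query over UDP and classify the reply (network required)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(512)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(reply)


# Constructed replies modelling the three behaviours discussed above.
QUERY = build_query("www.example.com")
REPLY_OPEN = make_reply(QUERY, RA, "192.0.2.1")           # really recursed for us
REPLY_ADVERTISED = make_reply(QUERY, RA | RCODE_REFUSED)  # RA set, but refused
REPLY_CLOSED = make_reply(QUERY, RCODE_REFUSED)           # RA clear, refused

if __name__ == "__main__":
    for label, r in (("open", REPLY_OPEN), ("advertised", REPLY_ADVERTISED), ("closed", REPLY_CLOSED)):
        print(f"{label:10} -> {classify(r)}")
```

The "advertised but refused" case is the one the comment describes: the server tells every client it will recurse, so it attracts recursive queries (and whatever amplification or cache-related probing follows) without providing the service. Run `probe()` against an authoritative server from an outside address; a properly closed server should land in the third bucket.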
Well it is too complex and the tools aren't much better.
I've not touched DNSSEC for a while following a RIPE course where my overall impression was that DNSSEC was unworkable, and I haven't seen anything to make me jump into it since.
Regarding recursion, mapping networks and so on - doesn't DNSSEC have this as part of the proposal, i.e. chained records (next, previous etc.)?
Internal servers should be recursive, external should not be recursive. If it's the same DNS server then it should only recurse for internal networks.
That's how mine work and everything works just fine.
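For a single BIND 9 server serving both roles, the split the comment describes is an ACL on `allow-recursion`. The fragments below are an added example, not configuration from the thread or from any poster; the address ranges in the `internal` ACL are placeholders (RFC 1918 space plus loopback) to be replaced with your own networks. The first fragment is the weak setting, the second the corrected one; they are alternatives, not meant to appear in the same file.

```conf
// Weak: recursion is on for anyone who can reach port 53, so the server is
// an open resolver for the whole internet as well as an authoritative one.
options {
    recursion yes;
};

// Corrected: still answer authoritative queries from anyone, but only
// recurse for the internal networks. Clients outside the ACL asking for
// names the server is not authoritative for get REFUSED.
acl "internal" {
    127.0.0.0/8;      // placeholder: loopback
    10.0.0.0/8;       // placeholder: replace with your internal ranges
    192.168.0.0/16;   // placeholder
};

options {
    recursion yes;
    allow-query     { any; };          // authoritative data stays public
    allow-recursion { "internal"; };   // recursion only for the ACL
};
```

After reloading, verify from an external address with `dig @yourserver www.example.com` (any name you are not authoritative for): the expected result is status REFUSED, and in BIND 9 the `ra` flag should be absent from the header for clients outside the ACL, which is exactly what avoids the "advertises recursion but doesn't" situation. The same `dig` from an internal address should return the answer with `ra` set.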
DNSSEC - done. now waiting
Heck, configured SPF a long time ago. Configured DNSSEC a long time ago - now just waiting for all those sites that I peer from to actually catch up.
The problem with both of these technologies is that there's no major change or improvement to the average end user... until probably the 95th percentile, at which point the last dregs of DNS-based scams and pharming will be done.
Oh, the servers are also doing 1/3 of their lookups using IPv6.
Did this survey check IPv6?
"Dan Bernstein, its author, actually *guarantees* its security:"
Then he doesn't know much about security, does he?
"Should an organisation’s DNS systems fail, all internet functions including email, web access, e-commerce, and extranets become unavailable."
Not entirely accurate. Should DNS fail, only those transactions relying on domain names will fail. Most services can continue to work just as well with IPs instead.
It's certainly not the same as all internet functions becoming unavailable.
It's a Bounty
Surely that's a bounty - not a guarantee?