DNS security improves as firms tool up to tackle spam

Domain name servers on the net are still often vulnerable to attacks despite some marked improvements, according to a new survey. Many organisations are making efforts to install the most recent versions of BIND and eliminate Microsoft DNS for external servers. But most still leave their systems open to denial of service and …

COMMENTS

This topic is closed for new posts.

Without ...

Without recursion, no one would be able to resolve anything.


Bind

Hint: use 'djbdns' instead of BIND. Dan Bernstein, its author, actually *guarantees* its security:

http://cr.yp.to/djbdns/guarantee.html

It can do everything BIND can do (except where BIND violates various RFCs, in which case Dan has maintained compliance).

I have personally compiled and run it on Solaris, Gentoo and FreeBSD. Currently we are running it in production on a second-hand Sun box running a port of FreeBSD.

Anonymous Coward

surprise surprise - 123reg offer recursive lookups

It should come as no surprise that ns.123-reg.co.uk. and ns2.123-reg.co.uk currently advertise that they will do recursive lookups. In practice they don't (at least not from my IP) which is probably more luck than planning. However even indicating that they'll do this will generate a bunch of such requests their servers could surely do without and may expose vulnerabilities.

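The poster's observation that the servers "advertise" recursion but do not actually perform it is a distinction you can make from the response header alone: the RA (Recursion Available) flag says what the server offers, while the RCODE and answer section say what it actually did for a name it is not authoritative for. The following is an added example, not code from the original page or from 123-reg: a minimal DNS query builder and header parser that classifies a response as an open resolver, a server that sets RA but refuses, or one with recursion disabled. The three sample responses are constructed inline so it runs offline; `query_server()` shows the same check against a live server, using the hypothetical transaction id 0x1234 and `www.example.com` as a name the target is assumed not to serve.

```python
"""Classify a DNS server's recursion behaviour from its response header.

Added example; the packets below are constructed, not captured.
"""
import socket
import struct
import sys

TXID = 0x1234  # fixed id for the constructed examples; randomise for real use


def build_query(qname: str, txid: int = TXID, rd: bool = True) -> bytes:
    """Build a minimal A/IN query. RD (0x0100) asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter here."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available (advertised)
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def classify(hdr: dict) -> str:
    """Interpret a response to an RD query for a name the server does not serve."""
    if not hdr["ra"]:
        return "recursion-disabled"
    if hdr["rcode"] == 5:
        # RA set, yet the query was refused: advertises recursion it won't do
        return "advertises-recursion-but-refuses"
    if hdr["rcode"] == 0 and hdr["ancount"] > 0 and not hdr["aa"]:
        # Non-authoritative answer returned to an outside client: open resolver
        return "open-resolver"
    return "ambiguous"


def build_response(txid: int, flags: int, question: bytes, rdata: bytes = None) -> bytes:
    """Construct a response packet for the examples (not captured traffic)."""
    ancount = 1 if rdata else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if rdata:
        # name = pointer to offset 12 (the question name), A, IN, TTL 60, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


QNAME = "www.example.com"
QUESTION = build_query(QNAME)[12:]
# Constructed samples: QR|RD|RA NOERROR with an answer; QR|RD|RA REFUSED; QR|RD REFUSED
SAMPLE_OPEN = build_response(TXID, 0x8180, QUESTION, bytes([93, 184, 216, 34]))
SAMPLE_RA_REFUSED = build_response(TXID, 0x8185, QUESTION)
SAMPLE_NO_RA = build_response(TXID, 0x8105, QUESTION)


def query_server(server: str, qname: str = QNAME, timeout: float = 2.0) -> str:
    """Live check: send one UDP query and classify the header that comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        resp, _ = sock.recvfrom(512)
    hdr = parse_header(resp)
    if hdr["id"] != TXID or not hdr["qr"]:
        raise ValueError("response does not match the query")
    return classify(hdr)


if __name__ == "__main__":
    for name, pkt in (("open", SAMPLE_OPEN), ("ra-refused", SAMPLE_RA_REFUSED), ("no-ra", SAMPLE_NO_RA)):
        print(name, classify(parse_header(pkt)))
    if len(sys.argv) > 1:
        print(sys.argv[1], query_server(sys.argv[1]))
```

Pick a query name the target is definitely not authoritative for; otherwise an AA answer with RA set tells you nothing about recursion. A server that sets RA but answers REFUSED is the case the poster describes, and the fix on the server side is to turn recursion off for outside clients rather than to rely on the refusal.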
Anonymous Coward

Well it is too complex and the tools aren't much better.

I've not touched DNSSEC for a while following a RIPE course where my overall impression of DNSSEC was unworkable and I haven't seen anything to make me jump into it since.

Regarding recursion, mapping networks and so on - doesn't DNSSEC have this as part of the proposal, i.e. chained records (next, previous etc.)?


Not true

Internal servers should be recursive, external should not be recursive. If it's the same DNS server then it should only recurse for internal networks.

That's how mine work and everything works just fine.

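The split the poster describes, one server that is authoritative for the world but recurses only for internal clients, is a few lines of BIND 9 configuration. This is an added example, not configuration from the page or from any poster; the address ranges and zone name are placeholders.

```conf
// Added example: one BIND 9 server, authoritative to everyone,
// recursive only for internal clients. Ranges below are placeholders.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    recursion yes;                    // the internal network still needs a resolver
    allow-recursion { internal; };    // weak form: allow-recursion { any; }; = open resolver
    allow-query-cache { internal; };  // cached answers must not leak to outside clients either
    allow-query { any; };             // authoritative data stays public
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

With `allow-recursion { any; }` the same server answers recursive queries from the whole internet, which is the open-resolver case the survey counts against. If the server is dual-homed you can go further with `view` blocks and give internal clients a recursive view and everyone else an authoritative-only one; the ACL approach above is the minimum. Check the result from outside with a query for a name you do not serve: a correctly configured server answers with RA clear or REFUSED rather than a non-authoritative answer.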

DNSSEC - done. now waiting

Heck, configured SPF a long time ago. Configured DNSSEC a long time ago; now just waiting for all those sites that I peer from to actually catch up.

The problem with both of these technologies is that there's no major change or improvement to the average end user... until probably the 95th percentile, at which point the last dregs of DNS-based scams and pharming will be done.

Oh, the servers are also doing 1/3 of their lookups using IPv6. Did this survey check IPv6?

*guarantees* security?

"Dan Bernstein, its author, actually *guarantees* its security:"

Then he doesn't know much about security, does he?

Slight error

"Should an organisation’s DNS systems fail, all internet functions including email, web access, e-commerce, and extranets become unavailable."

Not entirely accurate. Should DNS fail, only those transactions relying on domain names will fail. Most services can continue to work just as well with IPs instead.

It's certainly not the same as all internet functions becoming unavailable.

Anonymous Coward

It's a Bounty

Surely that's a bounty - not a guarantee?
