DNS security improves as firms tool up to tackle spam

Domain name servers on the net are still often vulnerable to attacks despite some marked improvements, according to a new survey. Many organisations are making efforts to install the most recent versions of BIND and eliminate Microsoft DNS for external servers. But most still leave their systems open to denial of service and …

COMMENTS

This topic is closed for new posts.
  1. James Smith

    Without ...

    Without recursion, no one would be able to resolve anything.

  2. Anonymous Coward

    Bind

    Hint: use 'djbdns' instead of BIND. Dan Bernstein, its author, actually *guarantees* its security:

    http://cr.yp.to/djbdns/guarantee.html

    It can do everything BIND can do (except where BIND violates various RFCs, in which case Dan has maintained compliance).

    I have personally compiled and run it on Solaris, Gentoo and FreeBSD. Currently we are running it in production on a second-hand SUN Box running a port of FreeBSD.

  3. Anonymous Coward

    surprise surprise - 123reg offer recursive lookups

    It should come as no surprise that ns.123-reg.co.uk. and ns2.123-reg.co.uk currently advertise that they will do recursive lookups. In practice they don't (at least not from my IP) which is probably more luck than planning. However even indicating that they'll do this will generate a bunch of such requests their servers could surely do without and may expose vulnerabilities.
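The distinction the poster draws, between a server that advertises recursion and one that actually performs it, is visible in the DNS header: the RA flag says "recursion available", while whether a non-authoritative answer comes back shows what the server really did. The following is an added example, not code from the thread or from any of the providers mentioned: a minimal wire-format builder and header parser that classifies a response to a recursive query for a name the server is not authoritative for. The sample responses are constructed inline (with a documentation-range address), so it runs offline; an operator auditing their own external nameservers would send the query from build_query over UDP port 53 and feed the reply to classify_recursion.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available (what a server "advertises")
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.strip(".").split("."))
    return labels + b"\x00"


def build_query(txid, qname, qtype=1):
    """Build an A query with RD set, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, ra, aa=False, rcode=RCODE_NOERROR, answer_ip=None):
    """Construct a reply to `query` (constructed test fixture, not a real capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (FLAG_AA if aa else 0) | rcode
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # compression pointer to offset 12 (the question name), type A, class IN, TTL 300
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + body


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the audit needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_recursion(resp, expected_txid):
    """Classify a server's stance from its reply to a recursive query for a
    name it is NOT authoritative for.

    open-recursive          RA set and a non-authoritative answer was returned
    advertises-but-refuses  RA set, but no answer (e.g. REFUSED): the case in
                            the comment above
    authoritative-only      RA clear; the server does not offer recursion
    """
    h = parse_header(resp)
    if h["txid"] != expected_txid or not h["qr"]:
        return "invalid"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0 and not h["aa"]:
        return "open-recursive"
    if h["ra"]:
        return "advertises-but-refuses"
    return "authoritative-only"


if __name__ == "__main__":
    # Constructed sample exchange: 192.0.2.1 is a documentation address.
    q = build_query(0x1234, "example.com")
    for label, reply in [
        ("open resolver", build_response(q, ra=True, answer_ip="192.0.2.1")),
        ("advertises only", build_response(q, ra=True, rcode=RCODE_REFUSED)),
        ("authoritative only", build_response(q, ra=False, rcode=RCODE_REFUSED)),
    ]:
        print(f"{label:20s} -> {classify_recursion(reply, 0x1234)}")
```

A server that lands in the "advertises-but-refuses" bucket is the one the poster describes: it is not an open resolver, but every resolver that sees RA set will keep sending it recursive queries, so the fix is to clear the flag by turning recursion off (or scoping it to internal clients) rather than relying on refusals.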

  4. Anonymous Coward

    Well it is too complex and the tools aren't much better.

    I've not touched DNSSEC for a while following a RIPE course where my overall impression of DNSSEC was unworkable and I haven't seen anything to make me jump into it since.

    Regarding recursion, mapping networks and so on - doesn't DNSSEC have this as part of the proposal, i.e. chained records (next, previous etc.)?

  5. Anonymous Coward

    Not true

    Internal servers should be recursive, external should not be recursive. If it's the same DNS server then it should only recurse for internal networks.

    That's how mine work and everything works just fine.

  6. Anonymous Coward

    DNSSEC - done. now waiting

    heck, configured SPF a long time ago. configured DNSSEC a long time ago - now just waiting for all those sites that I peer from to actually catch up.

    the problem with both of these technologies is that there's no major change or improvement to the average end user...until probably the 95th percentile, at which point the last dregs of DNS-based scams and pharming will be done.

    oh. the servers are also doing 1/3 of their lookups using IPv6

    did this survey check IPv6?

  7. Chris Harden

    *guarantees* security?

    "Dan Bernstein, its author, actually *guarantees* its security:"

    Then he doesn't know much about security then, does he?

  8. system

    Slight error

    "Should an organisation’s DNS systems fail, all internet functions including email, web access, e-commerce, and extranets become unavailable."

    Not entirely accurate. Should DNS fail, only those transactions relying on domain names will fail. Most services can continue to work just as well with IPs instead.

    It's certainly not the same as all internet functions becoming unavailable.

  9. Anonymous Coward

    It's a Bounty

    Surely that's a bounty - not a guarantee?