FreeBSD 7.1 and BIND exploit
Doug Barton
dougb at FreeBSD.org
Tue Jul 22 16:37:17 UTC 2008
Clifton Royston wrote:
> I also think that modular design of security-sensitive tools is the
> way to go, with his DNS tools as with Postfix.
Dan didn't write postfix, he wrote qmail.
If you're interested in a resolver-only solution (and that is not a
bad way to go) then you should evaluate dns/unbound. It is a
lightweight resolver-only server that has a good security model and
already implements query port randomization. It also has the advantage
of being maintained, and compliant to 21st Century DNS standards
including DNSSEC (which, btw, is the real solution to the response
forgery problem, it just can't be deployed universally before 8/5).
hth,
Doug
--
This .signature sanitized for your protection
More information about the freebsd-stable
mailing list