Bind in FreeBSD, security advisories

Mark Felder feld at FreeBSD.org
Tue Jul 30 12:57:43 UTC 2013


On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
> 
> There are plenty of situations in which a remote recursive resolver is
> untrustworthy.  (Some would say any situation.)  It doesn't have to be
> BIND, but people do legitimately want the normal DNS diagnostic
> utilities, which sadly have been tied together with BIND for some
> years now.  (I don't know why anyone would ever use nslookup(1), but
> host(1) and dig(1) are pretty much essential.)
> 

If you're that paranoid about a remote resolver, you'd have to be
paranoid about someone doing a MITM on your DNS lookups altogether,
since even having your own local recursor can't protect you from that as
99% of the web doesn't use DNSSEC. This will quickly turn into a
security yak-shaving contest, but I completely understand your
viewpoint.

I'd vote for keeping the bind utilities in base; I use them every day.
The ones provided with unbound work well, but finger memory...
