Uhhho, On Wednesday 10 April 2002 1:32 pm, Jon Still wrote:

> Try telling that to the ISC, Nominum, IANA or any of the other folks who run the root nameservers. From what I know from my source at ISC/Nominum, the root nameservers are BIND 9.
> They are also behind the highest security networks, routers and packet filters you will ever meet; they also run on some very, very juicy hardware :)
> I bet you're one of those weird people who runs djbdns, aren't you *duck* :)

Ouch! You just found my funnybone and hit it with a hammer :) I've been watching the DNS talks on here recently and managed to keep my mouth shut for the sake of sanity; I even tried to write something about it before and the power failed just as I was about to send it :)

Ohhh yes - djbdns all the way. I've had various run-ins with BIND. It crashed regularly, sucked lots of memory, and has more holes than anything I've ever known. It was also hacked and hacked to hell to fix all the bugs found, to the point that just fixing one bug would cause another one.

A few years back I knew and worked with a large hosting company, and one of the services they offered were RaQs (eww, yes) from Cobalt. They all came installed with BIND on their dodgy Redhat/Cobalt mess of Linux, and updated themselves daily from a central server, so software was always up to date. You can probably guess where this is leading - every single one of their boxes (about 3,000 of them) had been hacked by a script, the root password changed, and a back door installed. Yumm. ISC didn't even know about the vulnerability at this point. That's just one story I know of first hand; there are many, many more that are BIND related.

BIND is vulnerable to lots of things, even when it is secure; cache poisoning is a big one. bind9 users report it crashing on portscans, and writing over zone files. Based on BIND's exploit history, the chances of there being a remote root exploit in it within any one year is something silly like 500% ;)

How many lines of code are there in bind 9? How many are there in bind 8? How many are there in djbdns? How much memory does 12.5k records take up once loaded into memory with BIND and djbdns? djb also offers $500 to anyone who finds an exploit in djbdns, something which still has not been claimed a few years later. It's never had a security problem.

bind9, although it is a complete rewrite, still has lots of problems; it just isn't secure - look at the latest changelog for bind9's release history to see. From people I know and have worked with, I know it crashes just as much or in some cases more than bind8, it eats lots of memory and can't handle the huge load it's sometimes needed to handle. In a major percentage of DoS attacks I deal with, the unix boxes involved in the attack are running BIND. In nearly all of the rooted boxes I deal with for customers, it's because of a BIND vulnerability. Sad but true. In the eyes of any serious security manager or sysadmin I know, BIND is a real joke; it certainly is to me.

Yeah, djb is a tosser [1] and I really don't like what I know of him or the attitude he shows, but one good thing about him is the code he writes. It's some of the best around: certainly very secure, compact, and maintainable. The only other thing about djbdns is its license, which is a bit odd, though not a problem to anyone running it, just distributing it/changes.

I have had dnscache running for over a year now on some of our reverse servers (and that was only restarted because of a kernel upgrade). I have not had to touch it *once*, and they often handle over 400 lookups a second. It's still only using 2 MB RAM a year later. Can anyone claim that for BIND? One copy of tinydns I'm running is using under 2 MB of RAM for 11,543 records. It's also a lot faster/non-CPU-intensive than BIND - how many lookups per second can BIND handle, and how many secs CPU does it use for that?

In my eyes, anyone running BIND (or sendmail or wu-ftpd) should have their license to run anything on the internet revoked - not to mention you need three degrees in astrophysics to configure it :) *duck* :p

Hey - DNS-server wars I've known are almost as vicious as editor wars (*shouting out* LONG LIVE NANO!) :))

~ theo, the bind hater ;)

[1] - For some entertainment, take a look at the thread at: <http://www.monkey.org/openbsd/archive/ports/0108/msg00459.html>

--
Theo Zourzouvillys
Research and Development
Notnet Limited

If you learn one useless thing every day, in a single year you'll learn 365 useless things.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.