Bind Software diversity

Simon Waters Simon at wretched.demon.co.uk
Tue Aug 5 13:07:47 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ladislav Vobr wrote:
> We have three public recursive servers serving large number of
> customers. I am purposely keeping software diversity among them. So I
> have one 8.3.4 and the other two 9.2.2.  I am even thinking of having
> different nameserver software to keep the code base diversity and make
> the system more resistant to different kinds of
> faults/errors/bugs/attacks. The factor of code diversity should be also
> considered, when recommending people to upgrade. Having all the
> nameservers the same, although latest release is not the best solution
> in my opinion.

First, what is the consequence of a failure? Since DoS against a name
server (unless protected by other means!) is relatively easy, if I
compromise one of your servers and DoS the others, I own all your
customers' DNS lookups, as the clients will retry against the compromised
server.

So in this sense diversity in your own servers may make you more
vulnerable to some types of malicious activity (targeted), whilst less
vulnerable to others (worms). It also makes management activity harder,
as you have three products to keep track of instead of one.

I've tended to the view that locally it makes sense to use the most
recent version of one name server that meets your requirements for most
people, but I guess it depends what sort of service levels you expect to
provide, and what resources you have to provide it with.

I'd probably prefer DJB's DNS caching product over BIND 8 if I went away
from BIND 9, 8 just had too many major security issues.

Either way, proper management is key, knowing if the server has
encountered problems as promptly as possible being a key part of it, along with
tracking software updates and security issues.

In my experience people issues are the biggest problem, and software
diversity makes it harder on the people. It might make sense to look for
diversity in hardware if it keeps the software looking less diverse, but
still kills most worms.

My ISP has a unicast (like?) routing strategy with fail over for DNS
servers, which has some effect on the types and consequences of attacks
possible, so don't look at DNS in isolation.

It's perfectly possible that running the latest version of the brand
leader is the best local strategy, even if it doesn't make any sense for
the Internet as a whole!
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/L6wgGFXfHI9FVgYRAokOAJ9YVOqfesPQTosnV+JVQGxJOFNTnACfST8q
N0PmNzX21KuFJia2srknvJU=
=T8RZ
-----END PGP SIGNATURE-----
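The two operational points in the reply above (clients fail over to whichever resolver still answers, and knowing promptly when a server has problems) suggest a simple defender's check: query the same name against every public resolver you run and compare the results. An added example, not code from the original thread, of that cross-check logic. The resolver addresses, the name and the answer tables are constructed sample data (RFC 5737 documentation ranges); the `query` callable is an assumed hook that in production would wrap a real DNS client pinned to one server, here replaced by a lookup in a table where a missing entry models a timeout.

```python
"""Cross-check a set of recursive resolvers for availability and consistent answers.

Added example (not part of the bind-users thread). Servers, name and answers below
are constructed; the query hook is an assumption standing in for a real DNS client.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed: three public recursive resolvers, as in the original poster's setup.
RESOLVERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
NAME = "www.example.net"

# Constructed answer tables: server -> name -> list of addresses.
# A server missing from the table (or a name missing for it) models a timeout.
HEALTHY = {
    "192.0.2.1": {NAME: ["203.0.113.10"]},
    "192.0.2.2": {NAME: ["203.0.113.10"]},
    "192.0.2.3": {NAME: ["203.0.113.10"]},
}
# Scenario from the reply: two resolvers are knocked out and the survivor
# hands out an answer nobody else can confirm.
ATTACKED = {
    "192.0.2.1": {NAME: ["198.51.100.99"]},
}
# One resolver disagrees with the other two (stale cache, poisoning, local change).
SPLIT = {
    "192.0.2.1": {NAME: ["203.0.113.10"]},
    "192.0.2.2": {NAME: ["203.0.113.10"]},
    "192.0.2.3": {NAME: ["198.51.100.99"]},
}

QueryFn = Callable[[str, str], Optional[List[str]]]


def table_query(table: Dict[str, Dict[str, List[str]]]) -> QueryFn:
    """Build a query hook that answers from a constructed table (None = timeout)."""
    def query(server: str, name: str) -> Optional[List[str]]:
        return table.get(server, {}).get(name)
    return query


@dataclass
class ResolverReport:
    down: List[str] = field(default_factory=list)          # no response at all
    divergent: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # off-consensus answers
    consensus: Optional[FrozenSet[str]] = None             # majority answer, if any
    insufficient: bool = False                             # too few responders to cross-check

    def alerts(self) -> List[str]:
        """Human-readable findings; an empty list means all resolvers agree and answer."""
        lines = [f"{s}: no response (timeout)" for s in self.down]
        if self.insufficient:
            lines.append("fewer than two resolvers answered; answers cannot be cross-checked")
        for server, answer in sorted(self.divergent.items()):
            lines.append(f"{server}: answer {sorted(answer)} differs from consensus")
        return lines


def check_resolvers(resolvers: List[str], name: str, query: QueryFn) -> ResolverReport:
    """Query every resolver for `name`; flag timeouts and answers outside the majority."""
    report = ResolverReport()
    answers: Dict[str, FrozenSet[str]] = {}
    for server in resolvers:
        result = query(server, name)
        if result is None:
            report.down.append(server)
        else:
            answers[server] = frozenset(result)   # order of records is irrelevant
    if len(answers) < 2:
        # A lone survivor cannot be verified against its peers.
        report.insufficient = True
        return report
    consensus, votes = Counter(answers.values()).most_common(1)[0]
    if votes * 2 > len(answers):                  # strict majority of responders
        report.consensus = consensus
        report.divergent = {s: a for s, a in answers.items() if a != consensus}
    else:
        report.divergent = dict(answers)          # no majority: everything is suspect
    return report


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("attacked", ATTACKED), ("split", SPLIT)):
        print(label, check_resolvers(RESOLVERS, NAME, table_query(table)).alerts() or ["ok"])
```

Run this periodically from a host outside the resolvers' own failover path; the `insufficient` flag is what fires in the scenario the reply describes, because a single answering server gives the check nothing to compare against, and that absence of a quorum is itself the signal to look at.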