Tip: Personal DNS server for Windows XP free !

Danny Mayer mayer at gis.net
Fri Jan 10 23:27:46 UTC 2003


At 10:41 AM 1/10/03, ObiWan wrote:

>Danny Mayer <mayer at gis.net> wrote in message 
>news:<aucvbq$afmt$1 at isrv4.isc.org>...
>
> > BIND-PE is the win32 port of BIND 9.2.1 with some changes. I've only
> > seen a few of the changes that they made so I can't tell if they are less
> > secure than BIND 9.2.1. The exception to this is that they are saving
> > cache to disk on shutdown and reloading it on startup. This makes them
> > more vulnerable to cache poisoning attacks and shouldn't be done as there
> > is no real performance advantage in keeping the cache for an individual
> > user. I don't think that they did anything to make it more secure.
>
>Hi Danny, the BIND-PE is not a simple "port" as you say,

My reference was to my work in porting to Win32. I don't know what
additional changes that you made since I haven't seen them.

>  many pieces
>of code were changed or even completely rewritten to take advantage
>of the win32 O/S functions,

Can you give an example?

>  regarding security in general we made
>some extensive tests (well some people did) using a whole bunch of
>DNS exploits against BIND-PE and till now it seems ok;

If you identified security problems and made fixes can you forward them?
Security fixes should be fed back into the BIND source pool for everyone's
benefit.

>  regarding the
>cache persistence, keep in mind that the program is mainly focused
>on Win32 desktop machines; such machines are frequently shut down or
>rebooted,

I can't imagine why. I keep my machines running for months at a time
without having to shutdown or reboot.

>  so keeping cache contents makes sense since many records
>(such as mail servers addresses, web sites addresses and so on) will
>be kept for a relatively long time (TTL *is* honoured) and this helps
>speeding up things a little;

It's hard to imagine how much you are going to speed things up; you
don't get enough traffic to make any noticeable difference.

Danny

>  regarding the usage of alt-roots, the
>choice was somewhat forced since ICANN does not allow zone transfers
>nor does it give a zone file, so if you want to set up a "local" root
>slave (unlinked one btw) the only solution is to use an alt-root zone;
>in any case such a config worked well enough till now and the internet
>doesn't seem to have been broken at all

I'm not sure how one is related to the other. The root zone is always
available and you can always set up your own local root.

Danny
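The cache-persistence point argued above, as an added illustration that is not part of this thread and not BIND or BIND-PE code: a toy resolver cache that honours TTL and can be written out and reloaded. With persistence, a short-TTL legitimate record expires during the downtime, but a long-TTL forged record (names and addresses constructed here) is still served after the restart, which is the poisoning risk Danny describes.

```python
import json
import time

# Constructed example, not BIND code: a minimal resolver cache that honours TTL
# and can be saved to disk and reloaded, to show what survives a restart.

class PersistentCache:
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # (name, rtype) -> (rdata, absolute expiry time)

    def put(self, name, rtype, rdata, ttl):
        self._entries[(name.lower(), rtype)] = (rdata, self._now() + ttl)

    def get(self, name, rtype):
        key = (name.lower(), rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        if expires_at <= self._now():  # TTL honoured: expired entries are dropped
            del self._entries[key]
            return None
        return rdata

    def dump(self):
        # Absolute expiry timestamps, so the TTL keeps running while the machine is off.
        return json.dumps([[n, t, r, e] for (n, t), (r, e) in self._entries.items()])

    @classmethod
    def load(cls, blob, now=time.time):
        cache = cls(now)
        for n, t, r, e in json.loads(blob):
            if e > now():  # entries that expired during the downtime are not restored
                cache._entries[(n, t)] = (r, e)
        return cache


def restart_scenario(persist):
    """Return what the cache still serves after an hour of downtime and a restart."""
    clock = [1_000_000.0]          # fake clock so the scenario is deterministic
    now = lambda: clock[0]
    cache = PersistentCache(now)
    cache.put("mail.example.net", "A", "192.0.2.10", ttl=300)          # legitimate, short TTL
    cache.put("www.example.net", "A", "198.51.100.99", ttl=7 * 86400)  # forged answer, week-long TTL (constructed)
    blob = cache.dump() if persist else None
    clock[0] += 3600               # machine is shut down for an hour
    cache = PersistentCache.load(blob, now) if persist else PersistentCache(now)
    return {"mail": cache.get("mail.example.net", "A"),
            "www": cache.get("www.example.net", "A")}
```

Without persistence both lookups miss after the restart and are re-resolved; with persistence only the forged long-TTL record comes back, so the saved cache buys nothing for the short-lived record and keeps the bad one alive.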


