Separation of authoritative and recursive functions

Kevin Darcy kcd at daimlerchrysler.com
Thu Jul 7 21:28:15 UTC 2005


Brad Knowles wrote:

>At 9:08 PM -0400 2005-07-05, Kevin Darcy wrote:
>
>> As for the relative merits of separating the functions by view,
>> listen-address or physical server(s) (irrespective of the
>> one-program-or-two issue), opinions differ widely on that, and each
>> admin/architect needs to decide for himself/herself, based on their
>> specific security/availability/performance requirements,
>> fiscal/facility/address-space constraints, support infrastructure, etc.
>
> One advantage to using separate machines, or at least separate 
>instances of BIND, is that if there is a leak inside the code, you 
>could potentially wind up with a situation where one view is somehow 
>poisoned by data from another view.  Separate instances of BIND or 
>separate machines will guarantee that doesn't happen.
>
With all due respect, that's kind of a FUD argument, isn't it? I mean, 
has there ever been a serious "view leakage" problem with BIND 9? If 
there was, I certainly don't remember it. Sounds like you're describing 
a purely theoretical possibility.

In any case, if "view leakage" is the specific vulnerability to be 
protected against, one can always go the "middle road" and run separate 
nameserver instances on separate interfaces of the same box(es). That's 
still less drastic than devoting different boxes or sets of boxes to the 
different functions.

Let's not forget that installing, configuring and maintaining separate 
boxes brings with it its own set of security challenges: that's more 
boxes to keep patched up to date, more boxes to write firewall rules 
for, more complexity on one's network, etc. Simply put: more chances to 
screw something up and create a vulnerability. Aren't most 
vulnerabilities caused by misconfigurations as opposed to bad code?

I still say there is no one simple answer that works for all 
organizations. There are a number of factors that need to be considered 
and traded off from one another. In our case, for instance, we have 
multiple levels of security, so even in the worst case if someone were 
to break into one of our Internet-facing nameservers, they still 
wouldn't be able to access any of our internal DNS information. Sure, 
they'd be able to DoS us, vandalize/corrupt our zone data, give false 
answers to our lookups, etc., which is certainly bad, but at least our 
internal data is hidden from their sight, so that's one less thing we 
need to protect against, except in the general ways that we protect 
against *all* forms of unauthorized access to our resources. Given this, 
I have no problem running authoritative-nameserver and 
iterative-resolver functions as separate views within the same 
nameserver instances on those boxes.

- Kevin
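For readers who want to see what the two arrangements discussed in this thread look like in BIND 9 configuration, here is an added example (editor's illustration, not Kevin's or Brad's configuration). It shows first the single-instance, two-view layout Kevin describes at the end, and then the "middle road" of two separate named instances bound to separate interfaces of the same box. All addresses, ACL names, zone names and file paths are constructed for the example: 192.0.2.0/24 stands in for the internal client range, 192.0.2.53 and 198.51.100.53 for the internal and Internet-facing addresses, and example.com for the zone served on both sides.

```conf
// ---- Arrangement 1: one named instance, authoritative and recursive
// ---- functions split by view (constructed example, not from the thread)

acl "internal-clients" { 192.0.2.0/24; 127.0.0.0/8; };

options {
    directory "/var/named";
    // Bind both addresses in one instance; views decide what each one does.
    listen-on { 192.0.2.53; 198.51.100.53; };
};

// Internal view: answers only internal clients arriving on the internal
// address, and is the only place recursion is switched on.
view "internal" {
    match-clients      { internal-clients; };
    match-destinations { 192.0.2.53; };
    recursion       yes;
    allow-recursion { internal-clients; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};

// External view: everything else. Recursion is off, so a query arriving on
// the Internet-facing address can only get authoritative data for our zones.
view "external" {
    match-clients      { any; };
    match-destinations { 198.51.100.53; };
    recursion no;
    zone "example.com" { type master; file "external/example.com.db"; };
};

// ---- Arrangement 2 ("middle road"): two named instances on the same host,
// ---- each bound to its own interface, so neither process holds both the
// ---- cache and the other side's zone data.

// ---- /etc/named-auth.conf (constructed) ----
options {
    directory "/var/named/auth";
    pid-file  "/var/run/named-auth.pid";
    listen-on { 198.51.100.53; };
    recursion no;
};
zone "example.com" { type master; file "external/example.com.db"; };

// ---- /etc/named-rec.conf (constructed) ----
acl "internal-clients" { 192.0.2.0/24; 127.0.0.0/8; };
options {
    directory "/var/named/rec";
    pid-file  "/var/run/named-rec.pid";
    listen-on { 192.0.2.53; };
    recursion       yes;
    allow-recursion { internal-clients; };
};
zone "example.com" { type master; file "internal/example.com.db"; };
```

For arrangement 2 the two processes are started with distinct configuration files, e.g. `named -c /etc/named-auth.conf` and `named -c /etc/named-rec.conf`; the separate `pid-file` and `listen-on` values are what keep them from colliding on the same host. Either way, `named-checkconf` on each file catches syntax mistakes before reload, and the check worth running afterwards is a recursive query from outside (for instance `dig @198.51.100.53 www.example.org`) to confirm that the Internet-facing side does not set the `ra` flag and refuses to recurse, while the same query against 192.0.2.53 from an internal address succeeds. Note that the per-view `match-destinations` in arrangement 1 is what makes the view split track the listen address; with `match-clients` alone, a spoofed internal source address could reach the recursive view through the external interface.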
