On Tue, 2003-09-02 at 21:44, NfoCipher wrote:
> On Tue, 2003-09-02 at 20:18, Marc Adler wrote:
>
> > I will, but I don't understand why running your own name server is bad.
> > Could you explain that?
>
> It's not bad if you're behind a firewall of some sort. Mostly a matter
> of opinion. The only time you need to secure a DNS server is if your
> port 53 tcp is open to the world. So you're gonna have the crowd that
> will say, don't run it unless you just need to, and the other side that
> says, it's there, it's useful, why not use it.
Wrong. DNS uses 53/tcp for zone transfers, 53/udp for normal queries. Just because you filter against TCP doesn't mean a future remote exploit against the resolution libraries couldn't endanger your box.

Marc, you can choose to listen to NfoCipher if you want, but it's obvious he doesn't have a clue. I was (until recently transferring internally) the lead DNS Administrator at Digex, Inc., one of the largest managed webhosting companies in the U.S. I think I know a thing or two about DNS. You do NOT want to run it unless it's absolutely necessary. What NfoCipher is suggesting is analogous to beating a nail with a sledgehammer. You had a simple resolution issue with your ISP's nameserver. No more, no less.

> A personal caching DNS server is harmless, and it comes set up like that
> by default.

If he's providing resolution service for *only* his network, that's generally OK... if there is a real need. Let's be serious. One more exploitable or poorly administered DNS server is something the Internet just doesn't need.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
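A concrete form of the "resolution service for *only* his network" setup described above, as an added example that is not from the thread: a BIND `named.conf` options fragment that keeps the caching server off the public side on both 53/udp and 53/tcp and refuses zone transfers. The thread names no server software; BIND, the 192.168.1.0/24 LAN and the 192.168.1.1 interface address are assumptions.

```conf
// Added example (not from the thread). Assumes BIND 9 and a LAN of
// 192.168.1.0/24 where this host's inside interface is 192.168.1.1.
//
// Weak default to avoid: listen-on/allow-query left unrestricted, so the
// resolver answers on every interface, for 53/udp queries as well as
// 53/tcp, to anyone who can reach the box.
options {
    directory "/var/named";

    // Bind only loopback and the inside interface. This covers both
    // transports: filtering 53/tcp alone still leaves 53/udp reachable.
    listen-on    port 53 { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 port 53 { ::1; };

    // A caching server: recurse, but only for the local network.
    recursion yes;
    allow-query     { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };

    // Not authoritative for anything, so no zone transfers (53/tcp) at all.
    allow-transfer { none; };

    // Do not advertise the server version in CHAOS TXT replies.
    version "none";
};
```

Pair this with a host firewall that admits 53/udp and 53/tcp only from 127.0.0.1 and 192.168.1.0/24, so the resolver stays unreachable from outside even if the listen-on list is later widened by mistake.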