Re: Dynamic DNS services and other DNS contortions

In article <iCy*7sYDr@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Theo Markettos <theom+news@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Nick Leverton <nick@xxxxxxxxxxxx> wrote:
This is just a quick thought based on your comment about already running
BIND yourself. Not really researched in depth - in particular I'm not
sure if BIND is secure enough to run DDNS over the internet, even though
it does have cryptographic keys for authorisation and has been rewritten
at least once in recent years. You could get round that with a tunnel
of some sort but then it's more complicated.

Interesting. What are the vulnerabilities? You mean that some keep being
found in BIND? Any other secure non-noddy DNS servers out there? I'm not
terribly wedded to BIND, it's just what I had to hand.

I should say at the outset I'm not a BIND expert (except for DDNS, I
otherwise use the controversial djbdns), but there's a handy reference of
BIND vulns here: http://www.isc.org/index.pl?/sw/bind/bind-security.php

As you see it includes some from BIND 9 as well as the old, weak BIND 8
and earlier. I'd welcome more info from a real live user though as to
whether the BIND 9 ones are actual exploitable vulns or whether they're
the sort of thing that depends on already 0wning root. Probably worth
reading anyway just to confirm your version has the fixes.

Nick
--
http://www.leverton.org/ ... So express yourself
.