[SATLUG] open DNS Resolver
brad at shub-internet.org
Mon Apr 13 14:39:15 CDT 2009
on 4/13/09 2:13 PM, Bruce Dubbs said:
> The PDFs are missing and the PPTs don't seem to work for me in Open
Well, it was 2002, and I was already very experienced in this field by
that time -- I was a technical reviewer of the 2nd edition of DNS & BIND.
So, the tools I had available to me at the time have probably generated
files that are no longer readable by modern programs.
I'll see if I can find local copies of the PDFs that I can re-upload, or
find out where my provider may have moved things.
>> A quick search turned up more recent articles at
> BIND was fixed over two years ago to cover this relatively exotic
> vulnerability. Just using a recent version of BIND fixes it.
Go back and read that page again. This is the Kaminsky vulnerability.
This is the largest DNS vulnerability ever demonstrated on the Internet,
and is not limited to just BIND -- plenty of other programs are also
This page has numerous links to other documents, pages, and
vulnerabilities. Two documents of particular interest that it links to
are the CERT's own "Securing an Internet Name Server" (see
<http://www.cert.org/archive/pdf/dns.pdf>), and the NIST's Special
Publication 800-81 "Secure Domain Name System (DNS) Deployment Guide"
Do not casually dismiss this one with a wave of your hand.
> Discusses the issues of someone who *wants* to run a public caching DNS
> server. Applies mostly to ISPs.
Don't casually dismiss this one, either. They have lots of good links
to vulnerabilities listed at us-cert.gov, as well as other articles that
might be easier for less DNS-savvy people to understand.
Anyone who wants or needs to run a nameserver might benefit from reading
many of those articles.
<brad at shub-internet.org>
LinkedIn Profile:
If you like Jazz/R&B guitar, check out my friend bigsbytracks on YouTube at