#1
"BIND is open source nameserver software and TZO does not use BIND. According to the SANS Institute, BIND is the number one security vulnerability on the Internet. We developed our own nameserver software so we could provide an added level of reliability for our TZO users. The TZO nameserver software is compliant with all appropriate specifications and RFCs."

"Second, and unlike most other DNS providers, we do not use BIND. BIND, the Berkeley Internet Name Domain system, was developed at University of California at Berkeley as a graduate student project. It's free and many other DNS service providers use BIND. According to the SANS Institute, BIND is the number one security vulnerability on the Internet."

"BIND has been repeatedly and successfully attacked by hackers over the last few years and Internews has frequently written about BIND attacks. The Computer Emergency Response Team Coordination Center has published 12 documents since 1997 detailing vulnerabilities in BIND, lending itself to the reputation of sometimes being called the Buggy Internet Name Daemon. In addition to the hacker attacks, a study by Keynote estimates that nearly 2% of DNS queries are dropped due to BIND."

Quote for TZO.com

Thought it was interesting, wonder how true it is.
#2
|
||||
|
||||
|
It's all quite true in a slightly biased way. For sure many BIND exploits have been found over the years. Now consider why. What DNS server are hackers trying hardest to find exploits in? BIND of course, 'cause it's the most popular. Also, it makes sense that if you develop your own piece of software that it is more *secure*. Why? 'Cause even if it does have exploits, nobody knows about them, and nobody cares since so few people use that software. Also, it's possible that the DNS server you developed is more simple. Doesn't have nearly as many features which makes it easier to keep secure.
Also, in the case of BIND, security is kind of a moot point. You can configure BIND to run within a chroot jail where it has no real permissions. Even if somebody were to exploit it, there's nothing they can do if you keep a tight system and don't give named access to write to anything but log files. Also, there are no known exploits that I know of for the last few versions of BIND. If one was found, then you upgrade to the fixed version. There's a reason why BIND is the most popular DNS server. It does a better job of following, and a more complete job of following, the RFC standards which attempt to make all DNS server software interoperable. So based on MY perhaps biased view, if security is what you're worried about, BIND is still ok. There are no known exploits and a smart system administrator has nothing to fear from BIND exploits anyway.
__________________
Send me a private message if you would like me to set up your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/set up fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links: Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
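
The chroot-and-permissions point in the post above, as an added example that is not part of the original thread: a Python audit that walks a jail directory and lists every path an account could write outside the log directory, judged by mode bits only. The `var/log` location, the demo tree and all function names are assumptions made for illustration.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Classic Unix check from mode bits only (POSIX ACLs are not consulted)."""
    if uid == 0:
        return True  # root ignores mode bits, so named must not run as root
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_outside(jail, uid, gids, allowed=("var/log",)):
    """List jail-relative paths the account can write outside `allowed` subtrees."""
    findings = []
    for root, _dirs, files in os.walk(jail):
        for path in [root] + [os.path.join(root, f) for f in files]:
            rel = os.path.relpath(path, jail)
            if any(rel == a or rel.startswith(a + "/") for a in allowed):
                continue  # the log area is the one place writes are expected
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if can_write(st, uid, gids):
                findings.append(rel)
    return sorted(findings)

def build_demo_jail():
    """Constructed sample tree; var/run is left world-writable on purpose."""
    jail = tempfile.mkdtemp()
    dirs = {"etc": 0o755, "var": 0o755, "var/log": 0o777, "var/run": 0o777}
    files = {"etc/named.conf": 0o644, "var/log/named.log": 0o666}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(jail, rel))
        os.chmod(os.path.join(jail, rel), mode)
    for rel, mode in files.items():
        open(os.path.join(jail, rel), "w").close()
        os.chmod(os.path.join(jail, rel), mode)
    os.chmod(jail, 0o755)
    return jail

if __name__ == "__main__":
    jail = build_demo_jail()
    named_uid = os.lstat(jail).st_uid + 1  # stand-in uid: not the file owner
    print(writable_outside(jail, named_uid, set()))  # mode bits for "other" apply
```

On a real host the uid and group set would come from `pwd.getpwnam` and `os.getgrouplist` for the account the daemon runs as; an empty result means the only writable area is the log directory.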
#3
|
||||
|
||||
|
There are other reasons as to why you may want to kick BIND out the window. Read the following link about djbdns:
http://lwn.net/2001/features/djbdns.php3
It's very objective - not biased at all. I also read about features I never knew djbdns had. Even though it still doesn't have features that BIND does (including some features I require for my business) it has the important ones and now I think tinydns isn't so bad. dnscache however has long been what I consider to be a superior alternative to BIND in the caching server area. Especially due to performance under seriously high load. The guy remarked about a mailing list scenario. Well, some guy hired me to create a resolver for his web crawler 'cause BIND was choking on huge amounts of memory for cached information. So I know first hand the problems BIND may have in such scenarios. I've also always liked the idea of separate binaries taking on separate roles. djbdns is the second most popular DNS server out there.

Last edited by SilentRage : April 1st, 2004 at 07:04 AM.
Viewing: Dev Shed Forums > System Administration > DNS > Bind Security