Submission: DNS All Over the Place
Juha Holkkola writes: "On November 15, SANS published the 2006 annual update of the Top-20 Internet Security Attack Targets (www.sans.org/top20/). Each year, some of the most security-conscious organizations all over the world help SANS in compiling this list based on severe vulnerabilities that have been discovered during the last 12 months or so. If any network service or product that has made this list has been more or less safe for more than 12 months, it gets dropped.
What strikes me the most with SANS's Top-20 is that DNS and BIND have made the list every single year since SANS started publishing it in 2000. That's every year for seven years now. And so, one would imagine that the networking community would finally like to do something to address the associated security problems, DNS being one of the most critical TCP/IP services and all.
As some information security experts have recently pointed out, network administrators often shy away from interfering with DNS, as that could potentially have dire implications for functioning networks. I guess what they mean by this is that, as DNS is one of the few applications that dates back to the pre-firewall era of the Internet, managing and securing DNS is like having a pet dinosaur. It's really not that cute and you'd really prefer not to touch it at all.
Pet talk aside, perhaps the time has come to take the bull by the horns? While DNS and plain BIND may be somewhat cumbersome to secure and to manage, there are also more advanced options out there that make protecting and managing DNS servers a walk in the park."