
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
168
Chapter 6
CHAPTER 6
SecuringDomain Name
Services (DNS)
One of the most fundamental and necessary Internet services is the Domain Name
Service (DNS). Without DNS, users and applications would need to call all Internet
hosts by their Internet Protocol (IP) addresses rather than human-language names
that are much easier to remember. Arguably, the Internet would have remained an
academic and military curiosity rather than an integral part of mainstream society
and culture without DNS. (Who besides a computer nerd would want to purchase
things from 208.42.42.101 rather than from www.llbean.com?)
Yet in the SANS Institute’s most recent version of their consensus document, “The
Twenty Most Critical Internet Security Vulnerabilities” (Version 4.0 October 8,
2003, http://www.sans.org/top20.htm), the number one category of Unix vulnerabili-
ties reported by survey participants was BIND weaknesses. The Berkeley Internet
Name Domain (BIND) is the open source software package that powers the majority
of Internet DNS servers. Again according to SANS, “an inordinate number” of BIND
installations are vulnerable to well-known (and in many cases, old) exploits.
That there are so many hosts with vulnerabilities in an essential service is bad news
indeed. The good news is that, armed with some simple