[Book/Manual] Getting Started with Ubuntu 10.04
Christopher Chan
christopher.chan at bradbury.edu.hk
Fri Jun 4 08:17:53 UTC 2010
>> I don't know about you, but whatever version of djbdns opendns.com is
>> running, it might be wacky. There should be settings for pppd to get
>> the DNS server the ISP provides instead of resorting to an open DNS
>> caching server. If you are going to use an open DNS caching server,
>> might as well use Google's.
>>
>> I'd trust Google's more than that OpenDNS outfit.
>>
> Agreed within limits. :-)
Judge for yourself. Anybody can get a secure caching DNS server by
running djbdns.

But then you have this:
http://www.your.org/djbdns/
claiming that djbdns is not safe. However, the guys involved seem to
have forgotten this:
http://www.kb.cert.org/vuls/id/800113

Dan Kaminsky, who is involved in both of the above, is a friend of the CEO
and Founder of OpenDNS:
http://blog.opendns.com/2008/07/08/opendns-keeping-you-safe/

Why pay for OpenDNS services if you can get djbdns for free? That
probably led to the creation of that http://www.your.org/djbdns/ page,
where they exaggerate how vulnerable djbdns is to poisoning/DNS forgery.

The truth is, all DNS caches are vulnerable, which is why DJB provides no
security guarantee for DNS forgery
(http://cr.yp.to/djbdns/guarantee.html), due to the way the DNS protocol was
designed. Which is why today there is all this hoo-ha about
DNSSEC/DNSCurve to secure things somewhat. The degree of vulnerability,
however, is very different for various implementations, and as you can
see from the US-CERT page, djbdns pretty much had the best mechanisms in
place to minimize getting poisoned. But there is not much that can be
done against an attacker on the local LAN. Which is how these guys can
get away with claiming that djbdns can be poisoned in a very short
amount of time. The same can be said of any other implementation out there.

All that looks like an attempt to smear djbdns for their own profit.
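The message above argues that every DNS cache can be forged blind, that the degree of exposure differs by implementation (source-port randomization being the mechanism VU#800113 recommends and djbdns already had), and that an attacker on the local LAN defeats all of it. The following is an added example, not code from the thread, from djbdns or from OpenDNS: a toy model of the off-path forgery race that puts numbers on those three points. It assumes a 16-bit transaction ID, an ephemeral source-port range of 1024 to 65535 (an assumption, chosen for illustration), that the attacker's guesses are distinct and uniform, and that the attacker can trigger a fresh query window at will (Kaminsky-style queries for random names, so no TTL wait). It is a probability model, not a measurement of any real resolver.

```python
import random

TXID_SPACE = 1 << 16                   # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65535      # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW + 1  # 64512 possible source ports


def guess_space(randomize_port: bool) -> int:
    """Distinct (txid, port) pairs a blind attacker must cover.

    With a fixed source port only the 16-bit txid is unknown; with a
    randomized port the attacker must also guess the port.
    """
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def forgery_probability(guesses_per_window: int, randomize_port: bool,
                        on_path: bool = False) -> float:
    """Chance that a burst of distinct forged replies sent inside one query
    window (from the cache emitting its query until the real answer lands)
    is accepted.

    on_path=True models the attacker on the local LAN that the thread
    mentions: it sniffs the query, so txid and port are known and the
    forgery is never blind.
    """
    if on_path:
        return 1.0
    space = guess_space(randomize_port)
    return min(guesses_per_window, space) / space


def expected_windows(guesses_per_window: int, randomize_port: bool) -> float:
    """Expected number of query windows until the first forgery is accepted,
    assuming the attacker can trigger a fresh window at will (Kaminsky-style
    queries for random names, so no TTL wait between attempts)."""
    return 1.0 / forgery_probability(guesses_per_window, randomize_port)


def simulate_race(guesses_per_window: int, randomize_port: bool,
                  seed: int = 1, max_windows: int = 100_000) -> int:
    """Monte Carlo version of the race.

    Each window the cache picks its txid (and port, if randomized); the
    attacker sprays guesses_per_window distinct guesses drawn uniformly
    from the guess space. Returns the 1-based window in which a forged
    reply first matched, or 0 if none matched within max_windows.
    """
    rng = random.Random(seed)
    space = guess_space(randomize_port)
    n = min(guesses_per_window, space)
    for window in range(1, max_windows + 1):
        txid = rng.randrange(TXID_SPACE)
        if randomize_port:
            port = rng.randrange(PORT_LOW, PORT_HIGH + 1)
            target = txid * PORT_SPACE + (port - PORT_LOW)
        else:
            target = txid  # fixed, predictable source port: only txid matters
        if target in rng.sample(range(space), n):
            return window
    return 0


if __name__ == "__main__":
    for burst in (100, 1000, 10000):
        print(f"{burst:>6} forged replies/window: "
              f"fixed port ~{expected_windows(burst, False):>12,.0f} windows, "
              f"random port ~{expected_windows(burst, True):>15,.0f} windows")
    print("on-path (local LAN) attacker, any settings:",
          forgery_probability(1, True, on_path=True))
    print("first hit against fixed-port cache (1000 guesses/window):",
          simulate_race(1000, False))
```

The model makes the thread's point concrete: randomizing the source port multiplies the blind attacker's search space by the size of the port range (about 64,000 times here), which turns a race won in a few hundred attacker-triggered windows into one needing millions, while an on-path attacker on the same LAN sees the query and wins with probability 1 regardless. DNSSEC or DNSCurve, which the message mentions, are what close the on-path case, since they authenticate the answer rather than hide the query parameters.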
More information about the ubuntu-users mailing list