5.7. Wrapping Up


DNS is a critical piece of any networking infrastructure. Unfortunately, its design makes it ripe for attack. FreeBSD and OpenBSD systems make excellent choices for DNS servers because of their inherent stability and additional security features, like ACLs, that can be used to secure the server. Depending on your security posture, you can choose between BIND 9 and djbdns to serve your domains. If you choose BIND, you will have a lot of management tasks automated for you. You may also need to turn off features that you are not using to improve its security. If you choose djbdns, you will have fewer features to turn off and more features to implement yourself: you will have to create a secure replication scheme, a secure updating mechanism, and delegation procedures. You will worry less, however, about the DNS server software itself being a major source of risk for you.

Ultimately, you need to consider the environment where you are using DNS. You need to consider the risks presented in this chapter and how your organization might be affected by them. Then you can pick the right software and the right set of configuration options to make your DNS system fit your needs.



    Mastering FreeBSD and OpenBSD Security
    ISBN: 596006268