spf-discuss

Re: SPFv1 is already extensible

2004-06-01 18:26:24

Stuart D. Gathman wrote:

o I was originally daunted by the thought of 'a custom DNS server', but
server people have pointed me to code that makes setting one up in Python
trivial.  This is good enough for me right now.  A VM prevents buffer
overflow in the custom code, and if the interpreter doesn't run strings
through /bin/sh behind your back (leaving Perl out, I think), security
of the custom code will be reasonable.  Ultimately, the security of a
custom DNS would be improved by having the front line DNS server proxy
requests to a back end server that is not directly available to the
public.  A simple port redirector would allow the custom DNS server to
be effectively sandboxed now - if no standard DNS runs on the same host.

1: Perl does not run strings through /bin/sh behind your back. Please
google for "taint checking" for endless discussion of Perl security.

2: The easiest way I know of to do custom DNS is to periodically rewrite
the configuration file for a DJBDNS tinydns installation and have the
tinydns re-read the configuration file.  This approach also works with
BIND of course, but IMVIACFO* tinydns zone files are easier to write
programmatically.




--
davidnicol(_at_)pay2send(_dot_)com
"There's a fine line between participation and mockery" -- Scott Adams
*Vastly Inflated And Coffee Fueled
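The "rewrite the tinydns data file from a program" approach in point 2 is easy to get wrong in one specific way: SPF policies are full of colons (ip4:, include:, a:), and ':' is the field separator of a tinydns-data line, so every colon in the TXT payload has to be written as the octal escape \072 or tinydns-data will mis-parse the record. The following is an added example, not code from this message or from the djbdns project; it assumes only the documented tinydns-data TXT line format 'fqdn:s:ttl and uses constructed sample domains and policies.

```python
"""Generate tinydns 'data' lines that publish SPF policies as TXT records.

Added example (not from the original message or from djbdns).  Assumed
tinydns-data line format for a TXT record:

    'fqdn:s:ttl

where ':' is the field separator, so any ':' (and any backslash or
non-printable byte) inside s must be written as a \\NNN octal escape.
"""
import re

# Constructed sample input: domain -> SPF policy (not real records).
SAMPLE_POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "example.org": "v=spf1 mx a:mail.example.org ~all",
}

DEFAULT_TTL = 3600

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def escape_tinydns(text: str) -> str:
    """Escape a TXT payload for use as the s field of a tinydns-data "'" line.

    ':' is the tinydns field separator, so it must become \\072.  Backslash
    and any byte outside printable ASCII get the same octal treatment so the
    record comes back out of tinydns byte-for-byte identical.
    """
    out = []
    for byte in text.encode("utf-8"):
        if byte in (ord(":"), ord("\\")) or byte < 0x20 or byte > 0x7E:
            out.append("\\%03o" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def unescape_tinydns(field: str) -> str:
    """Inverse of escape_tinydns; used to verify that a generated line round-trips."""
    buf = bytearray()
    pos = 0
    for match in _OCTAL_ESCAPE.finditer(field):
        buf.extend(field[pos:match.start()].encode("ascii"))
        buf.append(int(match.group(1), 8))
        pos = match.end()
    buf.extend(field[pos:].encode("ascii"))
    return buf.decode("utf-8")


def spf_txt_line(fqdn: str, policy: str, ttl: int = DEFAULT_TTL) -> str:
    """Return one tinydns-data line publishing `policy` as a TXT record for `fqdn`."""
    if not fqdn or fqdn.endswith(".") or ":" in fqdn:
        raise ValueError(f"bad fqdn for tinydns data: {fqdn!r}")
    if len(policy.encode("utf-8")) > 255:
        # A single DNS TXT character-string holds at most 255 bytes.  An SPF
        # policy that long should be restructured (e.g. via include:), so
        # refuse it here instead of silently emitting something tinydns-data
        # may chunk differently from what the author expects.
        raise ValueError(f"SPF policy for {fqdn} exceeds 255 bytes")
    return f"'{fqdn}:{escape_tinydns(policy)}:{ttl}"


def render_data_file(policies: dict, ttl: int = DEFAULT_TTL) -> str:
    """Render a tinydns 'data' fragment, one TXT line per domain.

    Domains are sorted so repeated regeneration yields a stable file and a
    plain diff shows exactly which policies changed before tinydns-data runs.
    """
    lines = [spf_txt_line(fqdn, policy, ttl) for fqdn, policy in sorted(policies.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the result to the tinydns data file and run tinydns-data to pick it up.
    print(render_data_file(SAMPLE_POLICIES), end="")
```

The round-trip helper is there deliberately: a generator that is run from cron and feeds a public-facing resolver should check its own output, since a single unescaped colon turns a working SPF record into a truncated one without any error at publish time.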

