LinuxQuestions.org

Linux - Newbie forum thread: i have a question over resolver and DNS (https://www.linuxquestions.org/questions/linux-newbie-8/i-have-a-question-over-resolver-and-dns-699441/)

jonhanna 01-23-2009 02:42 PM

i have a question over resolver and DNS
 
So I am trying to figure out resolver and I need to figure out how a resolver might attempt to find the IP address of the example domain? I don't know too much about a resolver and I was wondering if someone could help me.
My second question is for a project I am setting up and I need to figure out which part of the DNS is most vulnerable to an attack from a malicious user and why is this? I need to have a reason for this so if anyone could help me on this too, it would be greatly appreciated.
Thanks

unSpawn 01-23-2009 07:25 PM

Quote:

Originally Posted by jonhanna (Post 3418977)
I need to figure out how a resolver might attempt to find the IP address

For an explanation maybe start with Name Service and Resolver Configuration?


Quote:

Originally Posted by jonhanna (Post 3418977)
I need to figure out which part of the DNS is most vulnerable to an attack

See www.cve.mitre.org, www.kb.cert.org, securityfocus.com and secunia.com and do some research using terms like DNS and vulnerability, Paul Vixie, Dan Kaminsky, Dancho Danchev


Quote:

Originally Posted by jonhanna (Post 3418977)
(..) and why is this?

...which should give you a cornucopia of reasons, ranging from "simple" privilege escalations in software and 'net infrastructure crippling Root Server DDoS and identity theft to spoofed DNS recursion attacks, rebinding and cache poisoning attacks. (Also see 'net "economy" as in Russian Business Network, shadowserver as in botnet stats, shady marketing, typo-squatting, malware distribution.)

salasi 01-24-2009 06:08 AM

...and bear in mind that DNS != Bind (ie, there are alternatives).

unSpawn 01-24-2009 06:10 AM

Quote:

Originally Posted by salasi (Post 3419545)
...and bear in mind that DNS != Bind (ie, there are alternatives).

Good one, I could have said that...

salasi 01-25-2009 08:37 AM

If you were trying to say "I said that first", I'll also throw in this example from '07:

http://www.linuxquestions.org/questi...?highlight=dns

More seriously, I don't know why so many people think DNS is exactly equivalent to bind. Setting up Bind can be a bit of a pain, particularly when it's chrooted, and the history of Bind is not one that gives you a great deal of confidence that the current version is free of significant bugs.

Something like djbdns/dnsmasq/maradns/pdns is a better bet (imho) in simpler setups, although there can still be a case for the Bind 'swiss army knife' for some of the more involved setups.

And, for a secure installation, with Bind, I think that you should know who is your security specialist, and that they check for security advisories on a very frequent basis.

This may be overkill for a small installation.

You may think I'm being paranoid (and you may be right), but most of the effort in trying to develop exploits seems to be expended against Bind rather than the alternatives and so I'm a bit more relaxed about the security situation with, say, djbdns than Bind.

servat78 01-25-2009 07:50 PM

I guess you will have to decide which DNS implementation you want to use, before figuring out the resolver mechanism. As for the attack issues - this seems rather to be a firewall/router topic, since these are better suited to deal with attacks. I would assume name servers are always behind a firewall; it should be quite rare to have a name server as the only computer in an office. Otherwise putting 'named' in a jailroot seems to be quite common as a precautionary move.

Debian

salasi 01-26-2009 06:14 AM

Quote:

Originally Posted by servat78 (Post 3421152)
I guess you will have to decide which DNS implementation you want to use, before figuring out the resolver mechanism.

Not necessarily; understanding the protocol first seems like a very valid first step and that helps whichever resolver you eventually decide on.

Quote:

As for the attack issues - this seems rather to be a firewall/router topic, since these are better suited to deal with attacks.
I'm sorry, but not completely. If you look at the Kaminsky exploit (for example here http://blog.invisibledenizen.org/200...ly-leaked.html or, for those of a more techie bent, here http://www.securiteam.com/exploits/5DP0L15OUY.html) the mechanism is such that the DNS resolver seems to be doing the kind of thing that a DNS resolver should be doing, so it's unclear what a firewall should be doing to stop that (without breaking all of DNS).

If you have a blacklist of all those involved in the exploit, you could use that with your firewall ruleset, but isn't curing the fundamental problem better?
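To make both points in this thread concrete (jonhanna's question about how a resolver finds an address, and salasi's point that a resolver under the Kaminsky attack is "doing the kind of thing a resolver should be doing"), here is an added, self-contained simulation of iterative resolution. It is not code from any poster or any real DNS implementation; the servers, zone data and addresses are constructed stand-ins, and the only checks the resolver applies to a reply are the ones a classic resolver relies on, the transaction ID and the question, which is exactly why such replies look like ordinary DNS traffic to a firewall.

```python
import random

# Constructed, offline stand-in for the DNS hierarchy (addresses are
# documentation-range sample values, not real servers). Each server knows
# only its own zone data and the delegations (NS + glue) one level below.
ROOT_HINT = "198.51.100.1"
ZONES = {
    "198.51.100.1": {"com.": {"NS": {"a.gtld.example.": "198.51.100.2"}}},
    "198.51.100.2": {"example.com.": {"NS": {"ns1.example.com.": "203.0.113.53"}}},
    "203.0.113.53": {"www.example.com.": {"A": "203.0.113.80"}},
}

def query(server_ip, qname, txid):
    """One simulated UDP exchange with a single name server."""
    zone = ZONES[server_ip]
    if qname in zone and "A" in zone[qname]:
        return {"txid": txid, "qname": qname, "answer": zone[qname]["A"]}
    labels = qname.split(".")
    # No answer here: refer the resolver to the closest enclosing delegation.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone and "NS" in zone[parent]:
            return {"txid": txid, "qname": qname, "referral": zone[parent]["NS"]}
    return {"txid": txid, "qname": qname, "error": "NXDOMAIN"}

def resolve(qname, trace=None, max_hops=8):
    """Iterative resolution: start at the root hint and follow referrals.

    Returns the A record (or None) and fills `trace` with the servers asked.
    """
    server = ROOT_HINT
    for _ in range(max_hops):
        txid = random.getrandbits(16)  # the 16-bit ID carried on the wire
        resp = query(server, qname, txid)
        # The only checks a classic resolver applies to a reply: the ID and
        # the question must match the query it has outstanding. Anything
        # that passes these looks like normal DNS traffic to a firewall.
        if resp["txid"] != txid or resp["qname"] != qname:
            continue  # stray reply: drop it and ask again
        if trace is not None:
            trace.append(server)
        if "answer" in resp:
            return resp["answer"]
        if "referral" not in resp:
            return None
        server = next(iter(resp["referral"].values()))  # follow the glue
    return None

if __name__ == "__main__":
    path = []
    print(resolve("www.example.com.", path), "via", " -> ".join(path))
```

Run it and the trace shows the root -> .com -> example.com walk that the original question asks about; a name with no delegation ends with None rather than an address.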

