Re: DNS Resolution Security

David Luner wrote:
> On Thu, 03 Aug 2006 19:26:34 +0200, Frank Fegert
> <fra.nospam.nk@gmx.de> wrote:
>
>
>>Michael James wrote:
>>
>>>I'm hoping that you may be able to help me with a debate I've been
>>>having with a colleague of mine. He believes that by NOT configuring
>>>the /etc/resolv.conf for DNS resolution, the AIX system has tighter
>>>security, and less likely to get hacked.
>
> ...
>
>>Enabling name resolution via DNS won't expose your
>>system directly, as opposed to e.g. running a world
>>accessible DNS server on the system.
>
> ...
>
> So, as usual, administration is easier if the security is lower. One
> alternative is to set up your system to run its own name server and
> perform zone transfers. This alleviates the administrative burden,
> possibly improves DNS resolution performance and limits your security
> exposure to the zone transfer process.
And how does that improve security, I wonder? The zone
transfer doesn't come out of thin air. So you're still
exposed to the risk that your or your provider's name
server, which participates as a master in the zone
transfer, sends malicious data to the slave name server
running locally.
I've actually seen this several times. The nameservers
are not secured at all. Every host in the company depends
on them, even machines in the DMZs. They never
get a downtime to update the name server software and
are running something as horrible as 4.x versions of BIND
or even worse ...
Regards,
Frank
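The post above complains about company name servers still running BIND 4.x. The quickest way to find such hosts is to ask each server for its CHAOS-class `version.bind` TXT record, which is what `dig @ns version.bind chaos txt` does. The following is an added example written for this page, not code from the thread or from BIND: it builds that query by hand with the standard library (wire format per RFC 1035), parses the TXT answer, and flags old major versions. The sample response it checks against is constructed, and the "major version below 9 is ancient" threshold is this example's own assumption, not something the post states.

```python
"""Probe name servers for their BIND version via a CHAOS-class TXT query.

Added example, not part of the original thread. Assumptions (not from the
post): the RFC 1035 wire format used below, the constructed sample response
in build_sample_response(), and the "major version < 9 is ancient" rule.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3
DEFAULT_TXID = 0x1234


def encode_name(name):
    """Encode a dotted name as DNS labels (<len><bytes>... 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=DEFAULT_TXID):
    """Return the raw 'version.bind CH TXT' query message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def skip_name(msg, off):
    """Advance past a name at offset off, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_version_response(msg, txid=DEFAULT_TXID):
    """Return the list of TXT strings from CH-class answers in msg."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:  # e.g. 5 = REFUSED when the server hides its version
        raise ValueError("server returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    versions = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata: sequence of <len><chars>
                n = rdata[i]
                versions.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return versions


def looks_ancient(version):
    """Assumption for this example: any BIND major version below 9 is ancient."""
    try:
        return int(version.split(".")[0]) < 9
    except ValueError:
        return False  # "unknown", vendor strings, etc.


def query_server(server, timeout=2.0):
    """Live probe over UDP/53 (not exercised by the offline checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)


def build_sample_response(version, txid=DEFAULT_TXID):
    """Constructed answer mimicking a server that reports its version."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    txt = bytes([len(version)]) + version.encode("ascii")
    # Name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return header + question + answer


if __name__ == "__main__":
    for v in parse_version_response(build_sample_response("4.9.11-REL")):
        print(v, "ANCIENT" if looks_ancient(v) else "ok")
```

Against a real server, `query_server("192.0.2.53")` returns the same list; a REFUSED answer or a string like "unknown" means the operator hid the version, which says nothing about whether it is patched.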