On 2006-08-03, Michael James <dritzz721@verizon.net> wrote:
> I'm hoping that you may be able to help me with a debate I've been
> having with a colleague of mine. He believes that by NOT configuring
> the /etc/resolv.conf for DNS resolution, the AIX system has tighter
> security, and is less likely to get hacked.

This is true. In fact, this has already caused a problem back in 2002.
A bug in the BIND resolver (also used on AIX, if I remember correctly) was
remotely exploitable. (See http://cr.yp.to/djbdns/res-disaster.html)
Having a firewall didn't help: when you had a nameserver in
/etc/resolv.conf that had access to outside data (perhaps not even directly),
you were vulnerable.
--
Jurjen Oskam
Savage's Law of Expediency:
You want it bad, you'll get it bad.