DNS Firewalling with MISP and Technitium DNS Server

zaferbalkan.com

22 points by feldrim 2 months ago · 22 comments

mfro 2 months ago

I love Technitium DNS and have run it for several years now. Thanks for the contributions.

  • feldrimOP 2 months ago

    I only made two plugins. I have two half-baked ones in the making. Both Shreyas and I have day jobs and this is a side quest. Overall, my contributions are about 1% of all the code, so I accept 1% of the thanks. Kudos to Shreyas.

avhception 2 months ago

When I read "PDNS", I will probably always think "PowerDNS".

  • feldrimOP 2 months ago

    Yes. That's why I put the footnote there.

    • avhception 2 months ago

      Well, I read that footnote, but I'm not sure if overloading the acronym is the best idea, is what I'm trying to say.

      • feldrimOP 2 months ago

        I agree with you there. But the term does not belong to me but to CISA and other organisations. But it's not as bad as the Cyber Security Awareness Month acronym at least.

  • walletdrainer 2 months ago

    “PDNS” also often refers to “Passive DNS”, never heard of “protective dns” before.

Milpotel 2 months ago

Don't get too excited - Technitium has a bus factor of one, a very small user base and no previous auditing.

  • johnea 2 months ago

    Yea, I often wonder when I see this type of article, why don't they just use bind9?

    No other DNS resolver is going to come close to its number of deployment*years in operation.

    I didn't read the article though, since I'm not going to enable javascript and cookies just to read someone's blag post 8-/

    HTML much?

    • ignoramous 2 months ago

      > I didn't read the article though, since I'm not going to enable javascript and cookies just to read someone's blag post 8-/

      mirror: https://archive.vn/8BCBn

    • Milpotel 2 months ago

      > why don't they just use bind9?

      Because bind9 is not a dns server but a collection of all available CVE types for further studying.

      • johnea 2 months ago

        I guess wikipedia doesn't agree with you:

        "BIND is the de facto standard DNS server"

        https://en.wikipedia.org/wiki/Comparison_of_DNS_server_softw...

        9 just being the currently deployed version.

        A non-wikipedia reference:

        https://dn.org/a-comprehensive-comparison-of-popular-dns-ser...

        Although this article does state that bind's "configuration files and options require careful attention to detail".

        So, maybe it's not appropriate for the modern hype-cycle s/w development model?

        In general, I don't think I'm disagreeing with you, so I'm not sure what message the reply is intended to convey.

        Technitium seems like another one of those: "My weekend hobby project was to reinvent fire, and the wheel" sort of things, that seem popular on the HN feed.

        My favorite feature of bind is "split views". This allows the same service to provide DNS on the local LAN, as well as authoritative DNS to the internet.
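        The "split views" setup described in this comment, as an added illustration rather than anything from the thread or the article: a minimal BIND 9 named.conf where LAN clients get a recursive resolver plus a private copy of the zone, while everyone else gets an authoritative-only public copy. The zone name, file paths and the 10.0.0.0/8 network are assumed placeholders.

```conf
// Added example (not from the thread). Views are tried in order and the
// first match-clients hit wins, so the LAN view must come before "any".
// Once any view is defined, every zone must live inside a view.

acl "lan" { 10.0.0.0/8; 127.0.0.1; };   // assumed internal network

view "internal" {
    match-clients { "lan"; };
    recursion yes;                       // LAN hosts may use this as their resolver
    allow-query { "lan"; };
    zone "example.com" {                 // placeholder zone name
        type primary;                    // BIND >= 9.16 keyword (older: "master")
        file "/etc/bind/db.example.com.internal";   // private RFC 1918 addresses
    };
};

view "external" {
    match-clients { any; };              // everything not matched above, i.e. the internet
    recursion no;                        // authoritative only; never an open resolver
    allow-query { any; };
    allow-transfer { none; };            // no AXFR of the public zone to strangers
    zone "example.com" {
        type primary;
        file "/etc/bind/db.example.com.external";   // public addresses only
    };
};
```

        Run `named-checkconf` on the file before reloading; the two zone files are separate, so a record that should only be visible internally must simply be left out of the external copy.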

        • feldrimOP 2 months ago

          I am a fan of Technitium, because I like to build and I built two plugins for it to fit my use case. But at work, we use Windows DNS and Bind in parallel. So, this is also a hobby of mine. The hook for me is that it is built with dotnet, and I have experience in that stack. Other features are secondary actually.

          I am curious though, what would TDNS do so that you can replace BIND with TDNS in your homelab/workplace or wherever it is used? I genuinely ask for it so that I can help the original developer with some PRs.

        • Milpotel 2 months ago

          > I guess wikipedia doesn't agree with you:

          Are you kidding? Bind has been the de facto standard for DNS servers for ages but it's just a badly engineered piece of software and had braindead vulnerabilities for decades:

          https://www.cvedetails.com/vulnerability-list/vendor_id-64/p...

          Already 20 years ago it was common knowledge to never use software that Paul Vixie had touched (bind, vixie-cron, sendmail ...) and we used alternatives such as djbdns. Good old times...

          • johnea 2 months ago

            After just a short search to try to come up with some numbers, I find that between 60% and 90% of internet DNS servers are running bind.

            And yet somehow, the internet has much bigger problems...

            • Milpotel 2 months ago

              Bold statement just one month after the last cache poisoning vulnerability. Bind is the Microsoft Windows of DNS servers - a lot of users and bugs nonetheless the go-to for many admins because that's what they are most familiar with. And similar to Windows, the internet mostly relies on others - none of the big companies (Meta, Cloudflare, Google, MS, Amazon, Netflix, Twitter...) use bind and neither do most hobbyists. It's just for the plethora of mid-sized companies with unmotivated admins.

    • feldrimOP 2 months ago

      The only problem there is for GDPR consent thingy. You can disable and proceed. I don't use any telemetry except for the consent banners.

      When it comes to Technitium, well, it's written in the blog.

      • johnea 2 months ago

        If my browser is blocking cookies, you don't need my consent, because you're not going to set any cookies.

        GDPR preempted...

  • esseph 2 months ago

    And yet here I am deploying it in production

feldrimOP 2 months ago

I've played with threat intelligence to build a simple, on premises PDNS out of a privacy-focused DNS server.
