What's the project's policy regarding bind9 updates?
-
In considering whether to move bind9 service to our new pfSense firewall pair, I see that currently pfSense is providing bind 9.10.4-P2. There have been several rounds of security patches since then, and bind 9.10.4 is currently on P5.
Is it right to conclude that if our local policy requires keeping up with security patches, it's best not to run bind9 on pfSense, but instead put it on a VM behind it, running a distro with the resources to respond quickly to updates?
Is there a statement of policy somewhere on which packages pfSense makes it a point to keep up with patches on, and which it is likely to ignore between updates of the base pfSense distro itself?
-
Is it right to conclude that if our local policy requires keeping up with security patches, it's best not to run bind9 on pfSense, but instead put it on a VM behind it, running a distro with the resources to respond quickly to updates?
My opinion is that you don't want to run bind on your firewall.
The question of patching should be in the package subforum, as bind (beyond the cmd line tools) is not a part of the base. Some of the packages are outdated because there is no current maintainer. I'm not sure of the status of the bind package.
-
If 9.10P2 is way too old for you, perhaps use 2.3.3 which has 9.11.0P2.
(Other than that, I hope you are not running a public DNS on your firewall.)
-
Don't run BIND on your firewall if you can help it. BIND is massive overkill when used just as a resolver, and for a real authoritative server you should be using professional DNS hosting services rather than hosting DNS yourself (unless you're really, really good at BIND and DNS).
-
While I agree with not hosting your own public DNS... if you need an authoritative name server rather than just a resolver, then bind would be the way to go ;) It's not overkill by any means if what you need is authoritative name services. Most setups large enough or complex enough to need/want that would already have DNS set up and wouldn't need to run it on their firewall ;) if you ask me.
But there are always going to be one-offs and such.
I personally would not host public DNS off my own connection anyway, and if I did I wouldn't run it on my firewall ;) But I have run it in the past for local DNS.
-
Well, I was kind of forced to set up bind as a resolver and authoritative local DNS because of this: https://redmine.pfsense.org/issues/5413. Later I set up a hidden master on a different view for my public domain. I see no problem in hosting your own hidden master... just my 2 ¢.
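For readers who want to see what the layout in the last post looks like in BIND terms, here is a named.conf sketch added as an illustration (it is not the poster's configuration): an internal view that recurses and serves the local zone, and a separate view that acts as a hidden master for the public zone. The ACL ranges, zone names, file paths and secondary addresses are placeholders.

```conf
// Added example, not from the thread. Placeholders throughout.
acl internal    { 10.0.0.0/8; 127.0.0.1; };
acl secondaries { 192.0.2.53; 198.51.100.53; };   // the hosts listed in the public NS records

options {
    listen-on { any; };
    // Recursion is off globally and switched on only inside the internal view.
    recursion no;
    allow-query { any; };
    version "not disclosed";
};

// Internal clients: recursive resolver plus the private zone.
// Zone transfers are disabled; nothing outside this view ever sees it.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "corp.internal" {
        type master;
        file "/etc/bind/db.corp.internal";
        allow-transfer { none; };
    };
};

// Everyone else reaches the hidden master for the public zone. It is
// "hidden" because it does not appear in the zone's NS records: it only
// feeds the secondaries, answers no recursive queries, allows transfers
// solely to those secondaries, and sends NOTIFY only to the also-notify list.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { secondaries; };
        also-notify { 192.0.2.53; 198.51.100.53; };
        notify explicit;
    };
};
```

Run named-checkconf against the file before reloading; a view-ordering mistake (the catch-all view placed first) silently gives every client the external view.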