On Tue, Jan 18, 2005 at 08:23:23AM -0600, Rodolfo J. Paiz wrote:
> It is CERTAINLY not a reason to install BIND on all desktops. Bloat,
> increased resource requirements, increased security risk, slower system
> response, pick your reasons... all of these are applicable and true to
> some degree.

Definitely true. In addition, bind won't work at all through a strong firewall, or worse yet can be used for systematic DoS attacks aimed at taking out NAT tracking firewalls running UDP sessions. These attacks are very well known and understood. [1]

Installing bind is not a solution.

Alan

[1] It goes like this:

Your NAT box has finite resources for UDP sessions. If you visit a web page I control, then I can serve a page that includes an iframe reloading continually, each time with a new DNS query required, all of which point to a host I control. After about 60,000 DNS queries (maybe only a couple of minutes) you are out of UDP ports.

Worse yet, in many cases you will be querying my DNS server from your DNS server and making temporary holes in the firewall between the two. I can now see through your firewall in limited ways, with probable port reuse going to land me access to something.
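The footnote's attack has a simple resolver-side symptom: one client suddenly asking for a very large number of distinct names in a short window. The following is an added example, not part of the mail above or of any BIND tooling, showing how a defender could spot that symptom in resolver query logs. It assumes a constructed log format of "<epoch_seconds> <client_ip> <qname>" (real resolver logs differ), and the 60-second window and 100-name threshold are illustrative values chosen here, not figures from the mail.

```python
"""Detect clients generating a flood of unique DNS names in a short window.

Added example: the log format, the sample log and the thresholds are all
constructed here for illustration and are not taken from the original mail.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding window length (illustrative)
MAX_UNIQUE_NAMES = 100       # unique names per window that trigger an alert (illustrative)


def parse_line(line):
    """Parse one constructed log line: '<epoch_seconds> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return float(ts), client, qname.lower().rstrip(".")


def find_flooding_clients(lines, window=WINDOW_SECONDS, threshold=MAX_UNIQUE_NAMES):
    """Return {client: peak unique names seen in any `window` seconds}
    for every client whose peak reaches `threshold`.

    Lines are expected in timestamp order; each client keeps its own
    deque of (timestamp, qname) so old entries can be dropped cheaply."""
    recent = defaultdict(deque)   # client -> deque of (ts, qname), oldest first
    peak = defaultdict(int)       # client -> highest unique-name count observed
    for line in lines:
        ts, client, qname = parse_line(line)
        q = recent[client]
        q.append((ts, qname))
        # Drop entries that have fallen out of the sliding window.
        while q and q[0][0] < ts - window:
            q.popleft()
        unique = len({name for _, name in q})
        if unique > peak[client]:
            peak[client] = unique
    return {c: n for c, n in peak.items() if n >= threshold}


def constructed_log():
    """Build a constructed sample log: one ordinary client that repeats two
    names, and one client that asks for 150 distinct names within 30 seconds
    (the pattern a page reloading with a fresh hostname each time produces)."""
    lines = []
    for i in range(200):   # benign client: 2 names, 100 seconds
        name = ["www.example.net", "mail.example.net"][i % 2]
        lines.append(f"{1000 + i * 0.5} 10.0.0.5 {name}")
    for i in range(150):   # noisy client: 150 unique names, 30 seconds
        lines.append(f"{1000 + i * 0.2} 10.0.0.9 r{i}.example")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for client, n in find_flooding_clients(constructed_log()).items():
        print(f"alert: {client} asked for {n} distinct names within {WINDOW_SECONDS}s")
```

The benign client never exceeds two distinct names, so only 10.0.0.9 is reported. In practice the threshold would be tuned against the site's normal query mix, and the same count could be fed into a rate limit on the resolver or an alert on the NAT device's UDP session table rather than just printed.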