Reading today's news story about DNS vulnerabilities made me realise that, actually, the OS vendors (notably the Linux vendors) have recently realised that the DNS servers they ship are really quite attractive for hackers.

We've all been securing our email servers for ages - disabling relaying, turning on SMTP authentication, and so on - because a server that has by its nature to be accessible to the public is potentially vulnerable. Yet it's been easy to forget that a DNS server is (assuming you're running your own DNS to publish your domain records rather than simply using your ISP's) another necessarily public machine.

Just recently I've run up a couple of Fedora Linux servers for clients, and both have had the DNS server daemon turned on simply to act as a forwarding server (i.e. to do lookups of external names for internal machines). In both cases, the DNS servers have, initially, steadfastly refused to answer any queries at all - and when I've looked into it, that's been because the default setting of the DNS service on Fedora Core 6 is "deny all". So I've had to change the security settings of the DNS server even to make it talk to things it knows are on its own subnet.

Well done, Fedora distribution people! Let's hope the rest of the OS world follows suit and remembers to secure this oft-forgotten publicly accessible service.