~samiam/MaraDNS

ref: 3.5.0021 MaraDNS/doc/en/DNS.security.comparison.md -rw-r--r-- 3.9 KiB
ca00f282 — Sam Trenholme MaraDNS release 3.5.0021 5 months ago

#DNS server security comparison

Last updated: September 14, 2015

This is a tally of known CVE security issues in four of the "big five" DNS servers. BIND has too many CVE security reports for me to bother listing them all; I presume BIND users are comfortable with its security history.

As may come as a shock to some, while DjbDNS has the best history (unless you count Deadwood as a separate program), there are, in fact, security holes with its "dnscache" recursive component.

In terms of total reports, DjbDNS has only three; Unbound and NSD have 10, MaraDNS has 12, and PowerDNS has 18. Total CVSS score is similar:

Server          Total CVSS score
PowerDNS        105.6
MaraDNS          63.1
NSD/Unbound      55.3
DjbDNS           18.6
Deadwood          6.4

In terms of unpatched bugs, there are no unpatched bugs I know of at this time. No new release of DjbDNS has been made to patch its three known CVE bugs; while there are third-party forks which patch some of the bugs, the only third-party DjbDNS release with fixes for all CVE bugs is N-DJBDNS (which also fixes the two DjbDNS security bugs without CVE numbers). DjbDNS' "tinydns" authoritative-only component has no CVE security bug reports; only the "dnscache" recursive component has CVE issues.

Deadwood, MaraDNS 2.0's recursive resolver (which shares no code with MaraDNS 1), has so far one CVE bug: 2012-1570, with a score of 6.4

Of PowerDNS' 18 CVE reports, 11 affect its recursor. Eight NSD/Unbound bugs affect Unbound, the recursive resolver; there are two CVE reports for NSD. All three DjbDNS CVE reports affect dnscache, its recursive resolver.

CVE number      Score   Package                 Patched
2012-1570       6.4     MaraDNS and Deadwood    Yes
2012-0024       5.0     MaraDNS                 Yes
2011-5056       2.1     MaraDNS                 Yes
2011-5055       5.0     MaraDNS                 Yes
2011-0520       7.5     MaraDNS                 Yes
2010-2444       4.3     MaraDNS                 Yes
2008-0061       5.0     MaraDNS                 Yes
2007-3116       5.0     MaraDNS                 Yes
2007-3115       7.8     MaraDNS                 Yes
2007-3114       5.0     MaraDNS                 Yes
2004-0789       5.0     MaraDNS                 Yes
2002-2097       5.0     MaraDNS                 Yes
2012-1191       6.4     DjbDNS                  3rd-party; untested
2009-0858       5.8     DjbDNS                  Yes (No official release)
2008-4392       6.4     DjbDNS                  3rd-party
2015-1868       7.8     PowerDNS Recursor       Yes
2014-8601       5.0     PowerDNS Recursor       Yes
2014-3614       5.0     PowerDNS Recursor       Yes
2012-1193       6.4     PowerDNS Recursor       Yes (But it took over a year)
2012-0206       5.0     PowerDNS                Yes
2009-4010       7.5     PowerDNS Recursor       Yes
2009-4009       10.0    PowerDNS Recursor       Yes
2008-5277       4.3     PowerDNS                Yes
2008-3337       6.4     PowerDNS                Yes
2008-3217       6.8     PowerDNS Recursor       Yes
2008-1637       6.8     PowerDNS Recursor       Yes
2006-4252       5.0     PowerDNS Recursor       Yes
2006-4251       7.5     PowerDNS Recursor       Yes
2006-2069       5.0     PowerDNS Recursor       Yes
2005-0038       5.0     PowerDNS                Yes
2005-2302       2.1     PowerDNS                Yes
2005-2301       5.0     PowerDNS                Yes
2005-0428       5.0     PowerDNS                Yes
2012-2978       5.0     NSD                     Yes
2009-1755       5.0     NSD                     Yes
2014-8602       4.3     Unbound                 Yes
2012-1192       6.4     Unbound                 Yes
2011-4869       7.8     Unbound                 Yes
2011-4528       5.0     Unbound                 Yes
2009-4008       5.0     Unbound                 Yes
2011-1922       4.3     Unbound                 Yes
2010-0969       5.0     Unbound                 Yes
2009-3602       7.5     Unbound                 Yes