From: Frank Leonhardt
Date: Sat, 25 Jan 2014 21:03:52 +0000
To: freebsd-questions@freebsd.org
Message-ID: <52E426B8.3080905@fjl.co.uk>
Subject: Re: Why was nslookup removed from FreeBSD 10?
On 25/01/2014 20:20, RW wrote:
> On Sat, 25 Jan 2014 19:52:57 +0000
> Frank Leonhardt wrote:
>
>> As you and Waitman both pointed out, nslookup IS part of BIND, yet as
>> I said in the diatribe following the question in my post, so is
>> "host" and that's still there.
>
> From the host manpage:
>
> COMPATIBILITY
>      host aims to be reasonably compatible with `host' utility from
>      BIND9 distribution,

Yes - I read that too, and assumed it meant it was a derived work until I checked the source code. It's contributed, but part of ldns and not BIND. By removing BIND from the base system in favour of ldns-based stuff, it could mean that it's just the case that no one wrote an ldns version of nslookup or dig; only host. This is one of my theories as to the answer.

It's worth noting that one of the criticisms I've heard of nslookup has been that it DOESN'T use BIND as a resolver and works in its own self-contained way, and is therefore not valid as a DNS (meaning BIND) debugging tool. However, it should mean that it's stand-alone - hence the Windoze port (which used to contain incriminating strings showing it was pinched from BSD!)

So if you prefer a slightly rephrased question: Why has someone written "host" for FreeBSD 10.0 but neglected to provide nslookup (or dig)?
As to Matt's comment that "almost half of all the security vulnerabilities in the entire lifetime of the FreeBSD project have been from BIND. Personally, I'd say that's 'pretty spectacular.'" - I'd say that these security vulnerabilities are more to do with DNS the protocol rather than BIND the implementation. Whoever would have thought that criminals would have got their hands on computers?

Removing BIND and not replacing it with anything (apart from a local resolver) will, I guess, meet your security needs. But I'm talking about nslookup, not the whole of BIND and all its utilities. I've never heard of a security problem with nslookup. Except, of course, with the Micro$oft version ;-)

There must be a discussion about how the decision was taken somewhere, mustn't there? If there isn't, it's looking like an accident.

Regards, Frank.