[Gllug] BIND9 Problems

Russell Howe rhowe at wiss.co.uk
Tue Mar 1 19:00:21 UTC 2005


On Tue, Mar 01, 2005 at 05:08:08PM +0000, Alain Williams wrote:
> You may notice that my DNS also lists name servers outside my house, BIND pushes
> changes to them.
> Part of the reason that I do it this way:

The way I run it is that none of my DNS servers receive queries. The
servers listed in the NS records are all secondaries hosted by others
which slave zones from my server.

This means that I host the zones, but I don't receive any queries for
them, which really limits my vulnerability to any bind exploits that
come about.

I also run bind either chrooted or as nobody (can't remember offhand
which).

Then again, if someone gained access to one of those external servers,
they would find my DNS server would accept tcp/53 connections which may
or may not permit them to apply the same exploit to me...

Still, it prevents a casual scan, and providing network services which
can withstand a determined attacker seems to be quite nontrivial.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
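The "hidden primary" arrangement Russell describes (the authoritative server is in no NS record, only the externally hosted secondaries answer the public, and the primary pushes changes to them) maps onto a fairly small amount of BIND9 configuration. The fragment below is an added example written for this archive page, not configuration from the post or from either poster; every address, zone name and key secret in it is a placeholder (documentation ranges from RFC 5737, a made-up key), and the secondary-side stanza is what the other party's server would need to match it. It also addresses the tcp/53 concern in the reply: transfers are allowed only when the request comes from a listed secondary address and is signed with the shared TSIG key, so a compromised secondary alone is not enough to pull or poke the zone with an unsigned request.

```conf
// ---- On the hidden primary (Russell's server in the post) ----
// Added example; not from the original mailing list post. All addresses,
// names and secrets are placeholders.

// Shared TSIG key; generate a real secret with `tsig-keygen xfer-key` and
// paste it here and on each secondary. The key, not just the source IP,
// authorises transfers and NOTIFYs.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

acl "secondaries" {
    192.0.2.10;      // hypothetical secondary hosted by someone else
    198.51.100.20;   // hypothetical second secondary
};

options {
    directory "/var/cache/bind";
    recursion no;
    // The primary is in no NS record, so the public never needs an answer.
    allow-query { none; };
    allow-query-cache { none; };
    // Transfers only from a listed secondary AND only when TSIG-signed.
    // The nested negated ACL is the documented BIND idiom for "both".
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    // Push changes: explicit NOTIFY to the secondaries, nobody else.
    notify explicit;
    also-notify { 192.0.2.10; 198.51.100.20; };
    version "not disclosed";
};

zone "example.net" {
    type master;     // newer BIND (9.16+) also accepts "type primary"
    file "/etc/bind/db.example.net";
    // Secondaries still send SOA queries on refresh and after a NOTIFY;
    // a global allow-query { none; } would refuse those, so open the zone
    // to the secondaries only.
    allow-query { secondaries; };
};

// ---- On one of the externally hosted secondaries ----
// (the other party's server; shown so the exchange is complete)

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

// Sign everything sent to the hidden primary (SOA refresh queries, AXFR/IXFR).
server 203.0.113.5 { keys { xfer-key; }; };   // hypothetical hidden primary

zone "example.net" {
    type slave;      // "type secondary" on 9.16+
    masters { 203.0.113.5; };
    file "/var/cache/bind/db.example.net";
    allow-notify { 203.0.113.5; };   // accept NOTIFY only from the primary
    allow-transfer { none; };        // the public gets answers, not the zone
};
```

The named-level ACLs are an application-layer control; the complementary control for the tcp/53 exposure raised in the reply is a packet filter that only admits port 53 from the secondaries' addresses, so a scan from anywhere else sees nothing listening. To confirm the primary behaves as intended, query it from a host that is not a listed secondary: `dig +tcp @203.0.113.5 example.net SOA` should return status REFUSED, and `dig @203.0.113.5 example.net AXFR` should fail with a transfer error, while the same AXFR from a listed secondary signed with the key (`dig -y hmac-sha256:xfer-key:SECRET ...`) succeeds.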