Re: Using BIND in a chroot enviro?
Dossy <dossy@panoptic.com> writes:
> On 2001.07.01, Tim Haynes <debian@stirfried.vegetable.org.uk> wrote:
>
> > If it's Bind security you're worried about, btw, can you not firewall
> > out 53/tcp altogether as well?
>
> No. IIRC, 53/tcp is also used for DNS queries (not just XFER's) when the
> size is larger than the RFC specifies for the UDP-based payload. Or, some
> such type of edge-case of the DNS spec.
>
> Could you filter out 53/tcp and "not really notice"? Sure. Could there be
> times you try to resolve something (or, rather, someone tries to resolve
> against your DNS server) and it fail for some reason? Quite possibly.
How often do your queries return over 150-odd byte long results?
IOW, that's `for the most part, you CAN filter it straight out and you
won't miss a beat'. Unless you really know what's going off...
~Tim
--
8:45am up 1 day, 5:59, 5 users, load average: 0.49, 0.59, 0.65
piglet@stirfried.vegetable.org.uk |You take your message to the waters,
http://piglet.is.dreaming.org |And you watch the ripples flow
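The disagreement above is about one mechanism: a DNS server that cannot fit its answer into a UDP datagram truncates it and sets the TC flag, and the resolver then repeats the query over TCP/53. The following Python is an added illustration of that fallback, not code from either poster or from BIND; it builds a constructed DNS response for a hypothetical name with a configurable number of A records, truncates at the 512-byte RFC 1035 UDP limit (no EDNS0 assumed), and reports whether a client would have to retry over TCP, which is the case a TCP/53 filter would break.

```python
import struct
from typing import Dict, List

# RFC 1035 section 4.2.1: DNS over UDP is limited to 512 bytes unless EDNS0 is used.
UDP_MAX_PAYLOAD = 512
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired (copied from the query)
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def sample_addresses(n: int) -> List[str]:
    """Constructed sample data: n IPv4 addresses from the documentation range 192.0.2.0/24."""
    return [f"192.0.2.{i}" for i in range(1, n + 1)]


def build_udp_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Build a UDP DNS response carrying one A record per address.

    Answers that would push the message past UDP_MAX_PAYLOAD are dropped and TC
    is set, which is exactly what makes a resolver come back on TCP/53.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Each answer names the owner via a compression pointer (0xC00C) to offset 12,
    # then TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4 followed by the 4 address bytes.
    rr_header = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
    answers = [rr_header + bytes(int(o) for o in a.split(".")) for a in addrs]

    flags = FLAG_QR | FLAG_RD | FLAG_RA
    body = question
    ancount = 0
    for rr in answers:
        if 12 + len(body) + len(rr) > UDP_MAX_PAYLOAD:
            flags |= FLAG_TC  # server signals truncation rather than sending a partial record
            break
        body += rr
        ancount += 1

    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + body


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into its fields and flag bits."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def needs_tcp_fallback(msg: bytes) -> bool:
    """True when a resolver receiving this UDP answer would retry the query over TCP/53."""
    return parse_header(msg)["tc"]


if __name__ == "__main__":
    for n in (10, 40):
        resp = build_udp_response("example.com", sample_addresses(n))
        h = parse_header(resp)
        print(f"{n} A records: {len(resp)} bytes on the wire, ancount={h['ancount']}, "
              f"TC={h['tc']}, TCP retry needed={needs_tcp_fallback(resp)}")
```

With this layout each A record costs 16 bytes and the header plus question costs 29, so 30 records fit under 512 bytes; a zone returning more than that (or large TXT, MX or DNSSEC-bearing answers) forces the TCP retry, and a host that silently drops TCP/53 sees the resolution hang or fail rather than an obvious error. Checking how many of your own zones' responses carry TC, or whether your resolver's TCP queries actually complete, is the measurement behind the "how often" question in the reply.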