BIND vulns (good doc on how to secure bind)
I don't want to get into a flamewar on what's the best DNS package
to use, but because of this recent vulnerability I decided to
re-evaluate my BIND setup, spent a couple hours researching, testing
and cleaning it up to make it more secure. A good document I
found that helped me was this:
(or Google's HTML version, which is what I used):
Some other tips for making your BIND more secure:
- run in chroot (-t option)
- run as non-root uid (-u/-g option)
- set up strict ACLs for zone transfers & queries
- use a remote syslog server and log everything to syslog
- blocking TCP/53 inbound seems to reduce exposure for the recent
vulns, according to the ISS advisory.
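As an added illustration (not from the original post), here is a named.conf fragment that puts the ACL, logging and non-root/chroot tips together; the networks, hostnames, the "named" user and the chroot path are all constructed placeholders, and remote forwarding of the syslog stream is done in syslogd's own config, not here:

```conf
// Start named unprivileged inside a chroot (user/path are assumptions):
//   named -u named -g named -t /var/named/chroot -c /etc/named.conf
// All paths below are relative to the chroot once -t is in effect.

acl "trusted"     { 127.0.0.1; 192.0.2.0/24; };      // constructed: our own network
acl "secondaries" { 198.51.100.5; 198.51.100.6; };   // constructed: our secondary servers

options {
    directory "/var/named";
    version "not disclosed";               // don't advertise the BIND version
    allow-query     { "trusted"; };        // default: only our network may ask
    allow-recursion { "trusted"; };        // never recurse for the whole Internet
    allow-transfer  { "secondaries"; };    // zone transfers only to listed secondaries
};

logging {
    // Everything goes to syslog; syslogd then ships it to the remote log host
    // (e.g. a "*.* @loghost" line in syslog.conf), so an intruder on this box
    // cannot quietly edit the history.
    channel to_syslog {
        syslog daemon;
        severity info;
        print-category yes;
        print-severity yes;
    };
    category default  { to_syslog; };
    category security { to_syslog; };      // ACL denials and the like
    category xfer-in  { to_syslog; };
    category xfer-out { to_syslog; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query    { any; };               // authoritative data is public anyway
    allow-transfer { "secondaries"; };     // but the whole zone is not
};
```

After editing, `named-checkconf` (BIND 9) will catch syntax slips before a reload, and a test transfer from an address outside the "secondaries" ACL should show up as a denial in the security log.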
I hope to get the time to write a doc myself about securing BIND,
so many things to do and so little time! Hard to imagine I still seem
to have almost no time even though I don't have a job anymore! Damn
this clock! Moves too fast.
Of course you can always ditch BIND, which is probably a good idea
for people who do not have the time or ability to keep up to date
on the latest reports. For me, I plan to use it for the foreseeable
future. Together with a syslog server, IDS, NIDS, firewall, ACLs
and more I believe the risk (for me) is acceptable.