Re: Securing bind..
On Sun, 30 Dec 2001 11:18, Petre Daniel wrote:
> Well,i know Karsten's on my back and all,but i have not much time to
> learn,and too many things to do at my firm,so i am asking if one of you has
> any idea how can bind be protected against that DoS attack and if someone
> has some good firewall for a dns server ( that resolves names for internal
> clients and also keeps some .ro domains) please post it to the list.. both
> ipchains and iptables variants are welcome..
> thank you.
Which DOS attack are you referring to?
For making bind secure I suggest running it as non-root using authbind and
build your kernel with OpenWall, LSM, or GRSecurity so that stack overflows
don't get anywhere. Then have a script to restart it if it dies.
Also don't allow recursion from outside machines.
Another possibility is to have the port for outgoing connections be something
other than 53 (54 seems unused) and use iptables or ipchains to block data
from the outside world coming to port 53.
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page