[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing bind..

On Sun, 30 Dec 2001 11:18, Petre Daniel wrote:
> Well,i know Karsten's on my back and all,but i have not much time to
> learn,and too many things to do at my firm,so i am asking if one of you has
> any idea how can bind be protected against that DoS attack and if someone
> has some good firewall for a dns server ( that resolves names for internal
> clients and also keeps some .ro domains) please post it to the list.. both
> ipchains and iptables variants are welcome..
> thank you.

Which DOS attack are you referring to?

For making bind secure I suggest running it as non-root using authbind and 
build your kernel with OpenWall, LSM, or GRSecurity so that stack overflows 
don't get anywhere.  Then have a script to restart it if it dies.

Also don't allow recursion from outside machines.

Another possibility is to have the port for outgoing connections be something 
other than 53 (54 seems unused) and use iptables or ipchains to block data 
from the outside world coming to port 53.

http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

Reply to: