Re: Securing bind..
On Sun, 30 Dec 2001, Russell Coker wrote:
> On Sun, 30 Dec 2001 22:02, jernej horvat wrote:
> > On Sunday 30 December 2001 18:46, P Prince wrote:
> > > The easiest and most failsafe way to secure bind is to install djbdns.
> > If you have nothing to say - do not speak.
Heh, I didn't send a blank message. The point was clear. It was not a
> Perhaps a discussion of the relative merits of djbdns and bind is in order.
> I wanted to move to djbdns at one time, but it was too painful. Everything
> had to be redone (the config files were all incompatible), the documentation
> was inadequate, and there was no good amount of support on the net.
Of course the config files are incompatible - djbdns's file format is far
The documentation is excellent - and simple, because the system is simple.
> Has djbdns improved since then?
I don't think djbdns has ever been at the level you suggest.
I strongly *strongly* suggest that anyone considering setting up DNS, be it
BIND or djbdns, check out Daniel Bernstein's site on the subject,
> > Securing DNS:
> > http://www.psionic.com/papers/dns/
> 2.4.x kernels support the --bind option to mount which avoids the syslogd
> hackery described in this URL. Also the authbind method supported by Debian
> is much more powerful and useful than using the chuid() functionality in
> bind. Both these things aren't mentioned.
> > Cricket Liu's presentation on how to secure BIND:
> > http://www.acmebw.com/papers/securing.pdf
> I disagree with the supposed security benefits of disabling zone transfers,
> it's just security by obscurity. Also when idiots read such advice and take
> it to heart it gets in the way when you have a genuine need for zone
What is wrong with security by obscurity? It's an excellent strategy, albeit
not a complete one.
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page