
Re: Using BIND in a chroot enviro?

On 2001.07.01, Tim Haynes <debian@stirfried.vegetable.org.uk> wrote:
> If it's Bind security you're worried about, btw, can you not firewall out
> 53/tcp altogether as well?

No.  IIRC, 53/tcp is also used for DNS queries (not just XFER's)
when the size is larger than the RFC specifies for the UDP-based
payload.  Or, some such type of edge-case of the DNS spec.

Could you filter out 53/tcp and "not really notice"?  Sure.
Could there be times you try to resolve something (or, rather,
someone tries to resolve against your DNS server) and it
fails for some reason?  Quite possibly.

Just my two cents.  I currently run two copies of BIND9 on my
DNS server -- one copy for the Internet/DMZ and one for my
intranet, so that I only expose DNS for the hosts I want
to advertise on the 'net, but have full/complete DNS for
all of my intranet hosts only visible from behind the
firewall.  And, both BIND9 instances run in a chroot jail.

Works quite well for me.  I've been running like this
since BIND 4.9.6 ...

- Dossy

Dossy Shiobara                       mail: dossy@panoptic.com 
Panoptic Computer Network             web: http://www.panoptic.com/ 
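The truncation-and-retry behaviour the reply above points at (a response that does not fit in a 512-byte UDP datagram comes back with the TC flag set, and the client is expected to repeat the query over 53/tcp) can be shown with a small wire-format simulation. The code below is an added example and is not part of the original mailing-list post; the zone data, hostnames and addresses are constructed for illustration, and the "server" and "firewall" are in-process functions rather than real sockets.

```python
import struct

UDP_MAX = 512    # classic RFC 1035 limit for a DNS message carried over UDP (no EDNS0)
TC_BIT = 0x0200  # truncation flag in the DNS header flags word

# Constructed zone: one hostname with a short answer, one with enough A records
# that the full response cannot fit in a 512-byte datagram.
ZONE = {
    "small.example.test": ["192.0.2.1", "192.0.2.2"],
    "big.example.test": ["192.0.2.%d" % i for i in range(10, 30)],
}

def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression pointers)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"

def build_response(qname, addresses, txid=0x1234):
    """Build the complete response a server wants to send: header, question, one A RR per address."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA
    return header + question + answers

def skip_name(msg, i):
    """Return the offset just past the name starting at msg[i] (handles compression pointers)."""
    while True:
        length = msg[i]
        if length == 0:
            return i + 1
        if length & 0xC0 == 0xC0:
            return i + 2
        i += 1 + length

def udp_reply(full):
    """Server side over UDP: if the message fits, send it; otherwise send header+question with TC set."""
    if len(full) <= UDP_MAX:
        return full
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", full[:12])
    question_end = skip_name(full, 12) + 4
    header = struct.pack("!HHHHHH", txid, flags | TC_BIT, qd, 0, 0, 0)
    return header + full[12:question_end]

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def parse_answers(msg):
    """Extract the IPv4 addresses from the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    i = 12
    for _ in range(qd):
        i = skip_name(msg, i) + 4
    addrs = []
    for _ in range(an):
        i = skip_name(msg, i)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        i += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[i:i + 4]))
        i += rdlen
    return addrs

def resolve(qname, tcp_allowed):
    """Client side: query over UDP first; on a TC reply retry over TCP, unless 53/tcp is filtered."""
    full = build_response(qname, ZONE[qname])
    reply = udp_reply(full)
    if not is_truncated(reply):
        return parse_answers(reply)
    if not tcp_allowed:
        # Filtering 53/tcp at the firewall: the TCP retry never gets an answer.
        raise TimeoutError("truncated UDP answer and 53/tcp is filtered; TCP retry times out")
    # Over TCP the message is prefixed with a two-byte length and is not limited to 512 bytes.
    stream = struct.pack("!H", len(full)) + full
    length = struct.unpack("!H", stream[:2])[0]
    return parse_answers(stream[2:2 + length])

if __name__ == "__main__":
    print("small, tcp filtered:", resolve("small.example.test", tcp_allowed=False))
    print("big, tcp allowed:   ", len(resolve("big.example.test", tcp_allowed=True)), "addresses")
    try:
        resolve("big.example.test", tcp_allowed=False)
    except TimeoutError as e:
        print("big, tcp filtered:  ", e)
```

The small name resolves either way; the large one resolves only when the TCP retry is permitted, which is exactly the failure the poster expects from a blanket 53/tcp filter. EDNS0 (later than this thread) lets clients advertise a larger UDP buffer, but truncation and the TCP fallback remain part of the protocol, so the caveat still holds.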
