
Re: Using BIND in a chroot enviro?



I got the impression that Stefan's bind was used for caching and
forwarding only; he can safely block external access to 53/tcp.

Also, you need not run 2 separate instances of bind to get the
functionality described below. I can't tell by your description
exactly what access you're allowing to each interface, but mine looks
something like this:

The Internet can query my server for zones it's authoritative for.
localhost and anyone in the local net can query the server for caching
and forwarding to the ISP's nameservers. It's set up using a
forwarders statement and an allow-recursion statement like this:

allow-recursion { 192.168.0.0/24; localhost; };

Running only one instance like this should reduce the load on your
machine as well as free up some memory.

Vineet
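As an added illustration (not configuration from anyone in this thread), here is a named.conf fragment that implements the single-instance arrangement Vineet describes: the Internet may query the authoritative zone, but only the local net and localhost get recursion via the ISP's forwarders. The zone name "example.com", the zone file path and the forwarder addresses are placeholders; the 192.168.0.0/24 net comes from Vineet's allow-recursion line.

```conf
// Added example, not from the thread: one named instance serving both roles.
// Assumptions: local net is 192.168.0.0/24, the authoritative zone is the
// placeholder "example.com", and the forwarder addresses are placeholders
// to be replaced with the ISP's real resolvers.
options {
    directory "/var/cache/bind";

    // Hand recursive lookups to the ISP's nameservers instead of
    // walking the tree from the root servers ourselves.
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder ISP resolvers
    forward only;

    // Anyone may send us a query; this is what lets the Internet ask for
    // the zones we are authoritative for ...
    allow-query { any; };

    // ... but only the local net and localhost may use us as a recursive
    // caching resolver. Anyone else asking for an off-zone name is refused,
    // which keeps the box from being an open resolver.
    allow-recursion { 192.168.0.0/24; localhost; };
};

// Zone the Internet is allowed to query. Answers come from local data,
// so the allow-recursion ACL is not consulted for names inside it.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // placeholder zone file
    allow-transfer { none; };          // no zone transfers to strangers
};
```

Run `named-checkconf` before restarting; afterwards a query from outside the local net for a name outside example.com should come back REFUSED, while the same query from a LAN host is answered through the forwarders.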


* Dossy (dossy@panoptic.com) [010701 19:15]:
> On 2001.07.01, Tim Haynes <debian@stirfried.vegetable.org.uk> wrote:
> > If it's Bind security you're worried about, btw, can you not
> > firewall out 53/tcp altogether as well?
> 
> No.  IIRC, 53/tcp is also used for DNS queries (not just XFER's)
> when the size is larger than the RFC specifies for the UDP-based
> payload.  Or, some such type of edge-case of the DNS spec.
> 
> Could you filter out 53/tcp and "not really notice"?  Sure.  Could
> there be times you try to resolve something (or, rather, someone
> tries to resolve against your DNS server) and it fails for some
> reason?  Quite possibly.
> 
> Just my two cents.  I currently run two copies of BIND9 on my DNS
> server -- one copy for the Internet/DMZ and one for my intranet, so
> that I only expose DNS for the hosts I want to advertise on the
> 'net, but have full/complete DNS for all of my intranet hosts only
> visible from behind the firewall.  And, both BIND9 instances run in
> a chroot jail.
> 
> Works quite well for me.  I've been running like this since BIND
> 4.9.6 ...
> 
> - Dossy
> 
> --
> Dossy Shiobara                        mail: dossy@panoptic.com
> Panoptic Computer Network             web: http://www.panoptic.com/
> 
> 
