Re: Using BIND in a chroot enviro?

To: Jamie Heilman <jamie@audible.transient.net>
Cc: debian-security@lists.debian.org
Subject: Re: Using BIND in a chroot enviro?
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 02 Jul 2001 10:12:01 +0100
Message-id: <[🔎] 86r8vzu23i.fsf@potato.vegetable.org.uk>
Reply-to: debian@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 20010702013349.A6340@audible.transient.net> (Jamie Heilman's message of "Mon, 2 Jul 2001 01:33:49 -0700")
References: <[🔎] 86r8w0k57x.fsf@potato.vegetable.org.uk> <[🔎] 20010701221042.A3934@panoptic.com> <[🔎] 20010701204730.B5985@audible.transient.net> <[🔎] 20010702055546.A4667@shockwave.wavekind.bofh-crew.de> <[🔎] 20010702013349.A6340@audible.transient.net>

Jamie Heilman <jamie@audible.transient.net> writes:

> > forget it.
> > 1. non-free
> 
> Certainly, that is something to consider, if your prejudice is that way
> bent. I tend to judge software more on its technical merit than on its
> distribution policies. 

Hmmmm. I dislike the word `prejudice' there, even if it does sum my
approach to non-free up very well. Technical merits are of stuff-all use if
the software can't be redistributed freely in sensible packages.

> At any rate, maradns is of similar design, and it is DFSG compliant, if
> you want yet another alternative.

Yes. (I've been thinking about experimenting with this, but can't atm.)

> > 2. author write like "alle shit then my"
> 
> Uh, sure.

Whatever the quote means, I don't need *another* DJB-war barely a fortnight
after the last one.

> You clearly don't understand what this person was asking for, or what
> dnscache is capable of. There seem to be a lot of people waving the
> 53/tcp flag lately like its some kind of huge bogon that you have to
> watch out for when you're building your firewall rules. 

It's something to consider, as you say, given the assorted criteria. As you
say, if you decide you don't need it, you should probably firewall it off.

>      If your upstream ISP only accepts queries from source port 53, they
> are stupid and you'd be best off finding a better ISP, or just doing all
> the resolving yourself (probably more secure that way anyhow depending on
> how much you trust your upstream's DNS cache configuration).

Correct. query-source-port 53 is evil.

> If, on the other hand, you are serving DNS records to the world at large,
> you already know perfectly well if you have records over 512 bytes that
> will require tcp transport or not, or if you need to allow zone transfers
> to outside parties, so the question of if you need to allow 53/tcp is
> already decided, all you have to do is recognise that fact.

Agreed.

~Tim
-- 
There's a shrine on the Assynt hillside     |piglet@stirfried.vegetable.org.uk
Made of earth and salt and rain             |http://spodzone.org.uk/

Reply to:

Follow-Ups:
- Re: Using BIND in a chroot enviro?
  - From: Jamie Heilman <jamie@audible.transient.net>

References:
- Re: Using BIND in a chroot enviro?
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: Using BIND in a chroot enviro?
  - From: Dossy <dossy@panoptic.com>
- Re: Using BIND in a chroot enviro?
  - From: Jamie Heilman <jamie@audible.transient.net>
- Re: Using BIND in a chroot enviro?
  - From: Bastian Blank <waldi@debian.org>
- Re: Using BIND in a chroot enviro?
  - From: Jamie Heilman <jamie@audible.transient.net>

Prev by Date: Re: Using BIND in a chroot enviro?
Next by Date: Re: [security] Re: Using BIND in a chroot enviro?
Previous by thread: Re: Using BIND in a chroot enviro?
Next by thread: Re: Using BIND in a chroot enviro?
Index(es):
- Date
- Thread