
Re: [security] Re: Using BIND in a chroot enviro?



also sprach Dossy (on Sun, 01 Jul 2001 10:10:42PM -0400):
> No.  IIRC, 53/tcp is also used for DNS queries (not just XFER's)
> when the size is larger than the RFC specifies for the UDP-based
> payload.  Or, some such type of edge-case of the DNS spec.

uhm - which is only the case if you slave a windoze 2k dns server?
everything else adheres to the standard, right? i run a couple of
BIND9 installations and port 53/tcp is blocked at the firewall or by
iptables other than for the 3-6 slaves that AXFR transfer zone data.

> Just my two cents.  I current run two copies of BIND9 on my
> DNS server -- one copy for the Internet/DMZ and one for my
> intranet, so that I only expose DNS for the hosts I want
> to advertise on the 'net, but have full/complete DNS for
> all of my intranet hosts only visible from behind the
> firewall.  And, both BIND9 instances run in a chroot jail.

doesn't BIND9 allow you to do that in one instance? it's one of the
new features, advertising zones according to interfaces. so you can
run one BIND9 that's an official NS to the outside, but which also
serves your zone lookups to the intranet - without interfering with
one another.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
-- 
tell me in 10 seconds the names of the 7 kings of rome, in descending
order of the date of death of their second-born son,
in rot13... or I'll wipe out the /dev directory !!!
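The single-instance split-horizon setup asked about above, as an added named.conf example that is not part of the thread and is not Dossy's or martin's configuration: two BIND9 views selected by client address, with the intranet view carrying the full zone and the Internet view carrying only the advertised hosts. The zone file paths, the 10.0.0.0/8 intranet range and the two secondary addresses are placeholders.

```conf
// Constructed example: BIND9 views serving two versions of one zone
// from a single named process. Paths and addresses are placeholders.

acl "intranet"    { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // the AXFR slaves

options {
    directory "/var/named";          // relative to the chroot root
    listen-on { any; };
    allow-transfer { none; };        // default: no zone transfers at all
    recursion no;                    // default; relaxed per view below
};

// Views are matched in order; the first match-clients that fits wins,
// so the intranet view must come before the catch-all external view.
view "internal" {
    match-clients { intranet; };
    recursion yes;                   // resolver service for intranet hosts
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // full set of intranet records
    };
};

view "external" {
    match-clients { any; };          // everything not caught above
    recursion no;                    // authoritative only toward the Internet
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // only the hosts to advertise
        allow-transfer { secondaries; };    // AXFR limited to listed slaves
    };
};
```

With views in use every zone must live inside a view, so the two zone files are maintained separately and a record present only in the internal file is never returned to a query that matched the external view. Limiting AXFR with allow-transfer rather than by blocking 53/tcp outright also leaves TCP available for the retry a resolver makes when a UDP answer comes back truncated.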