
Re: Securing bind..



Jor-el wrote:
> > Another possibility is to have the port for outgoing connections be something 
> > other than 53 (54 seems unused) and use iptables or ipchains to block data 
> > from the outside world coming to port 53.
[...]
> 	Of course, in the case of DNS servers, you could be OK, since you
> do want to lessen the number of folks who use your services (right?). But
> in general, I consider this to be poor advice.

  That is perfectly true.

  In fact, restricting access to the (recursive) nameserver should be
  considered not only as a matter of IP filtering but also in BIND's own
  configuration (using allow-query and allow-recursion sets).

  Authoritative name serving is a totally different matter, since you
  cannot predict the source address.

-- 
Thomas Seyrat.
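As an added illustration that is not part of the original message, here is a named.conf fragment applying the allow-query / allow-recursion restriction discussed above; the acl name "trusted", the 192.0.2.0/24 client network and the example.com zone are assumptions chosen for the example.

```conf
// Added example, not from the original post or the BIND project.
// 192.0.2.0/24 is a constructed placeholder for the local client network.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Without these two lines BIND answers, and recurses for, anyone who
    // can reach port 53. Here recursive service is limited to the acl.
    allow-query     { trusted; };
    allow-recursion { trusted; };
};

// Authoritative zone: query sources cannot be predicted, so this zone's
// allow-query overrides the options-level one and answers anyone, while
// recursion stays restricted to the trusted clients.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { any; };
};
```

Packet filtering on port 53 complements this rather than replacing it: the acl still refuses recursion from addresses that get past the filter.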
