
BIND vulns (good doc on how to secure bind)



I don't want to get into a flamewar on what's the best DNS package
to use, but because of this recent vulnerability I decided to
re-evaluate my BIND setup, spent a couple of hours researching, testing
and cleaning it up to make it more secure. A good document I
found that helped me was this:

http://www.acmebw.com/resources/papers/securing.pdf
(or Google's HTML version, which is what I used):
http://216.239.51.100/search?q=cache:Lpi8rotBC_0C:www.acmebw.com/resources/papers/securing.pdf+recursion+bind+8&hl=en&ie=UTF-8

Some other tips for making your BIND more secure:

- run in chroot (-t option)
- run as a non-root uid (-u/-g option)
- set up strict ACLs for zone transfers & queries
- use a remote syslog server and log everything to syslog
- blocking TCP/53 inbound seems to reduce exposure for the recent
vulns, according to the ISS advisory.

I hope to get the time to write a doc myself about securing BIND;
so many things to do and so little time! Hard to imagine I still seem
to have almost no time even though I don't have a job anymore! Damn
this clock! Moves too fast.

Of course you can always ditch BIND, which is probably a good idea
for people who do not have the time or ability to keep up to date
on the latest reports. For me, I plan to use it for the foreseeable
future. Together with a syslog server, IDS, NIDS, firewall, ACLs
and more, I believe the risk (for me) is acceptable.


nate
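As an added illustration of the ACL and logging tips in the post above (this fragment is not from the post or the linked paper), a named.conf that restricts zone transfers and recursion and ships logs to syslog; the networks, ACL names and zone name are constructed placeholders, and the daemon is assumed to be started with `-u <unprivileged user> -t <chroot dir>` so that `directory` is relative to the chroot.

```conf
// Constructed example of a hardened named.conf (BIND 9 syntax).
acl "trusted-nets" { 127.0.0.1; 192.0.2.0/24; };   // our own hosts
acl "secondaries"  { 198.51.100.5; 198.51.100.6; }; // slave servers only

options {
    directory "/var/named";        // relative to the chroot given with -t
    version   "not disclosed";     // do not advertise the version string
    // Weak setting: allow-transfer { any; }; lets anyone pull whole zones.
    allow-transfer  { "secondaries"; };
    // Weak setting: open recursion; limit the resolver to our networks.
    recursion yes;
    allow-recursion { "trusted-nets"; };
    allow-query     { any; };      // authoritative answers may stay public
};

logging {
    channel remote_syslog {
        syslog daemon;             // syslogd forwards this to the log host
        severity info;
        print-category yes;
        print-severity yes;
    };
    category default  { remote_syslog; };
    category security { remote_syslog; };  // ACL denials land here
    category xfer-in  { remote_syslog; };
    category xfer-out { remote_syslog; };  // every transfer is recorded
};

zone "example.net" {
    type master;
    file "example.net.zone";
};
```

Note that a firewall rule dropping inbound TCP/53 also blocks zone transfers and clients retrying truncated answers over TCP, so permit it from the `secondaries` addresses at least.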