[Dshield] Does anyone know if this can work

Chad M Stewart cms at Balius.com
Sun Dec 23 03:00:42 GMT 2007


Hi Mike,

If someone were to 0wn the box, they could replace your zone files.
Sure, the standard files are read-only, but there are ways around that.

Personally, I'd start with OpenBSD and make it a slave.  Put the real
master on a secure network.  Let the master send updates to the
slave, but no traffic the other way.  Bind on OpenBSD is chroot'd by
default, adding another layer of defense.  Of course, add pf rules
to both boxes and harden each host as well.

My $0.02
-Chad

On Dec 20, 2007, at 11:04 AM, Sahli, Mike wrote:

> Hello,
> Currently I am running Bind on a Windows box for my external DNS. I want
> to make my DNS bulletproof. My thoughts are to get a Linux distro that can
> run from a booted CD and reconfigure it to only run DNS; that way the
> files for my zones cannot be changed. Now I figure that I will have to
> keep a copy of the ISO and edit the files in the ISO whenever I need to
> make a change, then reburn the ISO and boot to the new CD, but I do not
> need to make changes that often, maybe once every two or three months if
> that. Any thoughts and guidance will be appreciated.
>
> Michael D Sahli
> Sr. Network Engineer
> Lockheed Martin IT @ SMECO
> 301-274-4344
>
>
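
The master/slave split sketched above, written out as an added example (this is not from either post, and not OpenBSD's shipped config); the zone name, the 192.0.2.53 / 198.51.100.53 addresses, and the chroot paths are placeholders. Note that a slave still has to open one TCP connection to the master to pull the zone, so the pf rules on the master admit exactly that and nothing else.

```conf
# --- Public slave (OpenBSD), assumed path /var/named/etc/named.conf ---
# 192.0.2.53   = master on the secure network   (placeholder)
# 198.51.100.53 = Internet-facing slave          (placeholder)
options {
    listen-on { 198.51.100.53; };
    recursion no;                    # authoritative only, never an open resolver
    allow-query { any; };            # the public zones are meant to be queried
    allow-transfer { none; };        # nobody pulls zones from the public box
    allow-update { none; };          # dynamic updates are not accepted here
    version "not disclosed";
};

zone "example.com" {
    type slave;
    file "slave/example.com";        # written by named inside the chroot
    masters { 192.0.2.53; };         # the only source of zone data
    allow-notify { 192.0.2.53; };    # only the master may trigger a refresh
};

# --- Master on the secure network, named.conf fragment ---
zone "example.com" {
    type master;
    file "master/example.com";       # the copy you actually edit
    also-notify { 198.51.100.53; };
    allow-transfer { 198.51.100.53; };          # only the slave may pull the zone
    allow-query { 198.51.100.53; 192.0.2.0/24; }; # not answered from the Internet
};

# --- Master /etc/pf.conf fragment: push NOTIFY, accept the slave's pull ---
slave = "198.51.100.53"
block in log all
block out log all
# outbound NOTIFY to the slave (UDP 53)
pass out quick proto udp to $slave port 53 keep state
# inbound SOA refresh (UDP) and AXFR/IXFR (TCP) from the slave only
pass in quick proto { tcp, udp } from $slave to self port 53 keep state
```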