[Dshield] Jail and Harden DNS

Tony Earnshaw tonye at billy.demon.nl
Sun Mar 28 15:53:33 GMT 2004


Sat, 27.03.2004 at 22.24, Jon R. Kibler wrote:
[...]

> Probably the two excuses I have heard most for not jailing and hardening named were: 
>    1) I didn't know anything about it... the O/S install instructions didn't say anything about doing it.
>    2) I tried to do chroot named, but I could never get it to work.

I don't run ISC's 9.2.3 named daemon (I continue to pronounce it
"named") chroot. I do run an iptables filter "REJECT" in front of it on
this machine (RedHat RHEL3 with several home-brewed mods), though - here
it's a caching, non-authoritative name server.

I wouldn't see any reason to run it chrooted, any more than I see any
reason to run Postfix 2.0.19 chrooted. My main reason is that there
have never been any reported exploits with either. And many have tried
;)

As a matter of curiosity, why don't you mention the 101 other much more
susceptible daemons, starting with Apache/PHP and ending with sshd? Not
to speak of OpenSSL's ASN.1 and buffer overflow stuff, for which
static-compiled binaries would seem to pollute much of the exposed *nix
stuff on the Internet, at the moment?

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
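As an added example (not part of Tony's post or any project's code), here is the kind of iptables "REJECT in front of named" filter he describes for a caching, non-authoritative resolver: only the listed client networks may reach port 53, everything else on the outside interface is rejected. The interface name and the client networks are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that put a REJECT filter in front of a
# caching-only named. Interface and client networks below are assumptions.
set -eu

# gen_dns_rules IFACE CIDR... : print one iptables command per line that
# accepts DNS (UDP and TCP 53) from the given client networks on IFACE and
# rejects every other query arriving on that interface.
gen_dns_rules() {
    iface=$1; shift
    for net in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -A INPUT -i %s -p %s --dport 53 -s %s -j ACCEPT\n' \
                "$iface" "$proto" "$net"
        done
    done
    # Unmatched traffic is answered with a rejection rather than silently
    # dropped, which is what a REJECT target (as opposed to DROP) does.
    printf 'iptables -A INPUT -i %s -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable\n' "$iface"
    printf 'iptables -A INPUT -i %s -p tcp --dport 53 -j REJECT --reject-with tcp-reset\n' "$iface"
}

# count_rules IFACE CIDR... : number of rule lines gen_dns_rules emits
# (two ACCEPTs per client network plus the two trailing REJECTs).
count_rules() {
    gen_dns_rules "$@" | wc -l | tr -d ' '
}

# Dry run: print the rules. Pipe the output into "sh" as root to apply them.
# Replies to the resolver's own outbound queries are unaffected, since they
# arrive with an ephemeral destination port, not --dport 53; queries from
# localhost arrive on lo, not on the filtered interface.
if [ "${1:-}" = "--demo" ]; then
    gen_dns_rules eth0 192.168.1.0/24 10.0.0.0/8
fi
```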
