Slaving root zone?

Terrence Koeman root at mediamonks.net
Wed Sep 5 23:17:32 UTC 2001


The MS-DNS service is running in its own unprivileged account. The only
services running are:

IPSEC Services
Secondary Logon
SSH-NT
DNS Server
DNS Client
Checkpoint Firewall1

Not even Server or Workstation.

All the tools are gone (format, xcopy, etc) and the DNS Server account has
only write access to D:\WINNT\SYSTEM32\DNS\ and read access to some files
(not whole directories).

Zone transfers are off by default, and the number of queries is limited by
CPU/RAM/bandwidth.

The only thing I need to do when I switch to BIND is remove MS-DNS, install
BIND and remove some read permissions.

Regards,

Terrence Koeman

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of Danny Mayer
Sent: Thursday, September 06, 2001 00:54
To: root at mediamonks.net; Marc C Storck; bind-users at isc.org
Subject: RE: Slaving root zone?



At 03:55 PM 9/5/01, Terrence Koeman wrote:
>OK, let's make things clear. I'm currently running MS-DNS, which slaves '.'
>perfectly.

[snip]

>The DNS server I'm running is a rootserver for this root and is also a full
>public resolver (recursive). It consists of 2 load-balanced servers and
>handles about 50 million queries a day.
>
>If I'm gonna change to BIND, it has to be able to slave the zone '.'. In
>_general_ it has to be able to slave the zone '.', because it is just
>another zone!

You hadn't explained that in your previous post. As soon as BIND 8.2.5 becomes
available, you'll need to upgrade.

You'll also need to take other measures to protect your system from attack,
including running named in its own account without Administrators group or
privileges in that group, rather than the default LocalSystem, placing the BIND
files on an NTFS disk and adding ACLs to protect them, removing all other
applications that are not absolutely essential to running the system, removing
all protocols except TCP/IP and limiting queries and zone transfers.

There's a lot of other things you need to do, but that's a start.

         Danny
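An added example, not from either poster, of the named.conf fragment that slaves the '.' zone and restricts zone transfers the way the two messages above describe; it uses the BIND 8/9 named.conf syntax of the era, and the directory, file name and master addresses are placeholders:

```conf
// named.conf fragment (added example, not from the original thread).
// Syntax is the BIND 8/9 named.conf form used by the BIND 8.2.5 mentioned above.
options {
    directory "/var/named";          // placeholder working directory
    // Global default: no zone transfers unless a zone explicitly allows them,
    // matching the "zone transfers are off by default" posture described above.
    allow-transfer { none; };
    // Recursion is open because the poster runs a public resolver; a private
    // resolver would list only its own client networks here instead of "any".
    allow-recursion { any; };
};

// Slave (secondary) copy of the root zone '.', pulled from the private root
// servers. 192.0.2.1 and 192.0.2.2 are placeholder addresses.
zone "." {
    type slave;
    masters { 192.0.2.1; 192.0.2.2; };
    file "root.slave";               // placeholder file name for the slaved zone
    allow-query { any; };            // the server answers queries for '.' publicly
    // No allow-transfer here, so the global "none" default applies to this zone too.
};
```

Because `allow-transfer { none; }` sits in `options`, every zone inherits the no-transfer default and a zone becomes transferable only where a per-zone `allow-transfer` lists specific addresses.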