New BIND server
Kevin Darcy
kcd at chrysler.com
Wed Oct 28 18:26:44 UTC 2009
Yeah, look it over, but take the zone-transfer restrictions and
version-obfuscation stuff with a bit of a grain of salt. Those parts are
a little too PHSCSE (Pointy-Haired So-Called Security Expert)-ish for my
tastes, verging on Theater. At least they finally got rid of the "bogon"
stuff.
Chroot and unprivileged, on the other hand, are _de_rigueur_ for anything
facing the Internet directly, as is view separation (or, to be more
hardcore, process-instance/listen-on or machine separation) between
recursive-resolver and non-recursive/authoritative roles.
If you're slaving, you'd also want to set up TSIG-authentication between
masters and slaves. That's not shown in the template.
- Kevin
Dixon, Justin wrote:
> Hello BIND users,
>
> I have set up a new Ubuntu 9.04 server with BIND9.
>
> I have looked at a few tutorials and how-tos like this one:
>
> https://help.ubuntu.com/community/BIND9ServerHowto
>
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.
>
> Thanks,
>
> Neosys
>
> Aside from standard OS level hardening that should have already been
> done, I would recommend looking over the following:
>
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Thanks…
>
> Justin
>
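
Added example, not part of the original post or of the referenced template: named.conf fragments for the TSIG-authenticated master/slave zone transfer mentioned in the reply above. The key name, zone name, file paths, the 192.0.2.x addresses and the secret are placeholders assumed for illustration.

```conf
// ===== Shared by both servers (keep in a root-only include file) =====
// Placeholder secret: generate a real one, e.g. with
//   tsig-keygen -a hmac-sha256 xfer-key
// and paste the same key block on master and slave.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

// ===== Master, assumed address 192.0.2.1 =====
// Sign everything sent to the slave (NOTIFY included).
server 192.0.2.2 { keys { "xfer-key"; }; };

options {
    recursion no;                 // authoritative-only instance
    allow-transfer { none; };     // default deny; opened per zone below
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Transfers are granted to holders of the key, not to an IP address.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// ===== Slave, assumed address 192.0.2.2 =====
// Sign SOA refresh queries and AXFR/IXFR requests sent to the master.
server 192.0.2.1 { keys { "xfer-key"; }; };

options {
    recursion no;
    allow-transfer { none; };     // the slave does not re-serve transfers
};

zone "example.com" {
    type slave;
    file "slaves/db.example.com";
    masters { 192.0.2.1 key "xfer-key"; };
};
```

TSIG signatures carry a timestamp, so both servers need synchronized clocks (NTP); a transfer that fails with a BADTIME error points to clock skew rather than a wrong secret.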