Installing bind is not very clear for me
/dev/rob0
rob0 at gmx.co.uk
Fri Sep 4 17:12:17 UTC 2015
On Thu, Sep 03, 2015 at 11:02:23PM +0200, Reindl Harald wrote:
> Am 03.09.2015 um 22:59 schrieb Robert Moskowitz:
> >On 09/03/2015 04:35 PM, Leandro wrote:
> >>Ok ...
> >>I got BIND 9.10.2-P3 working.
> >>I compiled with
> >>
> >>./configure --with-openssl --enable-threads --with-libxml2
> >>--with-libjson
> >>make
> >>make install
> >>
> >>Json statistics channel is working and chroot is no longer
> >>mandatory.
> >
> >But do make sure you have selinux enforced. Or run behind
> >multiple firewalls...
>
> behind *multiple firewalls* - ?!?! - oh come on and get serious
> instead of promoting snakeoil -

I quite agree here. Firewalls that attempt to filter DNS have
terrible reputations for *breaking* DNS. A single firewall is bad
enough; multiple firewalls sounds like a disaster.

> typically BIND is *not* running as root and hence does not need
> any special handling compared to any other network service

I don't know if we can say what is "typical". We can say, for
running on Linux at least, that running as root is safe. A
compromised named would get root after having dropped superuser
privileges, so it wouldn't be able to do much.

Regardless, again I quite agree that special handling is not
necessary. Look at the various BIND9 security announcements over
the years. When have you seen one which involved a compromise of
any kind?

I cannot say with authority that BIND9 has never had a compromise,
but I am confident in saying I have never seen one.
https://www.isc.org/blogs/summer_security_vulnerabilities/ is a
recent blog posting which discusses this in detail.

> get rid of the horror stories from the 1990's..............

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
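
The point in the message above, that a named process still owned by root has given up superuser privileges, can be checked on Linux by reading the process's effective capability set from /proc/<pid>/status. This is an added example, not part of the original post or of BIND; the ALLOWED policy and the two sample status texts are constructed assumptions.

```python
#!/usr/bin/env python3
"""Report the effective UID and Linux capabilities of a process (e.g. named)."""
import sys

# Capability names in bit order, from linux/capability.h (bit 0 = CAP_CHOWN).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
             "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
             "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
             "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
             "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
             "PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumed local policy (not from the thread or BIND docs): capabilities we accept.
ALLOWED = {"CAP_NET_BIND_SERVICE", "CAP_SYS_RESOURCE"}

# Constructed /proc/<pid>/status excerpts: a root daemon that dropped privileges,
# and one that still holds the full capability set.
SAMPLE_DROPPED = "Name:\tnamed\nUid:\t0\t0\t0\t0\nCapEff:\t0000000001000400\n"
SAMPLE_FULL = "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

def parse_status(text):
    """Return (effective_uid, effective_capability_mask) from status text."""
    uid = capeff = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            uid = int(value.split()[1])      # fields: real, effective, saved, fs
        elif key == "CapEff":
            capeff = int(value.strip(), 16)  # hex bitmask
    if uid is None or capeff is None:
        raise ValueError("status text lacks a Uid or CapEff line")
    return uid, capeff

def decode_caps(mask):
    """Translate a capability bitmask into names; keep unrecognised bits visible."""
    names = ["CAP_" + n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    unknown = (mask >> len(CAP_NAMES)) << len(CAP_NAMES)
    return names + (["unknown bits 0x%x" % unknown] if unknown else [])

def audit(text, allowed=ALLOWED):
    """Summarise a process: effective UID, held capabilities, those beyond policy."""
    euid, mask = parse_status(text)
    held = decode_caps(mask)
    return {"euid": euid, "held": held, "excess": [c for c in held if c not in allowed]}

if __name__ == "__main__":
    # Usage: script.py [pid]; with no pid the constructed sample is audited.
    text = open("/proc/%s/status" % sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DROPPED
    print(audit(text))
```

An empty "excess" list for a process whose effective UID is 0 means it is root in name only under the assumed policy.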