Installing bind is not very clear for me
Leandro
ingrogger at gmail.com
Fri Sep 4 18:41:19 UTC 2015
I think that regarding security issues, is better to prevent as much as
possible.
Here we have two different opinions:
People that agree to use firewall and people against (or arguing that is
not necessary):
I would like to hear both and then decide. If we share our points maybe
can get a better conclusions
So I would like to learn about firewall techniques to protect a DNS.
And for people against firewall , wich are the security considerations
to take in order to protect the service without firewall.
Regards.
Leandro.
On 04/09/15 14:27, Mike Hoskins (michoski) wrote:
> On 9/4/15, 1:12 PM, "bind-users-bounces at lists.isc.org on behalf of
> /dev/rob0" <bind-users-bounces at lists.isc.org on behalf of rob0 at gmx.co.uk>
> wrote:
>
>
>> On Thu, Sep 03, 2015 at 11:02:23PM +0200, Reindl Harald wrote:
>>> Am 03.09.2015 um 22:59 schrieb Robert Moskowitz:
>>>> On 09/03/2015 04:35 PM, Leandro wrote:
>>>>> Ok ...
>>>>> I got BIND 9.10.2-P3 working.
>>>>> I compiled with
>>>>>
>>>>> ./configure --with-openssl --enable-threads --with-libxml2
>>>>> --with-libjson
>>>>> make
>>>>> make install
>>>>>
>>>>> Json statistics channel is working and chroot is not longer
>>>>> mandatory.
>>>> But do make sure you have selinux enforced. Or run behind
>>>> multiple firewalls...
>>> behind *multiple firewalls* - ?!?! - oh come on and get serious
>>> instead promote snakeoil -
>> I quite agree here. Firewalls that attempt to filter DNS have
>> terrible reputations for *breaking* DNS. A single firewall is bad
>> enough; multiple firewalls sounds like a disaster.
>
> True, have fixed many of those over the years, though in fairness this is
> often a matter of expecting to run a firewall (or anything) "out of box"
> without understanding the config. If that's the stance of the admin, you
> likely have a lot more to worry about security-wise than named chroot. :-)
>
>
>>> typically BIND is *not* running as root and hence does not need
>>> any special handling compared to any other network service
>> I don't know if we can say what is "typical". We can say, for
>> running on Linux at least, that running as root is safe. A
>> compromised named would get root after having dropped superuser
>> privileges, so it wouldn't be able to do much.
>
> I probably misunderstand your response or am reading too much into the
> wording. Named doesn't run as root due to -u giving up permissions. That
> combined with the fact chroot itself has known shortcomings is why it's
> fallen out of BCP amongst name server operators. It's not that anyone
> suggests the alternative to chroot is to just run as root. You are still
> running as a non-privileged user post-startup, and permissioning things
> appropriately to minimize damage in the event of a compromise.
>
>
>> Regardless, again I quite agree that special handling is not
>> necessary. Look at the various BIND9 security announcements over
>> the years. When have you seen one which involved a compromise of
>> any kind?
>>
>> I cannot say with authority that BIND9 has never had a compromise,
>> but I am confident in saying I have never seen one.
>
> I appreciate the viewpoint, and I can even agree with it, but the past is
> not necessarily a key to the future. The reality is none of the nastiest
> 0-days were ever expected. As a security professional you try to insulate
> against potential risks, not just things you have already observed. It's
> up to each operator to determine appropriate cost/benefit, and this is not
> an argument for chroot, but I do caution against an "I've never seen it
> before so wouldn't worry about it" stance on security.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list