On Fri, Feb 09, 2001 at 08:32:07AM -0600, [EMAIL PROTECTED] wrote:

> Daniel,

> #Can anyone give me some hints what security measures I
> #can take to protect my (Linux-) DNS server (maybe lines
> #to add to /etc/named.conf or some online available material)?

> If you haven't done it already you will want to harden the Linux box.  You
> could use bastille, CBAC, or anything else that was discussed in
> yesterday's(?) thread about securing Linux hosts.  On the DNS server you
> will want to use xfernets (BIND 4) or allow-transfer (BIND 8) to limit who
                            ^^^^^^^^
        You do NOT want to use BIND 4.  BIND 4 has been deprecated for
some time now.  Either use BIND 8 or BIND 9.  Both BIND 9.0 and 9.1 have
production releases and I definitely prefer BIND 9 over BIND 8.

> can do a zone transfer.  You also may want to look at using split-DNS.
> This would entail running two primary DNS servers for your domain.  One for
> internal users and one for the Internet.  You only have to advertize the
> specific hosts you want the Internet to be able to reach by name. I
> recommend getting the DNS and BIND 3rd Edition by O'Reilly.  Chapter ten is
> on security.  You can also find some stuff about security at
> http://www.isc.org/products/BIND/.  Hurry up before they start making you
> pay for it=)

        You might want to also take a look at Rob Thomas' Secure BIND
Template.  You'll find that here:

        http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html

        His announcement to the FIRST-teams mailing list is attached below
(Rob has granted permission for redistribution).

> Regards,
> Jeffery Gieser

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

===========================================================================
From: Rob Thomas <[EMAIL PROTECTED]>
Reply-To: Rob Thomas <[EMAIL PROTECTED]>
Date: Sat, 3 Feb 2001 21:19:25 -0600 (CST)
Subject: Secure BIND Template version 2.1 released
Message-ID: <[EMAIL PROTECTED]>

Hello, teams.

I have just released version 2.1 of the Secure BIND Template.  This
version includes two key updates:

1. Added additional libs to support chroot BIND 9.1.0 running on
   Solaris.
2. Added a modified version of LaMont's CHAOS class zone trick.

The CHAOS class trick will allow you to select who may query the
version.bind (and authors.bind) records, as well as the string
returned by such queries.  Further, queries by disallowed hosts
will be logged.

You will find the template here:

http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html

I had received a suggestion to include my context diffs to server.c.
I've opted not to do that, as most DNS admins aren't likely willing
to undertake code changes.  It seems to me that the configuration
files are the best place to make such changes.

Comments and feedback are always welcome!  Get your suggestions in
early to win a free pint of your favourite beverage at the February
TC.  :-)

Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");



-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-teams" to [EMAIL PROTECTED]

DO NOT REDISTRIBUTE BEYOND MEMBERS OF FIRST TEAMS UNLESS THE AUTHOR OF
THIS MESSAGE GRANTS EXPRESS PERMISSION TO REDISTRIBUTE
-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
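As an added illustration of the two measures this thread discusses (restricting zone transfers with allow-transfer, and the CHAOS class trick that limits who may query version.bind/authors.bind and logs refused queries), the fragment below is a constructed BIND 9 named.conf plus the zone file it references; it is not Rob's template and not code from either poster. The ACL name, addresses, zone name and file paths are assumptions for the example.

```conf
// --- named.conf (constructed example; paths and addresses are placeholders) ---
// Assumption: BIND 9 syntax, where a view's class follows the view name.
acl "admins" { 127.0.0.1; 192.0.2.0/24; };     // hosts allowed to see version.bind

logging {
    // allow-query refusals are logged under the "security" category,
    // so queries for version.bind from disallowed hosts show up here.
    channel security_log {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { security_log; };
};

// Class CHAOS view: only the "bind" zone lives here, and only "admins" may query it.
view "chaos" CH {
    match-clients { any; };
    recursion no;
    allow-query { none; };          // default for anything else in class CH
    zone "bind" {
        type master;
        file "db.bind";
        allow-query { admins; };    // everyone else gets REFUSED (and logged)
        allow-transfer { none; };
    };
};

// Ordinary IN view for real data; zone transfers limited to the secondary.
view "external" IN {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com";
        allow-transfer { 192.0.2.53; };   // constructed secondary address
    };
};

// --- db.bind (zone file for the CHAOS "bind" zone above) ---
$TTL 1D
@              CH SOA  localhost. root.localhost. ( 1 3H 1H 1W 1D )
@              CH NS   localhost.
version.bind.  CH TXT  "not disclosed"
authors.bind.  CH TXT  "not disclosed"
```

Once views are used, every zone must sit inside a view, which is why the IN zone is shown in its own view rather than at top level.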
