On 06/16/2014 03:57 PM, James wrote:
>
>> There's a video of DJB at the 27c3 conference floating around where he
>> discusses some of this stuff. Some of his points shouldn't be taken
>> seriously, but it's entertaining nevertheless.
>
> I thought DJB was mostly deprecated. He's still preaching dns security,
> yet does not update his offerings? Interestingly strange.
>

He's a security researcher, not a system administrator. Most of his software is in the public domain if someone wants to maintain it. And while it's getting long in the tooth, e.g. djbdns still has one of the best track records for security -- you just won't get any new features.

> Sven is great. So just the generic hardened remedies, nothing
> special to DNS servers or services, from my quick parse of his
> documents on hardened?

Nothing specific to DNS, no.

> Sven's also into "selinux". I see no selinux policies
> or rules. Maybe I should drop him a line about selinux related to
> dns primary servers? Surely a selinux policy for a primary only
> selinux dns server would be keen? Not needed ? Overkill ?
> I was going to read up a bit, before asking him questions I should
> have discovered from robust research on the subject......

I personally don't use SELinux, so my opinion is "overkill." But that opinion is highly colored by a lazy reluctance to learn how it works.

> > Ah, you've added to this iptables listing:
> > http://wiki.gentoo.org/wiki/BIND/Tutorial
>

No! There's a dangerous mistake on that page that I've just fixed. This line,

iptables -A INPUT -p tcp --sport 53 -j ACCEPT

puts a big hole in your firewall for anyone smart enough to attack you from port 53.
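The hole described in the message above, shown as an added example that is not part of the original post or of the Gentoo wiki page it refers to: a small POSIX shell audit that scans an iptables-save style dump for INPUT rules accepting traffic purely on the basis of a source port, next to the rule shape a DNS server actually needs (accept on --dport 53 and let conntrack admit replies to the server's own outbound queries). The sample ruleset is constructed for the example, and the use of the conntrack match module is an assumption about the host's kernel, not something the post states.

```shell
#!/bin/sh
# Added example; not code from the mailing-list post or from the Gentoo BIND tutorial.
# Flags INPUT rules that ACCEPT on a source port alone: any remote client can pick
# source port 53 and reach every listening service, bypassing the rest of the policy.

# Constructed sample ruleset in iptables-save format (not a real host's configuration).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT'

# Print every INPUT ACCEPT rule that matches on --sport but carries neither a
# destination port nor a connection-tracking state to narrow it down.
find_sport_holes() {
    printf '%s\n' "$1" \
        | grep -e '^-A INPUT .*-j ACCEPT' \
        | grep -e '--sport ' \
        | grep -v -e '--dport ' -e '--ctstate '
}

# Exit status 0 when no such rule is present, 1 otherwise.
ruleset_ok() {
    [ -z "$(find_sport_holes "$1")" ]
}

# The corrected shape for an authoritative DNS server: accept queries addressed to
# port 53, and admit replies to the server's own outbound lookups via conntrack
# (assumes the conntrack match module is available).
corrected_rules() {
    cat <<'EOF'
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
EOF
}

# Run with --demo to see the audit applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Rules accepting on source port alone:"
    find_sport_holes "$SAMPLE_RULES"
    echo "Corrected DNS server rules:"
    corrected_rules
fi
```

On a live host the same audit runs over `iptables-save` output piped into `find_sport_holes`; the point is that matching on the peer's source port says nothing about which local service is being reached, so an ACCEPT keyed on it alone is an open door rather than a DNS exception.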